

This new ransomware was discovered by Michael Gillespie on 8 February 2019 and it is still improving over time. This blog will explain the technical details and share information about how this new ransomware family is working. There are some variants of the Clop ransomware but in this report we will focus on the main version and highlight part of those variations. The main goal of Clop is to encrypt all files in an enterprise and request a payment to receive a decryptor to decrypt all the affected files. To achieve this, we observed some new techniques being used by the author that we have not seen before. Clearly, over the last few months we have seen more innovative techniques appearing in ransomware.

Packer signed to avoid AV programs and mislead the user

The Clop ransomware is usually packed to hide its inner workings. The sample we analyzed was also signed with the following certificate in the first version (now revoked):

FIGURE 1.

Signing a malicious binary, in this case ransomware, may trick security solutions into trusting the binary and letting it pass. This sample was discovered by MalwareHunterTeam ( ) on 26 February 2019. Although this initial certificate was revoked within a few days, another version appeared soon after with another certificate:

We discovered the following Clop ransomware samples which were signed with a certificate:

This malware is prepared to avoid running under certain conditions; for example, in the first version it requests to be installed as a service and, if that does not succeed, it terminates itself. The malware's first action is to compare the keyboard of the victim computer, obtained using the function "GetKeyboardLayout", against hardcoded values. This function returns the user's keyboard input layout at the moment the malware calls it. The malware checks that the layout is bigger than the value 0x0437 (Georgian), and makes some calculations with the Russian language (0x0419) and with the Azerbaijan language (0x082C).
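As an added illustration, not code from the original report, the following Python decodes the value that the Windows API GetKeyboardLayout returns and relates it to the three hardcoded language identifiers named in the analysis of the keyboard check. It is meant for an analyst deciding which keyboard layouts a detonation VM should present, or documenting the evasion check. The sample HKL values, the name table and the functions describe_hkl and page_comparisons are constructed for this example; only the "bigger than 0x0437" comparison reproduces what the page states, and since the page does not spell out the Russian and Azerbaijan calculations, those are treated as simple equality matches, which is an assumption.

```python
# Added example (not from the original report): decode the HKL that
# GetKeyboardLayout returns and relate it to the LANGIDs named in the analysis.

# Language identifiers (LANGIDs) named in the analysis above.
LANGID_GEORGIAN = 0x0437
LANGID_RUSSIAN = 0x0419
LANGID_AZERI_CYRILLIC = 0x082C

# Primary-language ids from winnt.h (LANG_RUSSIAN, LANG_AZERI, LANG_GEORGIAN);
# the table itself is constructed for this example and covers only these three.
PRIMARY_LANG_NAMES = {0x19: "Russian", 0x2C: "Azeri", 0x37: "Georgian"}


def langid_from_hkl(hkl: int) -> int:
    """GetKeyboardLayout returns an HKL: the low word is the LANGID of the
    input language, the high word is a device handle for the physical layout."""
    return hkl & 0xFFFF


def primary_lang(langid: int) -> int:
    """PRIMARYLANGID(): the low 10 bits of a LANGID."""
    return langid & 0x3FF


def sub_lang(langid: int) -> int:
    """SUBLANGID(): the high 6 bits of a LANGID."""
    return (langid >> 10) & 0x3F


def describe_hkl(hkl: int) -> dict:
    """Break an HKL down into the fields an analyst reasons about."""
    langid = langid_from_hkl(hkl)
    return {
        "langid": langid,
        "primary": primary_lang(langid),
        "primary_name": PRIMARY_LANG_NAMES.get(primary_lang(langid), "other"),
        "sublang": sub_lang(langid),
        "device_handle": hkl >> 16,
    }


def page_comparisons(hkl: int) -> dict:
    """Apply the comparisons the analysis describes to an HKL.

    Only the 'bigger than 0x0437' test is spelled out on the page. For the
    Russian and Azerbaijan constants the page says only that 'some
    calculations' are made, so this example (as an assumption) reports plain
    equality matches against those two values.
    """
    langid = langid_from_hkl(hkl)
    return {
        "above_georgian": langid > LANGID_GEORGIAN,
        "is_russian": langid == LANGID_RUSSIAN,
        "is_azeri_cyrillic": langid == LANGID_AZERI_CYRILLIC,
    }


# Constructed sample HKLs for a US-English, a Russian and an Azeri (Cyrillic)
# layout. For standard layouts the LANGID is typically repeated in the high word.
SAMPLE_HKLS = {"en-US": 0x04090409, "ru-RU": 0x04190419, "az-Cyrl": 0x082C082C}


if __name__ == "__main__":
    for name, hkl in SAMPLE_HKLS.items():
        print(name, hex(hkl), describe_hkl(hkl), page_comparisons(hkl))
```

Running it shows, for instance, that 0x082C decodes to primary language 0x2C (Azeri) with sub-language 2 (the Cyrillic variant), and that a US-English layout (0x0409) fails the "bigger than 0x0437" test while both the Russian and the Azeri-Cyrillic identifiers are the exact constants the analysis names. An analyst can use the same decoding to check what a sandbox VM's keyboard configuration will look like to the sample before detonating it.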
