

June 9, 2023
Severity
High
Analysis Summary
Clop ransomware first appeared in 2019 and appends the .clop extension to the files it encrypts. It has become a common threat to organizations and corporations, and it is known to target a victim’s whole network rather than just individual PCs.
To obtain initial access, the threat actors rely on a well-established network of affiliates, who send large volumes of spear-phishing emails to an organization’s employees to trigger the infection.
Industrial enterprises were the target of 45% of Clop ransomware attacks, while IT companies were the target of 27% of these attacks.
The lull in the Clop ransomware gang’s activity is most plausibly explained by the takedown of part of its infrastructure in June 2021 during Operation Cyclone, a global law enforcement operation coordinated by INTERPOL.
Ransom Note:
Impact
- File Encryption
Indicators of Compromise
MD5
- 8752a7a052ba75239b86b0da1d483dd7
- 254a38e39d8cefb28ab838064d5f93f9
- c41a0e1ddeb85b6326a3dc403a5fd0fa
SHA-256
- 3320f11728458d01eef62e10e48897ec1c2277c1fe1aa2d471a16b4dccfc1207
- 88af8d2ab468802fcb2a8ab7c4e9d99b01b3b5a07f57584ac387ed8dd8e8d8bc
- d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9
SHA-1
- 6eeef883d209d02a05ae9e6a2f37c6cbf69f4d89
- a2c9968368037484304752f08212db1b4e400dcf
- 3c8e60ce5ff0cb21be39d1176d1056f9ef9438fa
Remediation
- Block all threat indicators at your respective controls (the hashes above belong in EDR/anti-virus blocklists; network controls cannot act on file hashes).
- Search your environment for the indicators of compromise (IOCs) listed above using your respective security controls.
- Maintain cyber hygiene by keeping anti-virus software updated and operating a patch management lifecycle.
- Maintain offline backups. In a ransomware attack the adversary will often delete or encrypt any backups it can reach, so keep offline (preferably off-site), encrypted backups and test restores regularly.
- Treat emails from unknown senders with caution.
- Never trust or open links and attachments received from unknown sources.
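As an added example (not part of the Rewterz alert), the following Python script applies the IOC-search remediation item: it walks a directory, hashes every file with MD5, SHA-1 and SHA-256 in one streaming pass, compares the digests against the hash IOCs listed in this alert, and additionally flags any file carrying the .clop extension the analysis mentions. The sample directory it builds, and the digests of the byte string b"abc", are constructed test data and are not Clop indicators; the extension check is a heuristic that can produce false positives and should be treated as a triage signal rather than a confirmed IOC.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# File-hash IOCs listed in the alert above (lowercase hex).
IOC_HASHES = {
    "md5": {
        "8752a7a052ba75239b86b0da1d483dd7",
        "254a38e39d8cefb28ab838064d5f93f9",
        "c41a0e1ddeb85b6326a3dc403a5fd0fa",
    },
    "sha1": {
        "6eeef883d209d02a05ae9e6a2f37c6cbf69f4d89",
        "a2c9968368037484304752f08212db1b4e400dcf",
        "3c8e60ce5ff0cb21be39d1176d1056f9ef9438fa",
    },
    "sha256": {
        "3320f11728458d01eef62e10e48897ec1c2277c1fe1aa2d471a16b4dccfc1207",
        "88af8d2ab468802fcb2a8ab7c4e9d99b01b3b5a07f57584ac387ed8dd8e8d8bc",
        "d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9",
    },
}

# Extension Clop appends to encrypted files, per the alert. A heuristic, not an IOC.
RANSOM_EXTENSION = ".clop"


def hash_file(path, chunk_size=1 << 20):
    """Return md5/sha1/sha256 hex digests of a file, computed in one streaming read."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def scan_dir(root, ioc_hashes=IOC_HASHES, ransom_extension=RANSOM_EXTENSION):
    """Walk `root` and report files whose hash matches an IOC or whose name ends in the ransom extension."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lower() == ransom_extension:
                findings.append({"path": str(path), "reason": "ransom_extension", "value": name})
            try:
                digests = hash_file(path)
            except OSError:
                continue  # unreadable or locked file: skip it rather than abort the sweep
            for algo, digest in digests.items():
                if digest in ioc_hashes.get(algo, ()):
                    findings.append({"path": str(path), "reason": "ioc_" + algo, "value": digest})
    return findings


def build_sample_dir():
    """Constructed sample tree so the scanner can run offline; it contains no malware."""
    root = tempfile.mkdtemp(prefix="clop_scan_")
    (Path(root) / "notes.txt").write_bytes(b"abc")                 # benign file
    (Path(root) / "budget.xlsx.clop").write_bytes(b"\x00" * 16)    # renamed-by-ransomware pattern
    (Path(root) / "sub").mkdir()
    (Path(root) / "sub" / "readme.md").write_bytes(b"hello")       # benign file in a subdirectory
    return root


# Digests of the constructed file b"abc" (not Clop IOCs), used to exercise the hash matcher.
SAMPLE_MD5 = "900150983cd24fb0d6963f7d28e17f72"
SAMPLE_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


if __name__ == "__main__":
    root = build_sample_dir()
    # With the alert's IOC list only the extension heuristic fires on the sample tree.
    for hit in scan_dir(root):
        print(hit)
    # Merge in the sample hash to show a hash match end to end.
    merged = {algo: set(digests) for algo, digests in IOC_HASHES.items()}
    merged["md5"].add(SAMPLE_MD5)
    for hit in scan_dir(root, ioc_hashes=merged):
        print(hit)
```

Point `scan_dir` at a real share or user profile to sweep it; each finding records the path, why it matched, and the matching value so it can be fed straight into a ticket or SIEM event. Hash matches are exact and only catch the listed samples, so a clean sweep does not rule out a repacked variant.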