‘45 billion if you want the ransomware unlocked!’

Clop ransomware group attacks a distribution company.

The group runs a chat site on the dark web to negotiate with victim companies and applies ‘double extortion’ with the leaked data.
The ransom note left during the attack opens with ‘Hello Dear K Mall’, showing a demand aimed at a specific target rather than an unspecified audience.

Tuesday, November 24, 2020, 10:34 GMT

A ransomware attack hit a distribution-related company, and a conversation between the ransomware group and a party believed to be the victim has been found on the dark web. Around the time of the attack, the perpetrator appears to have leaked data and used it as leverage in the negotiation.

According to the Clop ransomware analysis report published by S2W LAB, 17 organizations have had their data leaked by Clop, and the leaked data includes not only large amounts of employee account information but also accounting-related information. In addition, the document file left after the data is encrypted (the ransom note), which states the negotiation terms, contains a link to a dark web chat page for negotiation.

Notably, the ransom note found in this attack begins with the sentence ‘Hello Dear K Mall’. Here, ‘K Mall’ is presumed to refer to a domestic shopping mall. Ransom notes discovered in the past carried messages aimed at an unspecified audience, such as ‘your network is breached’, whereas the note found in this attack is addressed to a specific target.

When the dark web page indicated by the attacker is opened in a browser such as Tor, a window for a real-time conversation with the other party appears. Alongside the chat, the site is run in a business-like manner, offering a decryption demo, an introduction to Clop ransomware, and guidance on how to purchase Bitcoin.

In the conversation between the attacking group and the victim, the attacker demanded 40 million dollars in bitcoin as the negotiation price and offered, if it was paid, to delete about 2 million leaked card records and to recover the encrypted files. If the victim did not accept, the attacker threatened to distribute the card information and cause the company to be fined.

The victim offered $4 million in the negotiation, but the attacker countered with $36 million, saying that although he had never done so for anyone, he would grant a special 10% discount. The victim also appears to be a distribution-related company, since the attacker remarked that the victim could earn the money back during periods such as Black Friday, Christmas and New Year.

Early last year, Clop became known in Korea for attacks primarily targeting corporate AD servers. It attacks not only Internet-facing systems but also Windows-based backup servers connected to the intranet, damaging them beyond recovery. Its main attack methods are installing malicious files via email and exploiting remote desktop and VPN vulnerabilities. In particular, one security expert explained that if a company has not patched the ‘Windows Zerologon’ vulnerability (CVE-2020-1472), there is a high possibility that the ransomware has spread across the internal network to the central server.
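The Zerologon point above suggests a concrete defensive check. The following is an added example, not code from the article or from any source it cites: it reads a constructed, simplified export of domain-controller Security events and sorts the Netlogon hardening events that Microsoft's update for CVE-2020-1472 added (event IDs 5827 to 5831) into connections that were blocked, connections still allowed because enforcement is not yet on, and accounts exempted by group policy. The pipe-separated export format and every account name and address are made up for the example.

```python
"""Triage Netlogon (Zerologon, CVE-2020-1472) hardening events.

Added example, not from the article. After Microsoft's update for
CVE-2020-1472, domain controllers log Security events 5827-5831 whenever a
client uses, or tries to use, a vulnerable Netlogon secure channel. The
"timestamp|event_id|account|client" line format below is a constructed
export format; fields from a real export (wevtutil, Get-WinEvent, a SIEM)
would be mapped onto the same four values.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Event IDs documented by Microsoft for the Netlogon hardening rollout.
NETLOGON_EVENTS = {
    5827: ("denied", "vulnerable connection from machine account blocked"),
    5828: ("denied", "vulnerable connection from trust account blocked"),
    5829: ("allowed", "vulnerable connection allowed (enforcement not yet on)"),
    5830: ("exception", "vulnerable machine account allowed by group policy"),
    5831: ("exception", "vulnerable trust account allowed by group policy"),
}


@dataclass(frozen=True)
class NetlogonEvent:
    timestamp: str
    event_id: int
    account: str
    client: str


def parse_events(text):
    """Parse the constructed pipe-separated export; skips blanks and comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, eid, account, client = (f.strip() for f in line.split("|"))
        events.append(NetlogonEvent(ts, int(eid), account, client))
    return events


def triage(events):
    """Group Netlogon hardening events; unrelated event IDs are ignored."""
    summary = Counter()
    pending = defaultdict(set)     # accounts still using vulnerable channels
    exceptions = defaultdict(set)  # accounts deliberately exempted by policy
    for ev in events:
        if ev.event_id not in NETLOGON_EVENTS:
            continue
        kind, _ = NETLOGON_EVENTS[ev.event_id]
        summary[kind] += 1
        if kind == "allowed":
            pending[ev.account].add(ev.client)
        elif kind == "exception":
            exceptions[ev.account].add(ev.client)
    return {
        "summary": dict(summary),
        "pending": {a: sorted(c) for a, c in pending.items()},
        "exceptions": {a: sorted(c) for a, c in exceptions.items()},
    }


# Constructed sample; not real data. 4624 is ordinary logon noise.
SAMPLE_LOG = """\
# constructed sample export
2020-11-22T02:10:01Z|4624|svc_backup|10.0.5.20
2020-11-22T02:10:07Z|5829|BACKUP01$|10.0.5.20
2020-11-22T02:11:30Z|5829|BACKUP01$|10.0.5.21
2020-11-22T02:12:00Z|5827|LEGACY-NAS$|10.0.7.9
2020-11-22T02:13:45Z|5830|PRINTSRV$|10.0.3.4
2020-11-22T02:14:00Z|5829|LEGACY-NAS$|10.0.7.9
"""


def report(text=SAMPLE_LOG):
    """Print a short triage report and return the underlying result."""
    result = triage(parse_events(text))
    print("Netlogon hardening summary:", result["summary"])
    for account, clients in result["pending"].items():
        # 5829 means the DC is not enforcing yet and this account would break
        # once it is: patch or replace the client before enabling enforcement.
        print(f"  still vulnerable: {account} from {', '.join(clients)}")
    for account, clients in result["exceptions"].items():
        print(f"  policy exception: {account} from {', '.join(clients)}")
    return result


if __name__ == "__main__":
    report()
```

The useful signal for a defender is the "pending" list: while the domain controller is in the non-enforcing phase, every 5829 event names a machine account that still relies on the weak Netlogon channel, so the list is the work queue to clear before turning enforcement on.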

Moon Jong-hyun, head of the ESTsecurity Security Response Center, said, “Unlike past ransomware attacks, which targeted an unspecified number of victims, recent ransomware attacks are being carried out in APT fashion against a specific company. In the case of the Clop ransomware group, when negotiations actually break down, it distributes the company's data through its own dark web server.”

Meanwhile, in Korea, E-Land Group was hit by ransomware on Sunday, and the stores under E-Land Retail, one of its subsidiaries (NC Department Store, New Core Outlet, Kim’s Club, etc.), were affected. E-Land announced that it had formed a task force to respond to the breach and had begun dealing with the situation, and said that customer information is safe because it is stored in encrypted form.