Clop Ransomware



SonicWall Capture Labs Threat Research Team recently found a new sample and activity for the “Clop” ransomware. The unique parts of the sample use Asymmetric Encryption and use the Mersenne Twister pseudo-random number generator. The sample will encrypt only files created in 2019. The sample will check for Anti-Virus software installed such as Malwarebytes before going into the final stages of the ransomware.

The sample will also do the following:

  • Delete the shadow volumes with vssadmin (“vssadmin Delete Shadows /all /quite”).
  • Resize the shadow storage for devices starting from C to H to avoid the shadow volumes being recreated.
  • Using bcedit to disable the recovery options in the boot config and ignore any failures.
  • The service: “WdiSystemSHost” is created.

Sample Static Information:

Unpacking The Sample:

Lets peer into the starting routine of the first stage:

First stage buffer or code cave:

After the buffer is created it will decrypt and copy code into the code cave:

Calling the decrypted code cave:

The code cave will have the second stage compressed:

After decompression, the PE in memory:

Dumping Second Stage:

Second Stage Static Information:

Unpacked Starting Routine:

Asymmetric Public Key:

Mersenne Twister Indicators:

First Call To MT, the byte_419000 is the character array in which the Mersenne Twister Engine is used on:

Range of engine:

GetTickCount is used with the engine:



Anti-Virus Checks:

Shell Execute Commands:

Open image in new tab to see larger version of the picture.

Service Activity:

The service name is: “WdiSystemSHost”

Service procedure and controls:

SonicWall, (GAV) Gateway Anti-Virus, provides protection against this threat:

  • GAV: Clop.RSM_2 (Trojan)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.