Clone ransomware is a member of the notorious Dharma ransomware family, identified during a routine analysis of malicious submissions on VirusTotal. This ransomware encrypts files on compromised devices and demands payment in exchange for decryption tools.
Threat Summary
| Attribute | Details |
|---|---|
| Name | Clone ransomware |
| Threat Type | Ransomware, Crypto Virus, Files Locker |
| Encrypted Files Extension | .Clone (files appended with a unique ID and attackers’ email address) |
| Ransom Note File Name | clone_info.txt |
| Cyber Criminal Contact | CloneDrive@mailum.com, CloneDrive@tuta.io |
| Detection Names | Combo Cleaner (Trojan.Ransom.Crysis.E), DrWeb (Trojan.Encoder.3953), ESET-NOD32 (Win32/Filecoder.Crysis.P), Kaspersky (Trojan-Ransom.Win32.Crusis.to), Microsoft (Ransom:Win32/Wadhrama!pz) |
| Symptoms of Infection | Inaccessible files with a new extension, ransom note displayed, and demand for payment in cryptocurrency. |
| Damage | Encrypts all personal files, possible installation of additional malware, and potential data theft. |
| Distribution Methods | Infected email attachments, torrent websites, malicious ads, phishing, and drive-by downloads. |
| Danger Level | High |
Remove annoying malware threats like this one in seconds!
Scan Your Computer for Free with SpyHunter
Download SpyHunter now, and scan your computer for this and other cybersecurity threats for free!
How Clone Ransomware Operates
Clone ransomware primarily targets individual files by appending a .Clone extension and creating ransom notes in the form of text files and pop-up windows. These notes instruct victims to contact the attackers via email for decryption instructions, emphasizing that third-party assistance should be avoided.
Key Characteristics
- File Encryption: Local and network-shared files are encrypted using strong algorithms, rendering them inaccessible.
- Exclusion List: Ensures no double encryption and excludes certain processes to maintain functionality.
- Persistence: Copies itself to
%LOCALAPPDATA%and modifies system settings for auto-execution after reboot. - Geolocation-Based Targeting: May avoid devices in specific regions based on geopolitical or economic factors.
- Data Recovery Hindrance: Deletes Volume Shadow Copies, eliminating the possibility of system recovery.
Removal Guide for Clone Ransomware
Remove annoying malware threats like this one in seconds!
Scan Your Computer for Free with SpyHunter
Download SpyHunter now, and scan your computer for this and other cybersecurity threats for free!
Step 1: Disconnect from the Internet
Immediately disconnect the infected device from the internet to prevent further data encryption or malware communication.
Step 2: Boot into Safe Mode
- Restart your computer and press
F8(or the designated key for your system) before the Windows logo appears. - Select Safe Mode with Networking and press Enter.
Step 3: Use SpyHunter to Detect and Remove Clone Ransomware
SpyHunter is an advanced anti-malware tool that can identify and remove Clone ransomware effectively:
- Download SpyHunter from a trusted source using an uninfected device.
- Transfer the installation file to the infected system via USB drive.
- Install and run SpyHunter to perform a full system scan.
- Follow the prompts to quarantine and remove all detected threats.
Step 4: Restore Files from Backup
If you have previously backed up your files to an external or cloud storage, restore them after ensuring the system is clean.
Prevention Methods to Avoid Future Infections
- Strengthen RDP Security:
- Use strong, unique passwords and two-factor authentication for RDP access.
- Restrict RDP access to trusted IP addresses.
- Exercise Email Caution:
- Avoid opening unsolicited emails or clicking on unknown attachments and links.
- Verify the sender’s identity before downloading files.
- Update and Patch Software: Regularly update your operating system, software, and antivirus to patch vulnerabilities.
- Use Reliable Security Tools: Install robust antivirus and anti-malware programs like SpyHunter to detect and block threats.
- Create Regular Backups: Store backups in multiple secure locations, including offline storage and cloud services.
- Avoid Pirated Software: Only download software from trusted sources to avoid bundled malware.
- Monitor Network Traffic: Use firewalls and network monitoring tools to detect unusual activity.
Conclusion
Clone ransomware is a dangerous threat designed to extort victims by encrypting their files and demanding ransoms. Although removal is possible using tools like SpyHunter, recovering files without backups remains challenging. Implementing robust security practices and maintaining regular backups are essential to protect against ransomware attacks.
Remove annoying malware threats like this one in seconds!
Scan Your Computer for Free with SpyHunter
Download SpyHunter now, and scan your computer for this and other cybersecurity threats for free!
Ransom Note Details
Upon infection, Clone ransomware drops a ransom note both in a pop-up window and as a text file named clone_info.txt. This note demands that the victim contact the cyber criminals via email to pay the ransom. The attackers suggest that the decryption process is possible but caution against seeking help from third parties, likely to prevent the use of alternative decryption methods.
Here is a summary of the text presented in the pop-up and ransom note:
Pop-up Message:
CLONE
YOUR FILES ARE ENCRYPTED
Don't worry, you can return all your files!
If you want to restore them, write to the mail: CloneDrive@mailum.com YOUR ID -
If you have not answered by mail within 24 hours, write to us by another mail: CloneDrive@tuta.io
ATTENTION
CloneDrive does not recommend contacting agent to help decode the dataRansom Note Text File (clone_info.txt):
You want to return?
write email CloneDrive@mailum.com or CloneDrive@tuta.io
