Clop ransomware evolves as app-killing malware for Windows 10

News by Chandu Gopalakrishnan

A Clop ransomware variant can now take down a total of 663 Windows processes including new Windows 10 apps, programming languages, debuggers, terminal programs, and programming IDE software

A Clop ransomware variant can now take down a total of 663 Windows processes, Bleeping Computer reported.

The ransomware was discovered by Michael Gillespie at MalwareHunterTeam in February 2019. The malware has been evolving since then, McAfee researchers Alexandre Mundo and Marc Rivero Lopez noted in August.

"Clop is a variant of the CryptoMix ransomware family, but has been evolving rapidly in the last year to disable an increasingly large number of Windows processes," Javvad Malik, security awareness advocate at KnowBe4, told SC Media UK.

The latest variant of Clop was found in late December 2019 by MalwareHunterTeam. Vitali Kremez of MalwareHunterTeam reverse engineered the variant and found that Clop now terminates 663 Windows processes -- including new Windows 10 apps, programming languages, debuggers, terminal programs, and programming IDE software -- before encrypting files.

"The main goal of Clop is to encrypt all files in an enterprise and request a payment to receive a decryptor to decrypt all the affected files," read the McAfee report in August. 

"To achieve this, we observed some new techniques being used by the author that we have not seen before. Clearly over the last few months we have seen more innovative techniques appearing in ransomware."

Vitali Kremez's report lists Calculator, Acrobat, Office applications, Edge, Skype, and even the new Windows 10 Your Phone app among the processes the new Clop variant terminates.
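One defensive angle on the behaviour described above is to watch for the pattern itself: many distinct user applications terminating on one host within a few seconds, which is unusual in normal operation. The script below is an added illustration, not code from the article or from any researcher or vendor quoted in it; the log format, file paths, timestamps and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the article): one process
# termination event per line, formatted "timestamp host image_path".
# HOST-A shows a Clop-like burst; HOST-B shows ordinary activity.
SAMPLE_LOG = r"""
2019-12-30T09:00:01 HOST-A C:\Windows\System32\calc.exe
2019-12-30T09:00:01 HOST-A C:\Program Files\Adobe\Acrobat\Acrobat.exe
2019-12-30T09:00:02 HOST-A C:\Program Files\Microsoft Office\WINWORD.EXE
2019-12-30T09:00:02 HOST-A C:\Program Files\Microsoft Office\EXCEL.EXE
2019-12-30T09:00:03 HOST-A C:\Program Files\Microsoft\Edge\msedge.exe
2019-12-30T09:00:03 HOST-A C:\Program Files\Microsoft\Skype\Skype.exe
2019-12-30T09:05:00 HOST-B C:\Program Files\Microsoft Office\WINWORD.EXE
2019-12-30T09:20:00 HOST-B C:\Windows\System32\calc.exe
"""

WINDOW = timedelta(seconds=10)   # assumed tuning values; adjust per estate
THRESHOLD = 5                    # distinct images terminated within WINDOW


def parse_events(log):
    """Parse log lines into (timestamp, host, image) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, host, image = line.split(" ", 2)   # image path may contain spaces
        events.append((datetime.fromisoformat(ts), host, image.lower()))
    return events


def find_kill_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return {host: distinct_images} for hosts where at least `threshold`
    distinct images terminated inside any sliding time `window`."""
    by_host = defaultdict(list)
    for ts, host, image in sorted(events):
        by_host[host].append((ts, image))
    alerts = {}
    for host, evs in by_host.items():
        start, worst = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide window forward
                start += 1
            distinct = len({img for _, img in evs[start:end + 1]})
            worst = max(worst, distinct)
        if worst >= threshold:
            alerts[host] = worst
    return alerts


if __name__ == "__main__":
    for host, n in find_kill_bursts(parse_events(SAMPLE_LOG)).items():
        print(f"{host}: {n} distinct applications terminated within {WINDOW}")
```

On the constructed input only HOST-A is flagged, with six distinct applications killed inside three seconds; the threshold should be tuned against a baseline of normal logoff and update activity before it is used to alert.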

"The fact that it can disable so many processes is quite worrying, and lessens the reliance organisations can place on their endpoint controls," said Malik. 

However, this can be contained with effective anti-phishing tactics, he noted. 

"Like many other ransomware variants, this is primarily spread through phishing or similar techniques. Therefore, delivering effective and timely security awareness and training to staff is vitally important so that they can identify and report any suspected attacks."

Apart from regular software patching and hardware updates, educating yourself and the workforce on the consequences of clicking malicious emails or links goes a long way in countering ransomware attacks, said David Kennefick, product architect at edgescan.

"Email phishing remains the most popular choice for attackers, so not clicking attachments from unknown correspondents will lower the chances of being attacked. Have antivirus software installed with the latest updated signatures and ensure system/device backups are conducted on a regular basis. This will help reduce the overall impact that an attack may have. Especially with strains such as Clop, which can disable so many processes, prevention is the preferred strategy as opposed to reactive."

Outpost24 offensive security manager Hugo van den Toorn also stressed the importance of awareness in countering the ransomware threat.

"Many malware variants are still delivered through phishing or malvertising: both trick users into clicking a link, downloading malicious software and running it," he told SC Media UK.

"Before clicking anything, ask yourself what you are about to do. Why are you clicking this link, why are you visiting this website and why would you download this file? In any way; if you are presented with anything you did not ask for, don’t click it. And if something is too good to be true, it probably is."
