The Federal Bureau of Investigation (FBI) issued a high-impact threat warning to U.S. businesses and organizations on October 2, 2019. That threat was ransomware, and the FBI warned that cybercriminals “upgrade and change their techniques to make their attacks more effective and to prevent detection.” Although some dismiss ransomware as old news, the fact that the City of New Orleans recently declared a state of emergency following an attack should be proof enough that it remains a real and present danger. Now an already successful ransomware family, the one behind the December 23 attack that encrypted “almost all Windows systems” at Maastricht University, has evolved to become even more of a threat to Windows 10 users. Security researchers have revealed that the latest Clop ransomware variant terminates a total of 663 Windows processes before file encryption commences, among them a host of Windows 10 and Microsoft Office applications. Here’s what is known so far.
A brief history of Clop
Clop first emerged as a pretty straightforward variant of the CryptoMix ransomware family back in March 2019. At the time, it didn’t appear to be anything particularly out of the ordinary, not least as CryptoMix had been making a nuisance of itself since March 2016. However, even in those early days, the threat actors behind Clop were looking to tweak the malware threat: Clop started targeting entire networks rather than just individual Windows machines.
Lawrence Abrams, writing for Bleeping Computer on November 22, 2019, noted that Clop had evolved to attempt to disable Windows Defender and to remove Microsoft Security Essentials and Malwarebytes’ Anti-Ransomware protections. It was thought that the Russian-speaking TA505 threat group was behind the Clop attacks at the time. The most recently reported, and certainly the biggest, of the Clop attacks hit Maastricht University in the Netherlands on December 23, 2019.
Clop evolves to become Windows 10 app-killing threat
Windows 10 is something of a perennial favorite target amongst threat actors, from advanced persistent threat (APT) groups like Thallium, which Microsoft recently countered with a decisive counterpunch, through to the Snatch Team of cybercriminals, which, as reported in December 2019, implemented “devious and evil” malware to bypass Windows 10 security software during attacks.
It should, therefore, come as little surprise that the actors behind Clop have put time and effort into adapting the malware code to target Windows processes. Ransomware will commonly attempt to disable security software, that much is a given. However, a Bleeping Computer report has now confirmed that a Clop variant reverse-engineered at the end of 2019 terminates a total of 663 Windows processes. “It is not known why some of these processes are terminated,” Bleeping Computer editor-in-chief, Abrams, said, “especially ones like Calculator, Snagit, and SecureCRT, but it’s possible they want to encrypt configuration files used by some of these tools.” It’s also possible that the threat actors are simply trying to ensure as many files as possible are closed: a file held open with an exclusive lock by a running application cannot be opened for writing by another process, so it could not be successfully encrypted.
What we can say for sure is that the list of Windows processes Clop shuts down is unexpectedly large, with all sorts of everyday applications impacted. The full list is in researcher Vitali Kremez’s report. When you realize that Acrobat, Calculator, Edge, PowerPoint, Skype, Word and even the new Windows 10 Your Phone app are targeted, it’s clear this is a broad brush being applied. What’s more, these processes are not being closed by way of a Windows batch file. Instead, Clop has embedded the process-termination functionality into the malware executable itself, so there is no separate script on disk for defenders to spot.
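Because the kill list is executed from inside the ransomware binary rather than from a script, one of the few observable side effects is the burst itself: dozens of unrelated user applications exiting within a few seconds while the user is still logged on. The following PowerShell is an added hunting example written for this article, not code from Bleeping Computer, Vitali Kremez or the Clop sample. It reads Sysmon Event ID 5 (ProcessTerminate) records and flags a window in which an unusually large number of distinct images exit. Sysmon does not record which process issued the termination, so this is a heuristic: the window size, the threshold, the executable file names assumed for the applications the article names, and the sample events are all assumptions or constructed data.

```powershell
# Added example, not from the article. Heuristic: many distinct applications
# terminating inside a short window, as Clop does before it starts encrypting.
function Find-TerminationBurst {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with UtcTime (DateTime) and Image (string)
        [int] $WindowSeconds     = 10,               # assumption: tune to your environment
        [int] $MinDistinctImages = 20                # assumption: a normal session rarely does this
    )
    $sorted = @($Events | Sort-Object UtcTime)
    $bursts = @()
    for ($i = 0; $i -lt $sorted.Count; $i++) {
        $start    = $sorted[$i].UtcTime
        $end      = $start.AddSeconds($WindowSeconds)
        $inWindow = @($sorted | Where-Object { $_.UtcTime -ge $start -and $_.UtcTime -le $end })
        $distinct = @($inWindow.Image | ForEach-Object { [IO.Path]::GetFileName($_).ToLower() } | Sort-Object -Unique)
        if ($distinct.Count -ge $MinDistinctImages) {
            $bursts += [pscustomobject]@{ Start = $start; End = $end; Distinct = $distinct.Count; Images = $distinct }
            # jump past this window so one burst is not reported once per event inside it
            $i = [array]::IndexOf($sorted, $inWindow[-1])
        }
    }
    return $bursts
}

# Live collection: Sysmon ProcessTerminate events (ID 5) from the last hour,
# reshaped to the UtcTime/Image objects the function above expects.
function Get-SysmonTerminations {
    param([datetime] $Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 5
        StartTime = $Since
    } -ErrorAction Stop | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            UtcTime = [datetime]::ParseExact($d.UtcTime, 'yyyy-MM-dd HH:mm:ss.fff',
                          [Globalization.CultureInfo]::InvariantCulture)
            Image   = $d.Image
            User    = $d.User
        }
    }
}

# Constructed sample (not real telemetry): the applications the article names,
# with assumed executable names, plus placeholders, all exiting within ~3 seconds,
# and one isolated, normal exit an hour earlier that must not be flagged.
$t0    = [datetime]'2019-12-23T10:15:00Z'
$names = 'acrobat.exe','calc.exe','msedge.exe','powerpnt.exe','skype.exe',
         'winword.exe','yourphone.exe','snagit32.exe','securecrt.exe'
$names += 1..15 | ForEach-Object { "placeholder$_.exe" }
$sample = @()
$k = 0
foreach ($n in $names) {
    $sample += [pscustomobject]@{ UtcTime = $t0.AddMilliseconds(120 * $k); Image = "C:\Program Files\$n" }
    $k++
}
$sample += [pscustomobject]@{ UtcTime = $t0.AddHours(-1); Image = 'C:\Windows\notepad.exe' }

# Expect exactly one burst of 24 distinct images starting at $t0.
Find-TerminationBurst -Events $sample | Format-List

# Against a real host with Sysmon installed:
# Find-TerminationBurst -Events (Get-SysmonTerminations) | Format-List
```

Treat a hit as a lead, not a verdict: a logoff, shutdown or a legitimate mass-close will produce the same pattern, so correlate the window with whether the session stayed interactive, with any security product being stopped at the same time, and with file-modification events that follow it. A burst that precedes a wave of renamed or rewritten documents is the sequence the article describes.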
How to mitigate the Clop ransomware risk
As with all ransomware threats, the best mitigation is to be prepared. That means being cyber aware: understanding how malware is distributed helps users to spot the kind of emails and attachments that are dangerous and take appropriate action. Ensuring that systems and applications are patched with the latest security updates is also best practice; vulnerabilities in browsers, for example, are often exploited by threat actors to install ransomware. Beyond user education and proper patch management, enabling Controlled Folder Access in Windows Defender is also recommended, as it stops untrusted processes from writing to the folders you protect and so blunts the encryption stage even if the malware runs. Any ransomware mitigation advice would be lacking were it not to mention that the 3-2-1 rule of backups should also be in place. That means that backing up your files regularly isn’t optional, folks: keep at least three copies of your data, on two different types of storage media, with one copy “offsite” and, ideally, offline, where ransomware that has reached your network cannot encrypt it too.
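Controlled Folder Access is the one item in the list above that is a concrete setting rather than a practice, so here is how to roll it out from an elevated PowerShell prompt on Windows 10 with Microsoft Defender Antivirus active. This is an added example for this article, not guidance from the FBI, Bleeping Computer or Microsoft; the extra folder path and the allowed-application path are assumptions to be replaced with your own. The cmdlets (`Set-MpPreference`, `Add-MpPreference`, `Get-MpPreference`) and the Defender Operational log event IDs 1123 (blocked) and 1124 (audited) are Microsoft's.

```powershell
# Added example, not from the article: enable Windows Defender Controlled Folder
# Access in stages, so legitimate software is discovered before it is blocked.
# Run elevated on Windows 10 with Microsoft Defender Antivirus active.

# 1. Audit first: writes to protected folders by untrusted apps are logged, not blocked.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect more than the default profile folders (Documents, Pictures, ...).
#    'D:\Finance' is an assumed path for this example.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance'

# 3. Review what would have been blocked. Defender records Controlled Folder Access
#    decisions in its Operational log: 1123 = blocked, 1124 = audited.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap -AutoSize

# 4. Allow any known-good application that showed up in audit.
#    The path below is an assumed placeholder, not a real product.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ExampleVendor\LineOfBusiness.exe'

# 5. Enforce once the audit period is clean.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 6. Verify the effective state: 1 means Enabled (0 Disabled, 2 AuditMode).
(Get-MpPreference).EnableControlledFolderAccess
```

Two caveats worth keeping in mind. Controlled Folder Access protects only the folders on its list, so anything users keep elsewhere, including mapped network shares not covered by a server-side control, is still exposed; and it does nothing to stop the process-termination stage described earlier, it only denies the encryption writes that follow. Leave it in audit mode long enough to catch monthly or quarterly line-of-business tools before switching to Enabled, and monitor event 1123 afterwards, since a blocked write from an unexpected binary is itself a strong ransomware indicator.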