Posted on January 6, 2020 at 9:46 AM

Clop Ransomware Evolves, Now can Terminate 663 Windows Processes

On October 2, last year, the Federal Bureau of Investigation (FBI) warned organizations and businesses about app-killing malware. The ransomware threat, according to the FBI, has been upgraded by hackers to make it more difficult to detect but more effective in attack.

The Investigative unit urged organizations to be wary of such threats to their systems. And the state of emergency recently declared by the City of New Orleans is a good pointer that ransomware is a big threat to systems.

Ransomware becoming more powerful

On 23 December, last year, there was another ransomware attack at the Maastricht University, which infiltrated almost all Windows systems. Now the FBI is saying the ransomware is even stronger and more devastating because the hackers have upgraded it.

It has been evolved to become an even more hazard to Windows 10 users. Also, security researchers have warned that the Clop ransomware has the capability of ending about 663 Windows 10 processes even before the file encryption processes begin. According to the researchers, Clop ransomware can kill several Microsoft Office and Windows 10 applications within a limited space of time.

The Clop ransomware was first discovered as a simple modification of the cryptoMix ransomware in March, last year. By then, there wasn’t anything particularly extraordinary about the malware. However, the ransomware suddenly stopped targeting individual windows machines to do more devastating work by targeting the entire networks. That was when cyber-security researchers started paying more serious attention to the activities of the ransomware.

At the time, researchers thought that Russia’s TA505 threat group was responsible for the Clop attacks, including the attack on Maastricht University on Dec 23, 2019.

Even before then, the cryptoMix ransomware had been causing a lot of nuisance, albeit on a smaller scale.

Clop ransomware can dislodge Microsoft Security essentials

While reporting to Bleeping Computers on Nov 22, last year, security researcher Lawrence Abraham said that Clop has now upgraded to the extent of dislodging Microsoft Security essentials and destabilizing Windows Defender. He also said the ransomware is even capable of fighting off Malwarebyte Anti-ransomware protection on Windows.

Clop upgrading as a Windows App-killing menace

Threat actors have often favored the target of Windows 10. There have been a series of attacks on Windows 10, including the Snatch cyber syndicates that implemented the bypass malware and from APT attack syndicates like Thallium. Microsoft has been able to nullify most of these threats, which did not cause heavy damage.

However, the actors pushing the Clop malware had spent a long time and effort to make the malware more adaptable and more devastating to Windows processes.

Generally, normal ransomware would try to disable security software before they try to cause havoc on the host system. But the report from Bleeping Computer revealed that Clop could do much more than that.

The upgraded ransomware is capable of terminating about 663 Windows processes. Although it’s still not clear why it could terminate some of these processes, Abrams, who is the editor-in-chief at Bleeping Computers, reported that the ransomware might be looking for encrypted configuration files for some of these programs. It could also be because the threat actors are making sure that many files are closed to make them successfully encrypted.

According to him, the most common terminated files by the Clop ransomware include SecureCRT, Snagit, and the Calculator program.

Abrams also said the closedown process of the Clop ransomware is unreasonably high, with different types of applications impacted. When programs like Word, Skype, PowerPoint, Edge, Calculator, and Acrobat as all targeted, it’s a clear indication that the actors are targeting a broader sweep.

The worst part is the fact that Clop does not terminate the files through a Windows batch file. Rather, Clop entrenched termination functionality into the executable ransomware. According to the researchers, that’s when it can even do more devastating damage.

Mitigating the risk of Clop ransomware

Just like any other ransomware, the ideal way to combat the threat is to be fully aware and prepared. When users understand how the malware operates to infiltrate the system, it will help them fashion out a more appropriate defense mechanism for such malware.

Another practice is to make sure that the system has the latest security updates. It’s also good for users to study the activities of most of the malware because they are threats to a wide range of systems and applications. According to researchers, when users are aware of the activities of malware, it would help them get prepared and keep the malware off their system.