CLOP Ransomware Now Terminates 663 Processes Before Encrypting Your Files (Jan 7, 2019)
“CLOP” ransomware has recently evolved into a more sophisticated trojan, reportedly terminating a total of 663 processes before encrypting any files. CLOP ransomware, reportedly used by the Russian cyber threat group “TA505,” has been in circulation since February 2019 and is a CryptoMix ransomware variant; similar features have been seen within this family of ransomware since 2017. According to MalwareHunterTeam and reverse engineer Vitali Kremez, this new version of CLOP terminates processes such as Adobe Acrobat, Microsoft Office applications, Notepad and Notepad++, among others, allowing CLOP to encrypt more of the commonly used file types those applications handle. In December 2019, CLOP infected the University of Maastricht in the Netherlands, disabling all of its Windows systems. The university is investigating the attack, trying to determine whether the actors were able to gain access to scientific data. TA505 is suspected to be behind the attack, as the group has adopted CLOP ransomware as its final payload of choice in other attributed attacks.
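The mass process termination described above is itself a detectable behaviour: a single process killing several document editors within seconds is rare in normal use. The following detection logic is an added example, not code from the original report or from the researchers it cites; the log format, the sample lines and the executable names assumed for the named applications are constructed for this demonstration.

```python
"""Detect one process terminating many document editors in a short window.
Added example, not code from the original report; the log format, sample
lines and executable names are constructed for this demonstration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Binaries assumed for the applications the report names (Acrobat, Office,
# Notepad, Notepad++); extend to match the environment being monitored.
WATCHED = {"acrobat.exe", "winword.exe", "excel.exe", "outlook.exe",
           "notepad.exe", "notepad++.exe"}

# Constructed sample log, one process-termination event per line:
# "<ISO time> <actor image path> TERMINATED <target image name>"
SAMPLE_LOG = r"""
2019-12-23T10:00:01 C:\Windows\explorer.exe TERMINATED notepad.exe
2019-12-23T10:05:00 C:\Users\bob\AppData\Local\Temp\update.exe TERMINATED acrobat.exe
2019-12-23T10:05:00 C:\Users\bob\AppData\Local\Temp\update.exe TERMINATED winword.exe
2019-12-23T10:05:01 C:\Users\bob\AppData\Local\Temp\update.exe TERMINATED excel.exe
2019-12-23T10:05:01 C:\Users\bob\AppData\Local\Temp\update.exe TERMINATED notepad++.exe
2019-12-23T10:05:02 C:\Users\bob\AppData\Local\Temp\update.exe TERMINATED outlook.exe
2019-12-23T11:30:00 C:\Windows\System32\taskmgr.exe TERMINATED winword.exe
"""

def parse(line):
    ts, actor, _, target = line.split(" ", 3)
    return datetime.fromisoformat(ts), actor, target.lower()

def find_mass_terminators(log_text, window=timedelta(seconds=60), min_kills=3):
    """Return {actor: sorted targets} for each actor that kills at least
    min_kills distinct watched applications inside one sliding window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, actor, target = parse(line)
            if target in WATCHED:
                events[actor].append((ts, target))
    alerts = {}
    for actor, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            hit = {t for _, t in evs[start:end + 1]}
            # Keep the largest qualifying set of victims seen for this actor.
            if len(hit) >= min_kills and len(hit) > len(alerts.get(actor, ())):
                alerts[actor] = sorted(hit)
    return alerts
```

Running `find_mass_terminators(SAMPLE_LOG)` flags only the `update.exe` actor, which killed five watched applications within two seconds; the single kills by Explorer and Task Manager stay below the threshold.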
Recommendation: Proper file storage and backup systems are crucial to have in place as a precautionary security measure. In the case of ransomware infection, the affected system must be wiped and reformatted, and other devices on the network should be checked for similar infections. Always check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals.
Indicators of Compromise (IOCs) associated with this story are available to ThreatStream users to identify potential malicious activity.