Clop

NJCCIC Threat Profile

Original Release Date: 2019-10-28

Clop ransomware, a variant of CryptoMix, was first discovered in February 2019 and shares similar TTPs with Ryuk and BitPaymer. There are many variants of Clop, though a consistently observed technique is the use of executables that have been code-signed with a digital signature in an attempt to appear legitimate and bypass security software detection. Clop first attempts to stop numerous Windows services and processes in an effort to disable antivirus software and close open files so that they can be encrypted. In the next phase, the ransomware creates a batch file (file names vary by variant) that attempts to disable Windows' automatic startup repair and to remove and resize shadow volume copies. Like CryptoMix, Clop has been observed proliferating through brute-force attacks against Remote Desktop Protocol (RDP), and some variants propagate through spear-phishing emails. Although some variants claim to have compromised the entire network rather than just the originally infected device, at the time of this writing researchers determined that Clop does not have the ability to self-propagate through the network.

Technical details

  • Technical details and IOCs can be found in the McAfee Labs blog.
  • Please see Bleeping Computer’s article for further reporting and IOCs.

Reporting

  • November 2019: The Clop ransomware attempts to disable Windows Defender as well as remove Microsoft Security Essentials and Malwarebytes. (Bleeping Computer)
  • 01/03/2020: Though it is not uncommon for ransomware to terminate processes before encrypting files, this new variant terminates a total of 663 processes in an attempt to ensure encryption of tools and configuration files. Additionally, this variant appends encrypted files with a .Cl0p extension.
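As an added defender-side example that is not part of this NJCCIC profile, the script below scans constructed process-creation records (Sysmon Event ID 1 or Security 4688 style) for the behaviors described in the overview and in the January 2020 entry: shadow volume copy deletion and resizing, disabling of automatic startup repair, and bulk service and process termination. The sample events and the specific vssadmin, bcdedit, net stop and taskkill command forms are assumptions drawn from common ransomware tradecraft, not quoted from the profile.

```python
import re
from collections import Counter, defaultdict

# Constructed process-creation records (Sysmon Event ID 1 / Security 4688 style); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "cmd.exe", "cmdline": "vssadmin.exe Delete Shadows /all /quiet"},
    {"host": "ws01", "parent": "cmd.exe", "cmdline": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"host": "ws01", "parent": "cmd.exe", "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "ws01", "parent": "cmd.exe", "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"host": "ws01", "parent": "cmd.exe", "cmdline": "net stop MSSQLSERVER /y"},
    {"host": "ws01", "parent": "cmd.exe", "cmdline": "net stop SQLWriter /y"},
    {"host": "ws01", "parent": "cmd.exe", "cmdline": "net1 stop WinDefend /y"},
    {"host": "ws01", "parent": "cmd.exe", "cmdline": "taskkill /F /IM outlook.exe"},
    {"host": "ws01", "parent": "cmd.exe", "cmdline": "taskkill /F /IM winword.exe"},
    {"host": "ws02", "parent": "cmd.exe", "cmdline": "net stop spooler"},       # a lone admin action
    {"host": "ws02", "parent": "cmd.exe", "cmdline": "vssadmin list shadows"},  # read-only, benign
]

# One pattern per behavior the profile describes. Case-insensitive and tolerant of the .exe suffix.
RULES = {
    "shadow_copy_delete":      re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "shadow_storage_resize":   re.compile(r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage\b", re.I),
    "startup_repair_disabled": re.compile(
        r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "service_stop":            re.compile(r"\b(?:net1?|sc)(?:\.exe)?\s+stop\b", re.I),
    "process_kill":            re.compile(r"\btaskkill(?:\.exe)?\s.*?/(?:f|im)\b", re.I),
}
BULK_RULES = {"service_stop", "process_kill"}  # normal in isolation, suspicious in volume

def classify(cmdline):
    """Return the names of every rule the command line matches."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def detect(events, bulk_threshold=5):
    """Return (host, rule, detail) findings. Shadow-copy and boot-config hits fire immediately;
    service stops and process kills fire only when one parent issues >= bulk_threshold of them."""
    findings, per_parent = [], defaultdict(Counter)
    for ev in events:
        for rule in classify(ev["cmdline"]):
            if rule in BULK_RULES:
                per_parent[(ev["host"], ev["parent"])][rule] += 1
            else:
                findings.append((ev["host"], rule, ev["cmdline"]))
    for (host, parent), counts in per_parent.items():
        total = sum(counts.values())
        if total >= bulk_threshold:
            findings.append((host, "bulk_service_process_termination",
                             f"{parent} issued {total} stop/kill commands"))
    return findings

if __name__ == "__main__":
    for host, rule, detail in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {detail}")
```

Tune bulk_threshold to the environment; a real feed would also carry timestamps so the count can be bounded to a short window rather than the whole event set.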

New Jersey Cybersecurity & Communications Integration Cell
