New Clop Ransomware Encrypts Windows Processes

By John Lister

Researchers have spotted new ransomware with a nasty new twist. "Clop," as it's called, doesn't just encrypt files: it deliberately shuts down running applications as well.

The move is most likely intended to reduce the chances of the ransomware being blocked, but it also means an attack could be even more disruptive and makes it more likely that a complete rebuild of the affected PC will be necessary.

Normally ransomware's main task is to encrypt as many files as possible on a computer. The idea here is to extort the user by forcing them to pay a ransom to regain access to the locked files.

The ideal case for an attacker is a victim that has the money to pay the ransom but lacks the capability to protect themselves against attacks or keep suitable backups. The problem is that ransomware culprits often rely on blanket distribution of malware, so users who were never the intended target end up caught in the attack as well.

600+ Windows Processes Targeted

It's not unusual for ransomware to attempt to disable security software before it begins encrypting. Often this is done by hand: the criminals connect to the PC remotely, armed with details of which security software to target.

However, a new variant of the well-known Clop ransomware takes things a step further. It carries a built-in list of 663 processes to shut down before unleashing the encryption, covering numerous applications such as Microsoft Office, Notepad and even the Windows calculator. (Source: bleepingcomputer.com)

Ransomware Misery Increases

The precise reasons for this tactic aren't known for certain, though clearly it's not out of fear that these applications could stop the ransomware from working.

One theory is that encrypting a file that is open, or in use by an active process, is far more difficult: the operating system denies the ransomware access to the file for as long as the owning process holds it open.

It's theorized that shutting down these processes, and with them closing the files they hold open, would make it easier to encrypt the applications' configuration files too, adding to the frustration users experience. (Source: forbes.com)

Another possibility is that this tactic could make it easier to encrypt documents and other files that the PC owner is actively using at the moment the ransomware strikes. By definition, those are the files least likely to be adequately backed up. That could make the victim more likely to pay up, particularly in organizations which rely on up-to-date data.
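The behaviour described above, a single process killing hundreds of user applications in a short burst before any encryption starts, is itself a signal a defender can watch for. The following is an added example, not code from the article or from any of the sources it cites: it runs a simple sliding-window heuristic over constructed endpoint telemetry (a made-up JSON-lines format, not the output of any real EDR or Sysmon configuration) and flags an actor that terminates many distinct processes within a few seconds, while ignoring the occasional kill a user performs from Task Manager. The window size and thresholds are assumed starting values to tune against your own environment.

```python
"""Flag a burst of process terminations by one actor in endpoint telemetry."""
import json
from collections import defaultdict, deque

# Constructed sample telemetry for this example (made-up format): one JSON
# object per line. "ts" is seconds, "actor"/"actor_pid" identify the process
# that requested the termination, "target" is the image that was killed.
_USER_APPS = ["WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE", "notepad.exe",
              "calc.exe", "POWERPNT.EXE", "mspaint.exe", "Acrobat.exe",
              "chrome.exe", "firefox.exe", "sqlservr.exe", "explorer.exe"]

SAMPLE_TELEMETRY = "\n".join(
    # A user closing two apps from Task Manager a minute apart: benign.
    [json.dumps({"ts": 100.0, "type": "process_terminate", "actor": "taskmgr.exe",
                 "actor_pid": 4100, "target": "chrome.exe"}),
     json.dumps({"ts": 160.0, "type": "process_terminate", "actor": "taskmgr.exe",
                 "actor_pid": 4100, "target": "notepad.exe"})]
    # One unknown binary killing a dozen different user applications in
    # under a second: the pre-encryption pattern discussed in the article.
    + [json.dumps({"ts": 300.0 + i * 0.05, "type": "process_terminate",
                   "actor": "update.exe", "actor_pid": 5312, "target": name})
       for i, name in enumerate(_USER_APPS)]
    # An unrelated event type, which the detector must ignore.
    + [json.dumps({"ts": 310.0, "type": "process_create", "actor": "update.exe",
                   "actor_pid": 5312, "target": "cmd.exe"})]
)


def parse_events(text):
    """Parse JSON-lines telemetry into a list sorted by timestamp.

    Malformed lines are skipped rather than aborting the whole run, since a
    detector that dies on one bad record is easy to blind.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return sorted(events, key=lambda e: e["ts"])


def detect_mass_termination(events, window_seconds=30.0, threshold=10, min_distinct=5):
    """Return one alert per actor that terminated at least `threshold` processes,
    covering at least `min_distinct` different images, inside a sliding window
    of `window_seconds`. Thresholds are assumed values, not vendor guidance."""
    recent = defaultdict(deque)   # (actor, pid) -> deque of (ts, target) in window
    alerts = {}
    for e in events:
        if e.get("type") != "process_terminate":
            continue
        key = (e["actor"], e["actor_pid"])
        window = recent[key]
        window.append((e["ts"], e["target"]))
        # Drop events that have fallen out of the sliding window.
        while window and e["ts"] - window[0][0] > window_seconds:
            window.popleft()
        distinct = {target for _, target in window}
        if len(window) >= threshold and len(distinct) >= min_distinct:
            # Overwrite so the alert reflects the whole burst, not just its start.
            alerts[key] = {
                "actor": e["actor"],
                "actor_pid": e["actor_pid"],
                "count": len(window),
                "first_ts": window[0][0],
                "last_ts": e["ts"],
                "targets": sorted(distinct),
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_mass_termination(parse_events(SAMPLE_TELEMETRY)):
        print(f"ALERT {alert['actor']} (pid {alert['actor_pid']}) terminated "
              f"{alert['count']} processes in {alert['last_ts'] - alert['first_ts']:.2f}s: "
              f"{', '.join(alert['targets'])}")
```

Keying the window on (actor, pid) rather than on image name alone stops a long-lived legitimate process such as Task Manager from accumulating a false positive over hours, while the distinct-target requirement filters out a service that restarts one crashing child repeatedly.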

What's Your Opinion?

Would you consider paying ransomware? Would you worry that doing so simply encouraged further attacks? How would you cope if most or all files on your PC became inaccessible in such an attack?


Comments

Stuart Berg

You hit the nail on the head, at least for some anti-ransomware, when you said "The move is most likely intended to reduce the chances of the ransomware being blocked". I know that the anti-ransomware that I use (AppCheck Anti-Ransomware) places dummy "user type" files strategically on the hard drive (or SSD) and monitors all changes to user files. I don't know if it would find changes to system files.

raymond_tissier_3601

Don't be a fool and waste your time under the desk unplugging 50 wires, breathing the spider dust, banging your head, swearing at the damn computer, loading it in the car, getting the $200 bill, getting it home, loading your progs for the next two weeks.. Arrrrrrggggggg Don't be a fool!! PAY THE RANSOM!! LIKE ALL THE POLICE DEPARTMENTS DO AND EVERYONE ELSE WHO WANTS TO FIX THEIR SYSTEMS... THE RANSOM IS SIMPLY A COST OF LIVING... IS IT TAX DEDUCTIBLE?? FOR INDIVIDUALS?? FOR BUSINESS?? DON'T WASTE YOUR TIME.. PAY IT.

Stuart Berg

That only encourages the culprits to send more ransomware.

Better yet, use excellent free backup software (i.e. Macrium Reflect) to make a complete disk image backup to an external hard drive that is never connected to the computer (except during the backup). I make frequent backups covering the last several months of use but DON'T run out of external hard drive space because each FULL backup is followed by a dozen or so DIFFERENTIAL backups (which each use much less space). My experience with my 3 TB external hard drive is that the disk image restore only takes about 20 minutes for my 270 GB of used space on my internal drive using a USB 3 port. A 4 TB external hard drive costs as little as $65 at newegg.com.

Even though I use anti-ransomware, I'm confident that I can restore my PC to yesterday's disk image if needed.

raymond_tissier_3601

These hackers are in business, they run sheds full of people in Nigeria and we are talking 100s of thousands of "scamhacks" all over the world working to get your money.. they are actually legit businesses, they probably teach it at uni.. THE TROUBLE WITH MOST COMPANIES IS THAT THE CEOs DO UNDERSTAND COMPUTERS, THEY ARE 90% COST CUTTING ACCOUNTANT/GOLFERS, AND THEY DO NOT WANT TO PAY UP TO PROTECT YOUR DATA, BECAUSE THEY DON'T UNDERSTAND IT AND IT DIRECTLY AFFECTS THE BOTTOM LINE, THEY DON'T UNDERSTAND THAT THEY HAVE TO INVEST BIG TIME IN THEIR SOFTWARE, FROM THOSE MEANINGLESS LINES OF CODE FROM THE IDIOTS IN THE IT BASEMENT, SO THAT WE THE PUBLIC ARE PROTECTED. LOOK AT THE BOEING MAX.. THEY RISKED YOUR LIVES TO SAVE A COUPLE OF MILLION $$$ OF CODE.. AND WHAT HAS IT COST THEM? BIG $$$,$$$,$$$,$$$ OH YEAH BILLIONS AND RISING! AND LIKE I TOLD MY SON IN LAW, IF YOU ARE GOING TO FLY ON THAT MAX PLANE, THEN I WANT YOU TO UP YOUR LIFE INSURANCE TO THE MAX, $15M BECAUSE THE MAX IS NOT LIGHTNING PROOF LIKE THE OLD ALLOY SKINNED PLANES, WHERE THE LIGHTNING STRIKES WOULD DANCE SAFELY ACROSS THE WING ONE SIDE OVER THE FUSELAGE TO THE OTHER WING BEFORE LEAVING! NO, IN THE MAX LIGHTNING GOES RIGHT THRU THE WING, FUEL TANKS AND ALL.. PICK ANOTHER AIRCRAFT MY SON SO YOU AND YOUR FAMILY CAN ENJOY YOUR LIVES TOGETHER. (PS sorry 'bout the caps lock) and yes I know the MAX has, I believe, copper threads woven into the Kevlar fibers to protect from lightning.. but I've seen the lightning test results in England and the strikes go right through it!)