TitanHQ Blog

CLOP Ransomware and a Triple-Whammy Attack

Posted by Geraldine Hunt on Thu, Feb 11th, 2021

CLOP Ransomware attacks can cause serious damage to any organization. Discover what can happen when you don’t protect your organization from such attacks.

Productivity is a vital part of ensuring that operations and business run smoothly. If a business stalls, the company is left vulnerable. A recent cyber-attack involving CLOP ransomware caused the major German manufacturer Symrise to halt operations. The attack on Symrise's IT systems resulted in the theft of 500 GB of unencrypted files, and around 1,000 devices were encrypted and rendered unusable.

2020 saw a surge in ransomware attacks, including the CLOP variant; in Q3 of last year, ransomware attacks were up 40%. Ransomware costs are spiraling and the impact on business operations is painful. Software AG, a recent victim of CLOP ransomware, reportedly faced a demand of $20 million.

Ransomware is an insidious and dangerous class of malware. Firms must worry about the ransom, the impact on productivity from the subsequent downtime, and, in the case of CLOP, the theft of corporate and customer data.

CLOP or CL0P Ransomware, The Facts

CLOP is associated with the well-known threat actor group FIN11, part of the larger TA505 group. They are a prolific cyber-threat group, with recent attacks on manufacturing, healthcare, and retail. Last year, the gang targeted the South Korean retailer E-Land, with the result that 23 of its stores had to close while the company dealt with the infection. The company published a public statement noting the damage the ransomware had caused to its IT network. CLOP is a type of ransomware that knows no bounds: the malware threatens networks and data, encrypting files and stealing information for later use.

Some Facts About CLOP

Why is the Ransomware Named CLOP? CLOP, spelled with an O or a zero (0), is so named because it appends the .Clop extension to encrypted files (for example, xxx.Clop) so that they can be identified. Infection also generates a text file named "ClopReadMe.txt".

How is Clop Transmitted? The mode of transmission of CLOP ransomware is usually via spam emails, trojans, and fake software updates.

The Ransom Note: On infection by CLOP ransomware, affected files are encrypted. The ClopReadMe.txt ransom note states that “files on each host on the network have been encrypted with a strong algorithm”. It goes on to warn that “backups were either encrypted or deleted or backup disks were formatted”. The message also offers the reader a decryption key in return for responding to an email address given in the note.

Double-extortion: CLOP uses the ‘double-extortion’ technique, in which data is stolen before it is encrypted on company network drives. This gives the cybercriminal(s) two levers for extortion: the victim pays for a decryption key, and pays again so that the stolen data is not exposed. If the organization refuses to pay, the cybercriminals post the stolen files to their leak website, “CL0P^_- LEAKS”.

Spray and Pay: Researchers have identified a tactic known as ‘spray and pay’ used by the group. It is based on the mass mailout of spam emails; the phishers then choose which network to target based on the results of the phishing campaign. The researchers found that the choice of target was based on “sector, geolocation or perceived security posture”.

Detecting CLOP: CLOP is designed to evade detection. Newer versions of CLOP ransomware attempt to disable and remove locally installed anti-virus software, including Windows Defender and Microsoft Security Essentials.
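Because CLOP tampers with endpoint anti-virus, a responder cannot rely on the AV console alone to confirm whether a host or file share has been hit. The two file-system indicators the post names (the .Clop extension on encrypted files and the dropped ClopReadMe.txt note) are cheap to check from the outside. The script below is an added example, not code from TitanHQ or from any CLOP analysis: it walks a directory tree, collects both indicators, and turns the counts into a simple triage verdict. The case-insensitive matching, the verdict labels, and the constructed sample tree are all assumptions made for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the post: encrypted files carry the .Clop extension and a
# ransom note named ClopReadMe.txt is dropped alongside them. Matching is done
# case-insensitively (an assumption, since the name also appears as CL0P/Clop).
ENCRYPTED_EXTENSION = ".clop"
RANSOM_NOTE_NAME = "clopreadme.txt"


def scan_for_clop_indicators(root):
    """Walk `root` and return the encrypted files and ransom notes found."""
    encrypted, notes = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            lower = name.lower()
            path = os.path.join(dirpath, name)
            if lower.endswith(ENCRYPTED_EXTENSION):
                encrypted.append(path)
            elif lower == RANSOM_NOTE_NAME:
                notes.append(path)
    return {"encrypted_files": sorted(encrypted), "ransom_notes": sorted(notes)}


def assess(findings):
    """Turn raw findings into a triage verdict (labels are an assumption)."""
    n_encrypted = len(findings["encrypted_files"])
    n_notes = len(findings["ransom_notes"])
    if n_encrypted == 0 and n_notes == 0:
        return "clean"
    if n_encrypted > 0 and n_notes > 0:
        # Both indicators together match the infection pattern described in the post.
        return "active-clop-infection"
    # One indicator alone still deserves a look, e.g. a note copied for analysis
    # or a stray renamed file.
    return "suspicious"


def build_sample_tree():
    """Create a constructed directory mimicking a partially encrypted file share."""
    root = tempfile.mkdtemp(prefix="clop_demo_")
    (Path(root) / "finance").mkdir()
    (Path(root) / "finance" / "q3-report.xlsx.Clop").write_bytes(b"\x00" * 16)
    (Path(root) / "finance" / "ClopReadMe.txt").write_text(
        "Your files have been encrypted (constructed sample note)"
    )
    (Path(root) / "hr").mkdir()
    (Path(root) / "hr" / "handbook.pdf").write_bytes(b"%PDF-1.4 constructed")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    result = scan_for_clop_indicators(sample_root)
    print(result)
    print("verdict:", assess(result))
```

Pointing `scan_for_clop_indicators` at a mounted share from a clean analysis host avoids trusting any tooling on the suspect machine, which is the point when the ransomware has already disabled local defences. Treat the verdict as a prompt to isolate the host and pull backups offline, not as proof that nothing else on the share has been touched.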

STOP CLOP Ransomware Infection

CLOP ransomware is cleverly designed to evade detection by commonly used endpoint-installed anti-virus software. However, its mode of infection is like that of many other malware attacks: mass phishing email campaigns are a common vector for ransomware. The following measures help mitigate against infection by CLOP ransomware:

  • Use multi-factor authentication (2FA/MFA) to control access to local and cloud apps.
  • Train all staff to recognize the typical signs of a phishing email.
  • CLOP can circumvent local anti-virus tools. Augment these tools using a Web Content Filtering platform. This stops an employee from opening phishing websites used to infect the network with CLOP ransomware.
  • Stop CLOP at source by using an email protection service to stop spam emails before they hit employee devices. Certain best-of-breed email protection systems will proactively protect Office365 email, performing an anti-virus check on any incoming emails.
  • Use a monitoring system designed for malicious threats like CLOP ransomware. These systems leverage smart technologies such as machine learning to detect threats in real-time. Unlike traditional anti-virus software, smart monitoring platforms perform real-time updates and protect against active and emerging phishing URLs.

Researchers have attributed the increase in CLOP ransomware and other malware attacks to the remote working phenomenon caused by the pandemic. Remote working has challenged IT and security departments, making it harder to manage and secure the devices used by a remote workforce, especially personal devices. As ransomware developers continue to innovate to evade detection, a more intelligent approach is needed to contain phishing attacks and the malware infections that follow. By making proactive security decisions on how to mitigate against ransomware attacks like CLOP, you can ensure your organization is protected against ransom by a triple-whammy attack.

How can you protect your organization against CLOP Ransomware? The use of an advanced web security solution such as WebTitan will help protect your organization against all ransomware attacks. Discover how to protect your organization from ransomware with WebTitan today. Start a 30-day free trial today.
