Sage advice from Davey Winder, coming on the back of evolution in ransomware…:
[…] Windows 10 is something of a perennial favorite target amongst threat actors. The examples range from advanced persistent threat (APT) attack groups like Thallium, which Microsoft recently countered with a decisive counterpunch, through to the Snatch Team of cyber-criminals, which implemented “devious and evil” malware to bypass Windows 10 security software during attacks, as reported in December 2019.
It should, therefore, come as little surprise that the actors behind Clop would have put time and effort into adapting the malware code to target Windows processes. Ransomware will commonly attempt to disable security software; that much is a given. However, a Bleeping Computer report has now confirmed that a Clop variant reverse-engineered at the end of 2019 can terminate a total of 663 Windows processes. “It is not known why some of these processes are terminated,” Bleeping Computer editor-in-chief Abrams said, “especially ones like Calculator, Snagit, and SecureCRT, but it’s possible they want to encrypt configuration files used by some of these tools.” It’s also possible that the threat actors are merely trying to ensure that as many files as possible are closed, since a file that is still open might not be successfully encrypted.
What we can say for sure is that the Clop Windows processes closedown is unexpectedly large, with all sorts of typical applications impacted. The full list is found in researcher Vitali Kremez’s report here. When you realize that Acrobat, Calculator, Edge, PowerPoint, Skype, Word and even the new Windows 10 Your Phone app are targeted, it’s clear this is a broad brush being applied. What’s more, these are not being closed by way of a Windows batch file. Instead, Clop has embedded the closedown functionality into the malware executable itself.
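From a detection standpoint, a mass closedown like the one described above leaves a burst of process-exit events in a short time window. The following is an added example, not code from the article or from the Bleeping Computer report: a sliding-window check over constructed Sysmon Event ID 5 (Process terminated) records that flags any window in which many distinct user applications exited almost at once. The window length and threshold are assumptions to be tuned against a host's normal baseline.

```python
"""Flag bursts of process terminations of the kind a Clop-style mass
shutdown of user applications would leave in Sysmon Event ID 5 logs."""
from collections import deque
from datetime import datetime, timedelta

# Constructed sample of Sysmon Event ID 5 records as (UtcTime, Image) pairs.
# Real events carry more fields; only these two are needed for the check.
SAMPLE_EVENTS = [
    ("2019-12-20 09:00:01.000", r"C:\Windows\System32\notepad.exe"),
    ("2019-12-20 09:07:13.000", r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    ("2019-12-20 09:31:02.100", r"C:\Program Files\Microsoft Office\WINWORD.EXE"),
    ("2019-12-20 09:31:02.300", r"C:\Program Files\Microsoft Office\POWERPNT.EXE"),
    ("2019-12-20 09:31:02.400", r"C:\Program Files\Adobe\Acrobat\Acrobat.exe"),
    ("2019-12-20 09:31:02.600", r"C:\Windows\System32\calc.exe"),
    ("2019-12-20 09:31:02.900", r"C:\Program Files\Microsoft\Edge\msedge.exe"),
    ("2019-12-20 09:31:03.100", r"C:\Program Files\Microsoft Office\lync.exe"),
    ("2019-12-20 09:31:03.200", r"C:\Program Files\VanDyke\SecureCRT.exe"),
    ("2019-12-20 09:31:03.500", r"C:\Program Files\TechSmith\Snagit32.exe"),
    ("2019-12-20 09:31:03.700", r"C:\Windows\System32\notepad.exe"),
    ("2019-12-20 09:45:00.000", r"C:\Windows\explorer.exe"),
]


def find_termination_bursts(events, window_seconds=5, min_distinct=8):
    """Return one alert per burst: a dict with the burst's start and end
    timestamps and the set of distinct images that exited inside it.
    A burst is any sliding window of `window_seconds` holding at least
    `min_distinct` different program paths (compared case-insensitively)."""
    span = timedelta(seconds=window_seconds)
    parsed = sorted((datetime.strptime(t, "%Y-%m-%d %H:%M:%S.%f"), img)
                    for t, img in events)
    window, alerts = deque(), []
    for ts, image in parsed:
        window.append((ts, image))
        while ts - window[0][0] > span:      # drop events older than the window
            window.popleft()
        distinct = {img.lower() for _, img in window}
        if len(distinct) < min_distinct:
            continue
        if alerts and ts - alerts[-1]["end"] <= span:   # still the same burst
            alerts[-1]["end"] = ts
            alerts[-1]["images"] |= distinct
        else:
            alerts.append({"start": window[0][0], "end": ts, "images": set(distinct)})
    return alerts


if __name__ == "__main__":
    for alert in find_termination_bursts(SAMPLE_EVENTS):
        print(f"{alert['start']} .. {alert['end']}: "
              f"{len(alert['images'])} distinct programs exited")
```

On the constructed sample, the scattered notepad, Firefox and Explorer exits are ignored and the nine applications that exit within two seconds produce a single alert.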
How to mitigate the Clop ransomware risk
As with all ransomware threats, the best mitigation is to be prepared. That means being cyber aware: understanding how malware is distributed helps users to spot the kind of emails and attachments that are dangerous and take appropriate action. Ensuring that systems and applications are patched with the latest security updates is also best practice; vulnerabilities in browsers, for example, are often exploited by threat actors to install ransomware. Beyond user education and proper patch management, the application of controlled folder access is also recommended to prevent ransomware from successfully executing its encryption intentions. Any ransomware mitigation advice would be lacking were it not to mention that the three-two-one rule of backups should also be in place. That means that backing up your files regularly isn’t optional, folks, and those backups should ideally be onto two different types of storage media and one “offsite” location.