Since CLOP ransomware first emerged, the number of attacks in which it has been deployed has risen steadily, with a sharp increase in October 2020.
Since that spike in CLOP deployments there have been many incidents at large organizations accompanied by huge ransom demands; in one attack on Software AG, the ransom demand was $20m.
Like many other ransomware groups, the CLOP ransomware gang steals data before encrypting files. If victims have a valid backup and try to recover their encrypted files without paying the ransom, the group releases the stolen data on the dark web, making it available to other hacking operations. The media are alerted to the data dumps, and the resulting coverage can cause businesses serious reputational harm. In recent months, many class action lawsuits have been reported following ransomware attacks in which stolen data was leaked over the Internet.
CLOP ransomware is believed to be operated by a ransomware group called FIN11, an offshoot of the prolific Russian cybercriminal group TA505. FIN11 has targeted many different sectors, although recently it has concentrated on production, healthcare and retail. When businesses in these sectors are attacked, the losses from downtime can be significant, which increases the chances of victims paying the ransom.
Many ransomware groups have exploited flaws in Remote Desktop Protocol, VPN solutions, and weaknesses in software and operating systems to obtain the access they need to internal networks to deploy ransomware. However, the initial attack vector in CLOP ransomware attacks (and in many other ransomware strains) is spam email. Large-scale spam campaigns are carried out, often targeting particular industry sectors or geographical locations. These are called “spray and pray” campaigns: the aim is to gain access to as many networks as possible, after which the ransomware gang selects which businesses are worth attacking with ransomware.
Once CLOP ransomware is downloaded, detection can be tricky, as the threat group has programmed the ransomware to turn off antivirus software such as Microsoft Security Essentials and Windows Defender. The key to preventing attacks is to stop the initial infection, which means stopping the spam emails from reaching inboxes where staff can open them.
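The antivirus-disabling step described above leaves a trace defenders can alert on. The script below is an added example, not code from the original post or from TitanHQ: it scans constructed Defender event-log records for the real Microsoft Defender Antivirus event IDs 5001, 5010 and 5012 (protection switched off) and escalates the alert when such an event follows a malware detection (event ID 1116) on the same host shortly beforehand. The record field names and sample values are assumptions made for this example.

```python
from datetime import datetime

# Microsoft Defender Antivirus operational-log event IDs that mean protection
# was switched off, plus the ID Defender logs when it detects malware.
PROTECTION_DISABLED = {
    5001: "real-time protection disabled",
    5010: "antimalware scanning disabled",
    5012: "antivirus scanning disabled",
}
MALWARE_DETECTED = 1116

# Constructed sample events for this example, not real telemetry. Field names
# (ts, host, event_id, user) are this example's own, not Windows' schema.
SAMPLE_EVENTS = [
    {"ts": "2020-10-14T09:12:03", "host": "ws-17", "event_id": 1116, "user": "jdoe"},
    {"ts": "2020-10-14T09:12:40", "host": "ws-17", "event_id": 5001, "user": "jdoe"},
    {"ts": "2020-10-14T09:12:41", "host": "ws-17", "event_id": 5010, "user": "jdoe"},
    {"ts": "2020-10-14T11:00:00", "host": "ws-22", "event_id": 5001, "user": "it-admin"},
]


def find_av_tampering(events, window_seconds=300):
    """Return one alert per host on which Defender protection was disabled.

    Severity is raised to "high" when the disable event follows a malware
    detection on the same host within window_seconds: a blocked payload and
    then the antivirus going off is the pattern to worry about, whereas a
    lone disable event may simply be an administrator's planned change.
    """
    alerts = {}
    last_detection = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, eid = ev["host"], ev["event_id"]
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
        if eid == MALWARE_DETECTED:
            last_detection[host] = ts
            continue
        if eid not in PROTECTION_DISABLED:
            continue
        alert = alerts.setdefault(
            host, {"host": host, "user": ev["user"], "disabled": [], "severity": "medium"}
        )
        alert["disabled"].append(PROTECTION_DISABLED[eid])
        seen = last_detection.get(host)
        if seen is not None and (ts - seen).total_seconds() <= window_seconds:
            alert["severity"] = "high"
    return list(alerts.values())


if __name__ == "__main__":
    for alert in find_av_tampering(SAMPLE_EVENTS):
        print(alert)
```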
Preventing these attacks requires an advanced spam filtering solution with robust antivirus protection. SpamTitan, for example, uses dual antivirus engines to catch known malware strains and sandboxing to identify dangerous files, including previously unknown malware, ransomware, and malicious scripts. Machine learning is also used to spot new threats in real time.
The spam emails used in these campaigns try to steal credentials such as Office 365 usernames and passwords, or trick users into installing malware downloaders. Additional protection against this phase of the attack can be provided by a web filter such as WebTitan. WebTitan blocks the phishing component of these attacks by preventing employees from accessing the malicious URLs, and also prevents malware downloads from the Internet.
Employee training is also crucial to help staff recognize phishing emails, and multi-factor authentication should be enabled to prevent stolen credentials from being used to access email accounts and cloud apps.
If you want to enhance your security measures against ransomware, malware and phishing campaigns, call the TitanHQ team now for a free trial of SpamTitan and WebTitan.