RANSOM is the Trend Micro detection for most ransomware. Most ransomware are known to restrict the user from fully accessing the system. It also encrypts files and demands a ransom to be paid in order to decrypt or unlock the infected machine.
Ransomware infects computers through various means. Most of ransomware come as a macro or JavaScript attachment in spammed email. Some are delivered as a link, also in spammed email. Others are delivered by exploit kits. Some others are delivered via malvertisements or compromised websites.
To prevent ransomware, users should use protection that also covers against spam and malicious links. Also, make sure to regularly create backup copies of all important files.
This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users. It may be unknowingly downloaded by a user while visiting malicious websites. It may arrive using one or multiple arrival methods.
Behaviors
- Resides in memory
- Created mutex
- Created multiple copies of a file
- Process Termination
Capabilities
- Backdoor commands
Impact
- Compromise system security - with backdoor capabilities that can execute malicious commands
Infection Routine
Click image to enlarge.
File Reputation
| Detection/Policy/Rules | Pattern Branch/Version | Release Date |
|---|---|---|
| BKDR_CLOP.A | 5.883.00 | April 7, 2009 |
| BKDR_CLOP.WA | 6.893.00 | March 4, 2010 |
| BKDR_CLOP.WC | 6.875.00 | February 25, 2010 |
| Ransom.Win32.CLOP.D | 14.831.00 | February 22, 2019 |
| Ransom.Win32.CLOP.D | 14.831.00 | February 22, 2019 |
| Ransom.Win32.CLOP.F | 14.847.00 | March 2, 2019 |
| Ransom.Win32.CLOP.F.note | 14.847.00 | March 2, 2019 |
| Ransom.Win32.CLOP.M | 15.275.00 | August 3, 2019 |
| Ransom.Win32.CLOP.THBAAAI | 14.807.00 | February 11, 2019 |
| Trojan.BAT.CLOP.A | 14.857.00 | March 7, 2019 |
| Trojan.BAT.CLOP.A.component | 14.831.00 | February 22, 2019 |
| Trojan.Win32.CLOP.A.note | 15.275.00 | August 3, 2019 |
Behavior Monitoring
| Pattern Branch/Version | Release Date |
|---|---|
| 1801 | 06/29/2018 |
Predictive Machine Learning
| Detection | Pattern Branch/Version |
|---|---|
| TROJ.WIN32.TRX.XXPE50FFF028 TROJ.WIN32.TRX.XXPE50F13006 TROJ.WIN32.TRX.XXPE50FFF029 | In-the-cloud |
Web Reputation
| Detection/Policy/Rules | Pattern Branch/Version |
|---|---|
| URL Protection | In-the-cloud |
Solution Map - What should customers do?
| Product | Latest Version | Virus Pattern | Antispam Pattern | Network Pattern | Behavior Monitoring | Predictive Machine Learning | Web Reputation |
|---|---|---|---|---|---|---|---|
| Apex One | 2019 | Update Pattern via web console | N/A | N/A | Enable Behavior Monitoring and update pattern via web console | Enable Predictive Machine Learning | Enable Web Reputation Service and update pattern via web console |
| OfficeScan | XG | ||||||
| Worry-Free Business Security | Standard (10.0) | ||||||
| Advanced (10.0) | |||||||
| Deep Security | 12.0 | Update pattern via web console | N/A | ||||
| Deep Discovery Email Inspector | 3.5 | Update pattern via web console | Update pattern via web console | N/A | N/A | ||
| InterScan Messaging Security | 9.1 | ||||||
| InterScan Web Security | 6.5 | ||||||
| ScanMail for Exchange | 14.0 | ||||||
| Deep Discovery Inspector | 5.5 | N/A |
Recommendation
Make sure to always use the latest pattern available to detect the old and new variants of CLOP malware.
- Please refer to the KB article on Recommendations on how to best protect your network using Trend Micro products.
- You may also check the article on Submitting suspicious or undetected virus for file analysis to Technical Support.
- For support assistance, please contact Trend Micro Technical Support.
Threat Report
Threat Encyclopedia: CLOP (search)
