Clop Ransomware
News | 01/06/2020

Clop Ransomware Kills Windows Processes Before Encrypting Files

About: The infamous Clop Ransomware has returned with the capability of terminating 663 Windows processes before encrypting the files on a targeted system. Let us take a closer look at the behaviour of this ever-evolving crypto-virus.


The infamous Clop Ransomware has made a major comeback to the cyber-world. This new Clop strain carries a newly integrated process killer that is capable of targeting processes associated with Windows 10 applications, text editors, programming languages & Microsoft Office applications.

Clop Kills Windows Processes

Cyber-security researchers have found the latest Clop Ransomware variant attempting to stop & remove antivirus solutions & other native security tools from the impacted Windows machines. It terminates 663 vital Windows processes before encrypting the files & appending its malicious .clop extension to them.

Victims from around the world are looking for Clop Ransomware removal instructions & ways to prevent it from attacking their systems again.

Here’s what cyber-security analysts know about Clop so far.

Brief History of Clop Ransomware

Clop Ransomware made its first appearance in the cyber-world on 10th February 2019. It appeared to be an ordinary Cryptomix Ransomware variant that showed all the prominent features of Cryptomix. It targeted images, audio files, video files, text files & databases and encrypted them with a complex encryption algorithm. The encrypted files were appended with the .clop extension & made inaccessible to users.

Clop - Targeted Files

However, cyber-security analysts observed a sudden change in Clop Ransomware behaviour in March 2019. It was seen disabling services for various applications including BackupExec, MySQL, Microsoft SQL Server & Microsoft Exchange. It began to target entire networks rather than infecting individual Windows machines.

The March 2019 Clop attacks confirmed that it was being deployed by a group of hackers known as TA505 as the final payload once a network had been compromised. Other crypto-viruses prevalent at the time were Ryuk Ransomware, BitPaymer & DoppelPaymer.

The adoption of Clop by the TA505 hacker group paved the way for its further development: they customized Clop to perform network-wide encryption.

Clop Tried Disabling Windows Defender & other Antivirus Solutions

November 2019 saw the appearance of a new variant of the devious Clop Ransomware. This variant attempted to disable Windows Defender & remove Microsoft Security Essentials and a range of antivirus programs so as to avoid detection by future security updates.

It would employ a small program & configure various Registry values to render security tools & Windows Defender inoperative before encrypting the files on the infected Windows machine. It would disable Tamper Protection, cloud detections & real-time protection.

Russian-speaking hacker group TA505 was suspected to be the threat actor behind the attacks.

The most recent Clop attack was reported last month at Maastricht University in the Netherlands.

Clop Attacks Till date

The Brand New Clop Strain Terminates 663 Vital Windows Processes

A brand-new Clop variant was discovered by a team of cyber-security analysts in late December 2019. It is capable of terminating 663 Windows processes before it encrypts files.

While it is common for ransomware programs to terminate vital processes, Clop Ransomware disables security software because it could hinder the encryption process.

And now, Clop has taken this a step further: it terminates a total of 663 Windows processes on the infected PC before proceeding with encryption of the targeted files.

These processes include new Windows 10 Applications, popular Text Editors, debuggers & programming languages.

Other processes that the new Clop variant is capable of terminating include:

  • Android Debug Bridge
  • Notepad++
  • Everything
  • Tomcat
  • Visual Studio
  • Microsoft Office Applications
  • Programming Languages such as Python & Ruby
  • The Windows Calculator

While the reason for terminating processes such as Calculator & Snagit is still unknown, it is suspected that the attackers intended to encrypt the configuration files held open by these processes.
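The two behaviours described on this page, the Registry changes that switch off Windows Defender and the burst of process terminations that precedes the renaming of files to the .clop extension, are both visible in endpoint telemetry. The following detection heuristics are an added example written for this article, not code from the original page or from any vendor. It runs over a small set of constructed, Sysmon-style event records embedded in the block (the path C:\Users\Public\svc.exe, the timestamps and the file names are invented); the Defender policy value names it watches for (DisableAntiSpyware, DisableRealtimeMonitoring and the two others in the set) are real Windows Defender policy values, but the page itself does not name the values Clop sets, so treat that list as an assumption.

```python
"""Detection heuristics for the Clop behaviours described on this page:
Registry writes that disable Windows Defender, a burst of process
terminations by one program, and files renamed to a .clop extension.
All events below are constructed for this example; they are not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, Sysmon-like records: "<ISO timestamp> <event type> <actor image> <detail>"
SAMPLE_EVENTS = r"""
2020-01-06T10:00:01 RegistrySet C:\Users\Public\svc.exe HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware=1
2020-01-06T10:00:02 RegistrySet C:\Users\Public\svc.exe HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring=1
2020-01-06T10:00:05 ProcessTerminate C:\Users\Public\svc.exe notepad++.exe
2020-01-06T10:00:05 ProcessTerminate C:\Users\Public\svc.exe adb.exe
2020-01-06T10:00:06 ProcessTerminate C:\Users\Public\svc.exe everything.exe
2020-01-06T10:00:06 ProcessTerminate C:\Users\Public\svc.exe tomcat9.exe
2020-01-06T10:00:07 ProcessTerminate C:\Users\Public\svc.exe devenv.exe
2020-01-06T10:00:07 ProcessTerminate C:\Users\Public\svc.exe winword.exe
2020-01-06T10:00:08 ProcessTerminate C:\Users\Public\svc.exe python.exe
2020-01-06T10:00:08 ProcessTerminate C:\Users\Public\svc.exe calc.exe
2020-01-06T10:00:30 FileRename C:\Users\Public\svc.exe C:\Data\report.docx -> C:\Data\report.docx.Clop
2020-01-06T10:00:31 FileRename C:\Users\Public\svc.exe C:\Data\photo.jpg -> C:\Data\photo.jpg.Clop
2020-01-06T11:00:00 ProcessTerminate C:\Windows\explorer.exe calc.exe
2020-01-06T11:05:00 ProcessTerminate C:\Windows\explorer.exe notepad++.exe
2020-01-06T11:06:00 RegistrySet C:\Windows\regedit.exe HKCU\Software\Contoso\Setting=1
2020-01-06T11:07:00 FileRename C:\Windows\explorer.exe C:\Data\notes.txt -> C:\Data\notes_v2.txt
"""

# Real Windows Defender policy value names whose setting of "1" switches
# protection off. The page does not list the values Clop touches; this set is an assumption.
DEFENDER_KILL_SWITCHES = {"DisableAntiSpyware", "DisableRealtimeMonitoring",
                          "DisableBehaviorMonitoring", "DisableIOAVProtection"}


def parse_events(text):
    """Parse the constructed records into dicts; blank lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, actor, detail = line.split(maxsplit=3)
        events.append({"time": datetime.fromisoformat(ts), "kind": kind,
                       "actor": actor, "detail": detail})
    return events


def defender_tampering(events):
    """Return (actor, value name) pairs for Registry writes that disable Defender."""
    hits = []
    for e in events:
        if e["kind"] != "RegistrySet":
            continue
        path, _, data = e["detail"].rpartition("=")
        value_name = path.rsplit("\\", 1)[-1]
        if "\\Windows Defender\\" in path and value_name in DEFENDER_KILL_SWITCHES and data == "1":
            hits.append((e["actor"], value_name))
    return hits


def mass_terminations(events, threshold=5, window=timedelta(seconds=60)):
    """Actors that killed at least `threshold` distinct processes inside one `window`."""
    kills = defaultdict(list)
    for e in events:
        if e["kind"] == "ProcessTerminate":
            kills[e["actor"]].append((e["time"], e["detail"].lower()))
    flagged = {}
    for actor, items in kills.items():
        items.sort()
        best = 0
        for i, (start, _) in enumerate(items):
            # distinct targets terminated within `window` of this kill
            targets = {name for t, name in items[i:] if t - start <= window}
            best = max(best, len(targets))
        if best >= threshold:
            flagged[actor] = best
    return flagged


def clop_renames(events):
    """Count, per actor, renames whose new name ends in .clop (case-insensitive)."""
    counts = defaultdict(int)
    for e in events:
        if e["kind"] == "FileRename":
            _, _, new_name = e["detail"].partition(" -> ")
            if new_name.lower().endswith(".clop"):
                counts[e["actor"]] += 1
    return dict(counts)


def suspicious_actors(events):
    """Map each actor to the list of heuristics it triggered, in evaluation order."""
    triggered = defaultdict(list)
    for actor, _ in defender_tampering(events):
        if "defender_tampering" not in triggered[actor]:
            triggered[actor].append("defender_tampering")
    for actor in mass_terminations(events):
        triggered[actor].append("mass_terminations")
    for actor in clop_renames(events):
        triggered[actor].append("clop_renames")
    return dict(triggered)


if __name__ == "__main__":
    for actor, reasons in suspicious_actors(parse_events(SAMPLE_EVENTS)).items():
        print(actor, "->", ", ".join(reasons))
```

The three heuristics are kept separate on purpose: a Registry write to the Defender policy key is worth an alert on its own, whereas a handful of process terminations by explorer.exe over several minutes is normal user activity and stays below the windowed threshold. Only the constructed svc.exe actor trips all three, which is the pattern this article describes.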

Besides the introduction of a new process killer feature, this Clop Ransomware variant also utilizes a new .Clop extension, rather than the extensions used in its previous versions.

Though Clop is infecting organizations & generating enormous illicit revenue, it is also expected to receive further development as the hackers behind it continuously evolve their strategies.
