Clop Ransomware attempts to disable Windows Defender and Malwarebytes

Experts discovered a new malware dubbed Clop ransomware that attempts to remove Malwarebytes and other security products.

Security researcher Vitali Kremez discovered a new malware dubbed Clop ransomware that targets Windows systems and attempts to disable security products running on the infected systems.

The malicious code executes a small program, just before starting the encryption process, to disable security tools running on the infected systems that could detect its operations.

The malicious code also attempted to disable the Windows Defender by configuring the registry values associated with this defense feature.

“In order to successfully encrypt a victim’s data, the Clop CryptoMix Ransomware is now attempting to disable Windows Defender as well as remove the Microsoft Security Essentials and Malwarebytes’ standalone Anti-Ransomware programs.” reads the post published by BleepingComputer.

“Clop is a variant of the CryptoMix Ransomware, that uses the Clop extension and signs its CIopReadMe.txt ransom note with “Dont Worry C|0P”.  Due to this, the ransomware has become known as Clop Ransomware”

Clop is a variant of the CryptoMix ransomware, Kremez noticed that it also attempts to disable Malwarebytes’ standalone Anti-Rasomware product.

In machines with Tamper Protection enabled in Windows 10, the registry values will be reset back to their default configuration, and Windows Defender will be enabled again.

The malicious code also targets older computers by uninstalling Microsoft Security Essentials.

Experts noticed that the TA505 cybercrime group has been using the CryptoMix ransomware after compromising a network in similar attacks as Ryuk, BitPaymer, and DoppelPaymer.

According to the experts, the Clop ransomware was involved in a series of recent attacks includes the ones that hit the Hospital Center University De Rouen and the University of Antwerp in Belgium.

“According to an internal source contacted by 76actu , many files (Excel, Word, .doc …) are well and truly locked by hackers. These are encrypted under the suffix .clop, and spontaneously generate a text message that we could consult.” reported BleepingComputer.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – ransomware, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]