Security researcher Vitali Kremez discovered a new malware dubbed Clop ransomware that targets Windows systems and attempts to disable security products running on the infected systems.
The malicious code executes a small program, just before starting the encryption process, to disable security tools running on the infected systems that could detect its operations.
The malicious code also attempted to disable the Windows Defender by configuring the registry values associated with this defense feature.
“In order to successfully encrypt a victim’s data, the Clop CryptoMix Ransomware is now attempting to disable Windows Defender as well as remove the Microsoft Security Essentials and Malwarebytes’ standalone Anti-Ransomware programs.” reads the post published by BleepingComputer.
“Clop is a variant of the CryptoMix Ransomware, that uses the Clop extension and signs its CIopReadMe.txt ransom note with “Dont Worry C|0P”. Due to this, the ransomware has become known as Clop Ransomware”
Clop is a variant of the CryptoMix ransomware, Kremez noticed that it also attempts to disable Malwarebytes’ standalone Anti-Rasomware product.
In machines with Tamper Protection enabled in Windows 10, the registry values will be reset back to their default configuration, and Windows Defender will be enabled again.
The malicious code also targets older computers by uninstalling Microsoft Security Essentials.
Experts noticed that the TA505 cybercrime group has been using the CryptoMix ransomware after compromising a network in similar attacks as Ryuk, BitPaymer, and DoppelPaymer.
According to the experts, the Clop ransomware was involved in a series of recent attacks includes the ones that hit the Hospital Center University De Rouen and the University of Antwerp in Belgium.
“According to an internal source contacted by 76actu , many files (Excel, Word, .doc …) are well and truly locked by hackers. These are encrypted under the suffix .clop, and spontaneously generate a text message that we could consult.” reported BleepingComputer.
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – ransomware, hacking)
[adrotate banner=”5″]
[adrotate banner=”13″]
Nation-state actor UAT4356 has been exploiting two zero-days in ASA and FTD firewalls since November…
A malware campaign has been exploiting the updating mechanism of the eScan antivirus to distribute…
The Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned four Iranian nationals for their…
A cyber attack on Leicester City Council resulted in certain street lights remaining illuminated all…
The National Police Agency in South Korea warns that North Korea-linked threat actors are targeting…
The U.S. Department of State imposed visa restrictions on 13 individuals allegedly linked to the…
This website uses cookies.