Clop Ransomware attempts to disable Windows Defender and Malwarebytes

December 2, 2019  By Pierluigi Paganini


Experts discovered a new malware dubbed Clop ransomware that attempts to remove Malwarebytes and other security products.

Security researcher Vitali Kremez discovered a new malware dubbed Clop ransomware that targets Windows systems and attempts to disable security products running on the infected systems.

The malicious code executes a small program, just before starting the encryption process, to disable security tools running on the infected systems that could detect its operations.

The malicious code also attempted to disable the Windows Defender by configuring the registry values associated with this defense feature.

“In order to successfully encrypt a victim’s data, the Clop CryptoMix Ransomware is now attempting to disable Windows Defender as well as remove the Microsoft Security Essentials and Malwarebytes’ standalone Anti-Ransomware programs.” reads the post published by BleepingComputer.

“Clop is a variant of the CryptoMix Ransomware, that uses the Clop extension and signs its CIopReadMe.txt ransom note with “Dont Worry C|0P”.  Due to this, the ransomware has become known as Clop Ransomware”

Clop is a variant of the CryptoMix ransomware, Kremez noticed that it also attempts to disable Malwarebytes’ standalone Anti-Rasomware product.

clop ransomware

In machines with Tamper Protection enabled in Windows 10, the registry values will be reset back to their default configuration, and Windows Defender will be enabled again.

The malicious code also targets older computers by uninstalling Microsoft Security Essentials.

Experts noticed that the TA505 cybercrime group has been using the CryptoMix ransomware after compromising a network in similar attacks as Ryuk, BitPaymer, and DoppelPaymer.

According to the experts, the Clop ransomware was involved in a series of recent attacks includes the ones that hit the Hospital Center University De Rouen and the University of Antwerp in Belgium.

“According to an internal source contacted by 76actu , many files (Excel, Word, .doc) are well and truly locked by hackers. These are encrypted under the suffix .clop, and spontaneously generate a text message that we could consult.” reported BleepingComputer.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – ransomware, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like





  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

TrueDialog database leaked online tens of millions of SMS text messages

 Millions of SMS messages have been leaked by a database run by TrueDialog, a business SMS provider for businesses and higher...