Skip to main content

Clop ransomware looks to target Windows 10 apps

(Image credit: Shutterstock)

A new variant of the Clop ransomware which targets Windows 10 apps such as text editors and office applications as well as other processes has been discovered in the wild.

When the Clop ransomware first appeared in February of 2019, it was just a CryptoMix ransomware variant that had many features seen in other types of malware. However, in March, the ransomware changed suddenly and began disabling services for Microsoft Exchange, Microsoft SQL Server, MYSQL and other enterprise software.

The ransom note left by Clop also changed to indicate that the attackers behind it had begun to target entire networks as opposed to individual machines. At that time, it was also determined that the threat actor group called TA500 had adopted the Clop ransomware as its preferred final payload after compromising a network.

Then only a few months ago in November, a new variant of the ransomware was released that tried to disable Windows Defender from running on local machines so that it could remain undetected after future signature updates.

Clop ransomware evolved

The latest evolution of the Clop ransomware was discovered in December of last year by MalwareHunterTeam and reverse engineered by ethical hacker Vitali Kremez.

The ransomware now sports an improved process termination feature that terminates 663 Windows processes before encrypting files. Cybercriminals often have their ransomware terminate processes before encrypting files in an effort to disable security software but the latest variant of Clop takes things a step further.

The Clop ransomware now terminates even more processes including new Windows 10 apps, popular text editors, debuggers, programming languages, terminal programs and programming IDE software. Other processes that are terminated include Microsoft Office Applications, the Windows calculator, Notepad++ and even the new Windows 10 Your Phone app. For those interested in learning more, a full list of the terminated processes is available in Kremez's GitHub repository.

Now that Clop has begun to successfully target enterprises' entire networks, expect its development to continue with new variants better designed to bypass user's security software.

Via BleepingComputer