This ransomware strain is trying to disable Windows Defender and Malwarebytes
This is Clop CryptoMix, a ransomware variant of the CryptoMix family that has been spreading worldwide in recent months. To encrypt the victim's data successfully, Clop CryptoMix now attempts to disable Windows Defender and to uninstall Microsoft Security Essentials and the standalone Malwarebytes Anti-Ransomware program.
Clop CryptoMix is a variant of CryptoMix ransomware that uses the .Clop extension and drops a ransom note named CIopReadMe.txt (signature: "Dont Worry C | 0P"). It is commonly referred to simply as Clop.
Attempts to disable Windows Defender
According to analysis by security researcher Vitali Kremez, Clop has added the ability to silently execute a technique that disables several types of security software, including Windows Defender and some Malwarebytes products, before it encrypts the victim's data.
This is essentially a way to defeat behavior-based detection of file encryption and to stop security software from blocking the ransomware.
To disable Windows Defender, Clop sets various Registry values that turn off behavior monitoring, real-time protection, sample submission to Microsoft, Tamper Protection, cloud-delivered protection and the program's anti-spyware detection.
The good news is that if Tamper Protection is turned on in Windows 10, these settings are reset to their defaults and Windows Defender keeps working normally; if it is turned off, the changes take effect and Windows Defender is disabled.
Besides Windows Defender, Clop also targets older computers by uninstalling Microsoft Security Essentials. Because the attackers run CryptoMix with administrator privileges, it can remove the software completely without any obstacle.
Attempts to uninstall Malwarebytes Anti-Ransomware
The MalwareHunterTeam research group has found that, besides Windows Defender, Clop also targets the standalone Malwarebytes Anti-Ransomware program.
When executed, the malicious code attempts to remove Malwarebytes Anti-Ransomware with the following command:
"C:\Program Files\MalwareBytes\Anti-Ransomware\unins000.exe" /verysilent /suppressmsgboxes /norestart
CryptoMix is usually deployed through Remote Desktop or after the attackers have already penetrated the network, so targeting products that older enterprise workstations may still be running lets the ransomware encrypt the whole network without obstruction.
Neither Microsoft nor Malwarebytes have commented on the findings.
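The following audit script is an added example, not code from the article or from any of the researchers it cites. It checks a Windows 10 host for the Defender policy values the article says Clop tampers with, reports whether Tamper Protection is keeping the engine alive, and looks for the Malwarebytes Anti-Ransomware uninstall command in process-creation events. The registry value names and cmdlets are taken from Microsoft's Defender documentation, the uninstaller path is the one quoted above, and the script assumes an elevated session with the Defender PowerShell module present.

```powershell
# Added example (not from the article): audit a host for the Defender policy
# tampering described above. Value names are the documented Defender policy
# values; run elevated. On a non-GPO machine none of these values should exist.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$checks = @(
    @{ Path = $policyRoot;                        Name = 'DisableAntiSpyware';        Disables = 'anti-spyware engine (1)' },
    @{ Path = "$policyRoot\Real-Time Protection"; Name = 'DisableRealtimeMonitoring'; Disables = 'real-time protection (1)' },
    @{ Path = "$policyRoot\Real-Time Protection"; Name = 'DisableBehaviorMonitoring'; Disables = 'behavior monitoring (1)' },
    @{ Path = "$policyRoot\Real-Time Protection"; Name = 'DisableOnAccessProtection'; Disables = 'on-access scanning (1)' },
    @{ Path = "$policyRoot\Spynet";               Name = 'SpynetReporting';           Disables = 'cloud-delivered protection (0)' },
    @{ Path = "$policyRoot\Spynet";               Name = 'SubmitSamplesConsent';      Disables = 'sample submission (2 = never send)' }
)
function Get-DefenderPolicyTampering {
    # Report every policy value that is present, with its current data.
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            [pscustomobject]@{
                Setting = "$($c.Path)\$($c.Name)"
                Value   = $item.($c.Name)
                Effect  = $c.Disables
            }
        }
    }
}
function Get-DefenderLiveState {
    # Live engine state. With Tamper Protection on, the policy values above
    # are ignored and these should all still report True.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        TamperProtected    = $s.IsTamperProtected
        RealTimeProtection = $s.RealTimeProtectionEnabled
        BehaviorMonitoring = $s.BehaviorMonitorEnabled
        AntispywareEnabled = $s.AntispywareEnabled
    }
}
function Find-MbarUninstallEvents {
    # Needs process-creation auditing with command-line logging (event 4688).
    # Matches the silent uninstall of the Malwarebytes Anti-Ransomware product.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Anti-Ransomware\\unins000\.exe' -and $_.Message -match '/verysilent' } |
        Select-Object TimeCreated, @{ n = 'CommandLine'; e = { ($_.Message -split "`n" | Select-String 'Process Command Line').ToString().Trim() } }
}
Get-DefenderPolicyTampering | Format-Table -AutoSize
Get-DefenderLiveState
Find-MbarUninstallEvents | Format-Table -AutoSize
```

Any row returned by the first function on a machine that is not managed through Group Policy, or a False in the second function while Tamper Protection is off, is a signal worth triaging immediately.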