This ransomware strain is trying to disable Windows Defender and Malwarebytes
That is Clop CryptoMix.
That is Clop CryptoMix - a type of ransom malicious code belonging to CryptoMix strain which has been raining all over the world in recent months. To successfully encrypt the victim's data, Clop CryptoMix is currently trying to disable Windows Defender as well as remove the standalone Anti-Ransomware programs of Microsoft Security Essentials and Malwarebytes.
Basically, Clop CryptoMix is a variant of CryptoMix Ransomware, uses the .Clop extension and owns a ransom note called CIopReadMe.txt (signature: "Dont Worry C | 0P"). You could call this ransom malicious code Clop.
Try to disable Windows Defender
According to analysis done by renowned security researcher Vitali Kremez, Clop has added the ability to silently execute a special technique, allowing it to disable many types of security software before code. Data of victims, including Windows Defender and some security software of Malwarebytes.
This is essentially a technique that helps combat file encryption detection behavior algorithms as well as blocking security software ransomware.
To disable Windows Defender, Clop will configure various Registry values to disable behavior monitoring, real-time protection, malicious code uploads to Microsoft, Tamper Protection, cloud security and detect anti-spyware software . of this program.
The good news is that if you have Tamper Protection turned on in Windows 10, these settings will be reset to their default settings and Windows Defender will still function normally without being disabled, and vice versa.
In addition to Windows Defender, Clop is also targeting older computers by uninstalling Microsoft Security Essentials. The fact that CryptoMix is run by admin privileges from the attackers, so it is possible to completely remove the software without any problems.
Try to uninstall Malwarebytes Anti-Ransomware
Security team MalwareHunterteam has discovered that besides Windows Defender, Clop is similarly targeting the standalone Malwarebytes Anti-Ransomware program.
When executed, the malicious code will attempt to disable Malwarebytes Anti-Ransomware programs with the following command:
C: Program FilesMalwareBytesAnti-Ransomwareunins000.exe / verysilent / suppressmsgboxes / norestart
On the other hand, CryptoMix is usually installed via Remote Desktop or penetrated the network, so targeting products that old enterprise workstations may be using allows this ransomware software to self because it works without any barriers to encryption of the entire network.
Neither Microsoft nor Malwarebytes have commented on the findings.
You should read it
- Matrix Ransomware is back under the distribution of RIG Exploit Kit
- 5 gangs that create the world's most dangerous ransomware
- 7 kinds of ransomware you didn't expect
- List of the 3 most dangerous and scary Ransomware viruses
- LockBit Ransomware takes advantage of Microsoft Defender itself to infect
- Theory - Ransomware part 2
- STOP - Ransomware is the most active in the Internet but rarely talked about
- What is Ransomware Task Force (RTF)?
- Forecast 2021: The world of security will be devastated by ransomware '
- WannaCry remains one of the most dangerous global security threats
- [Infographic] 7 effective ways to protect businesses from Ransomware
- Ako ransomware is raging all over the world, what do you know about this ransomware?
Maybe you are interested
5 applications to help track working time 50+ awesome blue powerpoint wallpapers Facebook Messenger now has a COVID-19 information hub Buy mobile hard drive, SSD hard drive where genuine, cheap? Falling money from the sky is real: A $ 700 billion gold meteorite is flying 750 million kilometers from Earth. Worm can infect Windows system via PDF vulnerability