Clop ransomware now shuts down 663 processes in Windows upon infection
The Clop ransomware has been updated so that it shuts down a greater number of Windows 10 processes. The malware now stops at least 663 Windows processes before encrypting files.
This was discovered by malware researcher Vitali Kremez, who has been tracking the Clop ransomware for some time. Kremez was also the analyst who stated that it was Russian hackers who infected Maastricht University on Christmas Eve, although there is little evidence for this. According to Kremez, the ransomware has evolved in recent weeks, showing that it is still being actively maintained by its creators.
Kremez says Clop now shuts down 663 processes within Windows before starting encryption. That is striking. Most ransomware variants do shut down some running processes, such as Office, so that the files those programs hold open can be encrypted, but rarely that many. The list includes commonly used word processors, terminal programs, programming language runtimes, and even the Windows calculator. The ransomware also closes the Android Debug Bridge and programming tools such as Notepad++ where installed, as well as Microsoft programs such as Visual Studio and the Your Phone app.
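Mass process termination before encryption is visible in endpoint telemetry, which gives defenders a detection opportunity. The following is an added example, not code from the article or from Kremez's analysis: a heuristic over constructed Sysmon Event ID 10 (ProcessAccess) records that flags a source image obtaining PROCESS_TERMINATE handles to many distinct target processes within a short window. The file paths, timestamps and thresholds are constructed for the example.

```python
"""Flag a process that takes PROCESS_TERMINATE handles to many distinct
targets in a short window: the pattern of pre-encryption process killing."""
from collections import defaultdict
from datetime import datetime, timedelta

PROCESS_TERMINATE = 0x0001  # Windows access-right bit in Sysmon's GrantedAccess


def _t(sec):
    """Constructed timestamps, a few seconds apart, for the sample events."""
    return datetime(2020, 1, 6, 10, 0, 0) + timedelta(seconds=sec)


SUSPECT = "C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe"  # constructed path
# Constructed Sysmon Event ID 10 records reduced to the fields the heuristic
# needs: (UtcTime, SourceImage, TargetImage, GrantedAccess). Not real telemetry.
SAMPLE_EVENTS = (
    # upd.exe takes PROCESS_TERMINATE handles to 25 distinct programs in 12 s
    [(_t(i // 2), SUSPECT, f"C:\\Program Files\\App{i}\\app{i}.exe", 0x1)
     for i in range(25)]
    # Task Manager ending three programs over a minute: ordinary admin activity
    + [(_t(10 + 20 * i), "C:\\Windows\\System32\\Taskmgr.exe",
        f"C:\\tool{i}.exe", 0x1) for i in range(3)]
    # explorer.exe opening many processes with PROCESS_QUERY_LIMITED_INFORMATION
    # only (0x1000), which cannot kill them and must not be counted
    + [(_t(i), "C:\\Windows\\explorer.exe",
        f"C:\\Program Files\\App{i}\\app{i}.exe", 0x1000) for i in range(30)]
)


def find_mass_terminators(events, min_targets=20, window=timedelta(seconds=30)):
    """Return {source_image: max distinct terminate-capable targets seen in any
    `window`} for every source that reaches `min_targets`."""
    by_source = defaultdict(list)
    for ts, src, dst, granted in events:
        if granted & PROCESS_TERMINATE:  # only handles that can kill the target
            by_source[src].append((ts, dst))
    flagged = {}
    for src, hits in by_source.items():
        hits.sort()  # chronological, so a sliding window is a simple slice
        best = 0
        for i, (start, _) in enumerate(hits):
            targets = {dst for ts, dst in hits[i:] if ts - start <= window}
            best = max(best, len(targets))
        if best >= min_targets:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    print(find_mass_terminators(SAMPLE_EVENTS))
```

Tune `min_targets` and `window` against a baseline of legitimate activity (installers and EDR agents also terminate processes) before alerting on this in production.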
It is not clear whether the attackers extended the list of processes to increase their impact by blocking such programs, or whether there is some other reason behind it. The makers have also moved the encryption process into the executable itself instead of a Windows batch file, which would make the ransomware easier to deploy on different systems.