{
	"id": "d148a15f-16cf-4029-8f8f-1a6c090bbc65",
	"created_at": "2026-04-06T00:09:34.781415Z",
	"updated_at": "2026-04-10T03:21:15.615718Z",
	"deleted_at": null,
	"sha1_hash": "d517d9b7482fc24618f05bcf23a7e4a16f5cf190",
	"title": "Clop Ransomware Now Kills Windows 10 Apps and 3rd Party Tools",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 847217,
	"plain_text": "Clop Ransomware Now Kills Windows 10 Apps and 3rd Party Tools\r\nBy Lawrence Abrams\r\nPublished: 2020-01-03 · Archived: 2026-04-02 11:09:21 UTC\r\nThe Clop Ransomware continues to evolve with a new and integrated process killer that targets some interesting processes\r\nbelonging to Windows 10 apps, text editors, programming IDEs and languages, and office applications.\r\nWhen the Clop Ransomware started circulating in February 2019, it was just your normal garden variety CryptoMix\r\nransomware variant with the same features we have been seeing in this family since 2017.\r\nIn March 2019, though, the Clop Ransomware suddenly changed and began disabling services for Microsoft Exchange,\r\nMicrosoft SQL Server, MySQL, BackupExec, and other enterprise software. The ransom note had also changed to indicate\r\nthat the attackers were targeting an entire network rather than individual PCs.\r\nhttps://www.bleepingcomputer.com/news/security/clop-ransomware-now-kills-windows-10-apps-and-3rd-party-tools/\r\nPage 1 of 5\n\nClop Ransom Note\r\nIt was determined at that time that a threat actor group known as TA505 had adopted the Clop Ransomware as their final\r\npayload of choice after compromising a network, similar to how Ryuk, BitPaymer, and DoppelPaymer were being used. 
\r\nThis adoption by the threat actors has most likely fueled the ransomware's development as the actors change it to fit their\r\nneeds when performing network-wide encryption.\r\nDevelopment continued in November 2019, when a new variant was released that attempted to disable Windows Defender\r\nrunning on local computers so that it would not be detected by future signature updates.\r\nThese changes also coincided with the threat actors' continued targeting of companies in the Netherlands and France.\r\nJust last month, Maastricht University (UM) in the Netherlands was infected by the Clop Ransomware.\r\nClop now terminates 663 processes\r\nIn late December 2019 a new Clop variant was discovered by MalwareHunterTeam and reverse engineered by Vitali Kremez\r\nthat improves their process termination feature; Clop now terminates 663 Windows processes before encrypting files.\r\nIt is not uncommon for ransomware to terminate processes before encrypting files as the attackers want to disable security\r\nsoftware and do not want any files to be open as it could prevent them from being encrypted.\r\nThis new variant takes it a step further by terminating a total of 663 processes, which include new Windows 10 apps,\r\npopular text editors, debuggers, programming languages, terminal programs, and programming IDE software.\r\nSome of the more interesting processes that are terminated include the Android Debug Bridge, Notepad++, Everything,\r\nTomcat, SnagIt, Bash, Visual Studio, Microsoft Office applications, programming languages such as Python and Ruby, the\r\nSecureCRT terminal application, the Windows calculator, and even the new Windows 10 Your Phone app.\r\nACROBAT.EXE\r\nADB.EXE\r\nCODE.EXE\r\nCALCULATOR.EXE\r\nCREATIVE CLOUD.EXE\r\nECLIPSE.EXE\r\n
EVERYTHING.EXE\r\nJENKINS.EXE\r\nMEMCACHED.EXE\r\nMICROSOFTEDGE.EXE\r\nNOTEPAD++.EXE\r\nPOWERPNT.EXE\r\nPYTHON.EXE\r\nQEMU-GA.EXE\r\nRUBY.EXE\r\nSECURECRT.EXE\r\nSKYPEAPP.EXE\r\nSNAGIT32.EXE\r\nTOMCAT7.EXE\r\nUEDIT32.EXE\r\nWINRAR.EXE\r\nWINWORD.EXE\r\nYOURPHONE.EXE\r\nIt is not known why some of these processes are terminated, especially ones like Calculator, Snagit, and SecureCRT, but it's\r\npossible they want to encrypt configuration files used by some of these tools.\r\nA full list of the terminated processes can be found in Kremez's GitHub repository.\r\nIn the past, the process termination functionality was performed by a Windows batch file. By embedding this functionality\r\ninto the main executable, it further signifies active development by the group.\r\n\"This change signifies that the ransomware group decided to include the \"process killer\" in the main bot making it a more\r\nuniversal Swiss-army approach rather than relying on their external libraries like \"av_block\" for this purpose,\" Kremez told\r\nBleepingComputer in a conversation.\r\nIn addition to the new and large list of targeted processes, this Clop Ransomware variant also utilizes a new .Cl0p extension,\r\nrather than the .CIop or .Clop extensions used in previous versions.\r\nAs Clop continues to infect organizations, and reap large ransoms for doing so, we can expect to see its development\r\ncontinue as the actors evolve their tactics.\r\nSource: https://www.bleepingcomputer.com/news/security/clop-ransomware-now-kills-windows-10-apps-and-3rd-party-tools/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/clop-ransomware-now-kills-windows-10-apps-and-3rd-party-tools/"
	],
	"report_names": [
		"clop-ransomware-now-kills-windows-10-apps-and-3rd-party-tools"
	],
	"threat_actors": [],
	"ts_created_at": 1775434174,
	"ts_updated_at": 1775791275,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d517d9b7482fc24618f05bcf23a7e4a16f5cf190.pdf",
		"text": "https://archive.orkl.eu/d517d9b7482fc24618f05bcf23a7e4a16f5cf190.txt",
		"img": "https://archive.orkl.eu/d517d9b7482fc24618f05bcf23a7e4a16f5cf190.jpg"
	}
}