A new version of the Clop ransomware has resulted in a few changes, the most notable being a new list of processes to kill. Prior to this version, evolutions to the ransomware included the addition of terminating processes related to enterprise software (Microsoft Exchange, SQL Server, etc) and disabling Windows Defender. Along with the aforementioned enterprise software, the most recent update to Clop ransomware includes an extensive process termination list that includes Windows 10 apps, popular text editors, debuggers, programming languages, terminal programs, and programming IDE software. The researchers note that the reasoning behind cancelling some of these services is not fully understood since they wouldn’t have associated user-created files to encrypt, but it is possible that the attackers want to ensure configuration files for these applications are encrypted. Related to the process termination, another change is that this functionality is now included in the main executable whereas before it was performed by a separate batch script. The last change is the use of a new extension appended to encrypted files, “.Cl0p,” replacing the previously used extensions “.CIop” (capital “I”) and “.Clop” (lower case “L”).