Clop
Name
Category
Type
Targeted OS
Description
Information
Clop
Cl0p
Malware
Ransomware
Big Game Hunting
Windows & Linux
Clop is ransomware that appends the .clop extension to the victim's files after encrypting them. Another distinguishing characteristic of Clop is the string 'Dont Worry C|0P' included in its ransom notes. It is a variant of the CryptoMix ransomware, but it additionally attempts to disable Windows Defender and to remove Microsoft Security Essentials in order to avoid user-space detection.
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clop-ransomware/
https://www.bleepingcomputer.com/news/security/clop-ransomware-now-kills-windows-10-apps-and-3rd-party-tools/
https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104
https://www.cybereason.com/blog/cybereason-vs.-clop-ransomware
https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-English-088056baf01242409a6e9f844f0c5f2e
https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824
https://blog.malwarebytes.com/malwarebytes-news/2021/02/clop-targets-execs-ransomware-tactics-get-another-new-twist/
https://unit42.paloaltonetworks.com/clop-ransomware/
https://www.cybereason.com/blog/cl0p-ransomware-gang-tries-to-topple-the-house-of-cards
https://www.sentinelone.com/labs/cl0p-ransomware-targets-linux-systems-with-flawed-encryption-decryptor-available/
https://flashpoint.io/blog/clop-ransomware-threat/
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a
Malpedia
Alienvault OTX
Playbook
https://pan-unit42.github.io/playbook_viewer/?pb=clop-ransomware
https://www.sentinelone.com/labs/cl0p-ransomware-targets-linux-systems-with-flawed-encryption-decryptor-available/
CISA
Other Information
Mitre
Mitre Techniques
Mitre Techniques Navigator Link
NIL
NIL
['T1059', 'T1486', 'T1140', 'T1083', 'T1562', 'T1490', 'T1112', 'T1106', 'T1135', 'T1027', 'T1057', 'T1489', 'T1518', 'T1553', 'T1218', 'T1614', 'T1497']