Clop

Clop is a ransomware family that was first observed in February 2019 and has been used against retail, transportation and logistics, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, professional and legal services, healthcare, and high tech industries. Clop is a variant of the CryptoMix ransomware.[1][2][3]

ID: S0611
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 10 May 2021
Last Modified: 15 October 2021

Techniques Used

Domain ID Name Use
Enterprise T1112 Modify Registry

Clop can make modifications to Registry keys.[2]

Enterprise T1140 Deobfuscate/Decode Files or Information

Clop has used a simple XOR operation to decrypt strings.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Clop can use cmd.exe to help execute commands on the system.[2]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Clop can uninstall or disable security products.[2]

Enterprise T1486 Data Encrypted for Impact

Clop can encrypt files using AES, RSA, and RC4 and will add the ".clop" extension to encrypted files.[1][3][2]

Enterprise T1083 File and Directory Discovery

Clop has searched folders and subfolders for files to encrypt.[1]

Enterprise T1489 Service Stop

Clop can kill several processes and services related to backups and security solutions.[3][1]

Enterprise T1106 Native API

Clop has used built-in API functions such as WNetOpenEnumW(), WNetEnumResourceW(), WNetCloseEnum(), GetProcAddress(), and VirtualAlloc().[1][2]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Clop has been packed to help avoid detection.[1][2]

Enterprise T1218 .007 System Binary Proxy Execution: Msiexec

Clop can use msiexec.exe to disable security tools on the system.[2]

Enterprise T1614 .001 System Location Discovery: System Language Discovery

Clop has checked the keyboard language using the GetKeyboardLayout() function to avoid installation on Russian-language or other Commonwealth of Independent States-language machines; it also checks the GetTextCharset() function.[1]

Enterprise T1490 Inhibit System Recovery

Clop can delete the shadow volumes with vssadmin Delete Shadows /all /quiet and can use bcdedit to disable recovery options.[1]
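The shadow-copy deletion and recovery tampering described for T1490 is one of the most reliably detectable steps in a Clop intrusion. The following is an added detection example, not code from MITRE or from any Clop analysis: it runs over constructed process-creation events (field names and the bcdedit recovery switches it looks for are assumptions) and tags the events that match the behaviour listed above.

```python
# Added example: flag process-creation events matching Clop's T1490 behaviour.
# Event shape (pid/image/cmdline) is an assumption modelled on Sysmon/EDR telemetry.

# Constructed sample events; not real telemetry from any incident.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin Delete Shadows /all /quiet"},
    {"pid": 4131, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"pid": 4140, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},            # benign admin use
    {"pid": 4155, "image": r"C:\Program Files\Backup\agent.exe",
     "cmdline": "agent.exe --snapshot"},             # unrelated process
]

# bcdedit switches that alter boot-time recovery behaviour (assumed set of interest).
BCDEDIT_RECOVERY_SWITCHES = {"recoveryenabled", "bootstatuspolicy"}


def _basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a T1490 tag if the event matches the page's described behaviour, else None.

    Matching is token-based and case-insensitive so that argument order or
    casing differences (e.g. 'delete shadows /quiet /all') do not evade it.
    """
    tokens = event["cmdline"].lower().split()
    exe = _basename(event["image"])
    if exe == "vssadmin.exe" and "delete" in tokens and "shadows" in tokens:
        return "T1490 shadow copy deletion"
    if exe == "bcdedit.exe" and BCDEDIT_RECOVERY_SWITCHES & set(tokens):
        return "T1490 recovery options modified"
    return None


def scan(events):
    """Return (pid, tag) for every event that classify() flags."""
    hits = []
    for event in events:
        tag = classify(event)
        if tag:
            hits.append((event["pid"], tag))
    return hits


if __name__ == "__main__":
    for pid, tag in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {tag}")
```

Listing or querying shadow copies is deliberately not flagged, since that is routine backup administration; the rule fires only on deletion and on recovery-setting changes.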

Enterprise T1135 Network Share Discovery

Clop can enumerate network shares.[1]

Enterprise T1497 .003 Virtualization/Sandbox Evasion: Time Based Evasion

Clop has used the sleep command to avoid sandbox detection.[3]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Clop can search for processes with antivirus and antimalware product names.[1][2]

Enterprise T1057 Process Discovery

Clop can enumerate all processes on the victim's machine.[1]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Clop can use code signing to evade detection.[3]

Groups That Use This Software

ID Name References
G0092 TA505 [3][2]

References