
Clop – Ransomware by TA505

TLP

TLP CLEAR

Author

Jordi Lobo

Summary

Clop ransomware is a variant of the previously known CryptoMix strain. In 2019, Clop was delivered as the final payload of phishing campaigns attributed to the financially motivated actor TA505. By 2020, Clop had evolved from a ransomware delivered through malicious spam into one used in targeted campaigns against high-profile companies. Clop appends the .clop extension to the victim's files; we have also observed variants using other extensions, such as .CIIp, .Cllp and .C_L_O_P. The ransomware includes several features to avoid detection, and observed Clop samples attempt to kill a number of processes and services related to backups and security solutions.
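The extension list above is the most direct hunting indicator on this page. The following script is an added example written for this summary, not Detecteam's or TA505's code: it takes a file listing (a constructed sample is embedded), matches the last suffix case-insensitively against the four extensions named above, and flags directories where many files carry such a suffix, since a mass rename in one folder points at an encryption run rather than a stray file. The directory threshold and the sample paths are assumptions for illustration.

```python
"""Hunt a file listing for extensions associated with Clop ransomware variants.

Added example for the summary above; not Detecteam's code. The extension list
is taken from the summary, the sample paths are constructed, and the threshold
for "this directory was encrypted" is an illustrative choice.
"""
import os
from collections import Counter
from pathlib import PureWindowsPath

# Extensions named in the summary. Compared case-insensitively because NTFS
# preserves but does not distinguish case, so ".CIIp" may be listed as ".ciip".
CLOP_EXTENSIONS = frozenset(
    ext.lower() for ext in (".clop", ".CIIp", ".Cllp", ".C_L_O_P")
)


def clop_extension(path):
    """Return the matched Clop extension (lowercased) or None.

    Only the last suffix is checked: Clop appends its extension to the original
    name, so "report.docx.clop" keeps ".docx" as an inner suffix.
    PureWindowsPath is used so backslash paths parse on any host OS.
    """
    suffix = PureWindowsPath(path).suffix.lower()
    return suffix if suffix in CLOP_EXTENSIONS else None


def scan_paths(paths):
    """Group matching paths by the (lowercased) Clop extension they carry."""
    hits = {}
    for path in paths:
        ext = clop_extension(path)
        if ext:
            hits.setdefault(ext, []).append(path)
    return hits


def encrypted_directories(paths, threshold=5):
    """Directories holding at least `threshold` Clop-extension files.

    Returns {directory: count}. The threshold is an assumption: tune it to
    the share or host being hunted.
    """
    per_dir = Counter(
        str(PureWindowsPath(path).parent) for path in paths if clop_extension(path)
    )
    return {d: n for d, n in per_dir.items() if n >= threshold}


def scan_tree(root, threshold=5):
    """Walk a local directory tree and return (hits_by_extension, flagged_dirs)."""
    paths = [
        os.path.join(dirpath, name)
        for dirpath, _dirs, files in os.walk(root)
        for name in files
    ]
    return scan_paths(paths), encrypted_directories(paths, threshold)


# Constructed sample listing, not a real capture.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\Q3-report.docx.clop",
    r"C:\Users\alice\Documents\budget.xlsx.CIIp",
    r"C:\Users\alice\Pictures\holiday.jpg.Cllp",
    r"\\fileserver\share\contracts\msa.pdf.C_L_O_P",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Documents\readme.txt",
]

if __name__ == "__main__":
    for ext, files in sorted(scan_paths(SAMPLE_PATHS).items()):
        print(f"{ext}: {len(files)} file(s)")
        for f in files:
            print(f"    {f}")
    for directory, count in encrypted_directories(SAMPLE_PATHS, threshold=2).items():
        print(f"possible encryption run in {directory}: {count} renamed files")
```

Run it against a directory export (`dir /s /b` output, a file-server audit, or `scan_tree()` on a mounted share) rather than only the embedded sample. Matching on the last suffix only is deliberate: a loose substring match on "clop" would also fire on benign names.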

CATEGORY

Ransomware
