
Clop – Ransomware by TA505

By Detecteam | 2023-06-22 | 2023-06-23

TLP

TLP CLEAR

Author

Jordi Lobo

Summary

Clop ransomware is a variant of a previously known strain called CryptoMix. In 2019, Clop was delivered as the final payload of a phishing campaign associated with the financially motivated actor TA505. In 2020, Clop evolved from ransomware delivered through malicious spam into one used in targeted campaigns against high-profile companies. Clop appends the .clop extension to the victim’s files; we have also observed variants using other extensions, such as .CIIp, .Cllp and .C_L_O_P. The ransomware includes various features to avoid detection, and observed samples try to kill several processes and services related to backups and security solutions.
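The behaviours in the summary can be correlated per host for triage. The following is an added example, not Detecteam's own detection logic: the event schema, host names, threshold and command patterns are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Extensions named in the summary; compared case-insensitively.
CLOP_EXTENSIONS = (".clop", ".ciip", ".cllp", ".c_l_o_p")

# Assumption: generic Windows commands for stopping services/processes and
# removing recovery points; the page does not list Clop's exact commands.
TAMPER_PATTERNS = {
    "service/process stop": re.compile(
        r"\b(?:net1?|sc)(?:\.exe)?\s+stop\b|\btaskkill(?:\.exe)?\b.*\s/f\b", re.I),
    "recovery inhibited": re.compile(
        r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b"
        r"|\bbcdedit(?:\.exe)?\b.*recoveryenabled\s+no\b", re.I),
}

def triage(events, min_files=3):
    """Correlate Clop-style file extensions with tamper commands per host."""
    files, behaviours = defaultdict(int), defaultdict(set)
    for ev in events:
        if ev["type"] == "file" and ev["path"].lower().endswith(CLOP_EXTENSIONS):
            files[ev["host"]] += 1
        elif ev["type"] == "process":
            for name, rx in TAMPER_PATTERNS.items():
                if rx.search(ev["cmdline"]):
                    behaviours[ev["host"]].add(name)
    findings = {}
    for host in set(files) | set(behaviours):
        encrypting = files[host] >= min_files
        tampering = bool(behaviours[host])
        severity = ("high" if encrypting and tampering
                    else "medium" if encrypting else "low")
        findings[host] = {"files": files[host], "severity": severity,
                          "behaviours": sorted(behaviours[host])}
    return findings

# Constructed sample events (hosts, paths and service names are made up).
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process", "cmdline": "net stop ExampleBackupSvc /y"},
    {"host": "WS01", "type": "process", "cmdline": "vssadmin.exe Delete Shadows /all /quiet"},
    {"host": "WS01", "type": "file", "path": r"C:\Users\a\q1.xlsx.Clop"},
    {"host": "WS01", "type": "file", "path": r"C:\Users\a\plan.docx.Cllp"},
    {"host": "WS01", "type": "file", "path": r"C:\Users\a\db.bak.C_L_O_P"},
    {"host": "WS02", "type": "process", "cmdline": "sc stop ExampleSvc"},
    {"host": "WS03", "type": "file", "path": r"C:\Users\b\notes.txt"},
]

if __name__ == "__main__":
    for host, finding in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, finding)
```

A lone service stop (WS02) stays at low severity because administrators run such commands routinely; the signal is the combination with a burst of files carrying the listed extensions.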

DATA

cslogs-1 (Download)

TIMELINE

CATEGORY

Ransomware

REFERENCES

  • https://unit42.paloaltonetworks.com/clop-ransomware/
  • https://unit42.paloaltonetworks.com/atoms/clop-ransomware/
  • https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter
  • https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clop-ransomware/
  • https://www.splunk.com/en_us/blog/security/detecting-clop-ransomware.html
  • https://www.pcrisk.com/removal-guides/14451-clop-ransomware

MITRE ATT&CK

Post Tags:

  • #T1041 - Exfiltration Over C2 Channel
  • #T1057 - Process Discovery
  • #T1059.003 - Windows Command Shell
  • #T1083 - File and Directory Discovery
  • #T1086 - Data Encrypted for Impact
  • #T1489 - Service Stop
  • #T1490 - Inhibit System Recovery
  • #T1553.002 - Code Signing
  • #T1566.001 - Spearphishing Attachment