Clop (Malware)
⚠️ Overview
Clop (also tracked as Cl0p) is a human-operated ransomware family first discovered in February 2019 by security researchers at Trend Micro. It is operated by the financially motivated threat group tracked as FIN11 (TA505) and primarily targets enterprises through double extortion: encrypting files and exfiltrating sensitive data before demanding payment. The malware is categorized as a Ransomware-as-a-Service (RaaS) variant, though its operators maintain direct control over campaigns.
🔧 Technical Capabilities
Clop propagates via phishing emails carrying malicious attachments or links and by exploiting vulnerabilities in enterprise software such as MOVEit Transfer (CVE-2023-34362), Accellion FTA (CVE-2021-27101 through CVE-2021-27104), and SolarWinds Serv-U (CVE-2021-35211). Once deployed, it uses PowerShell and scheduled tasks for persistence, disables Windows Defender and the Volume Shadow Copy (VSS) service via WMI, and terminates database and mail-server processes so that the files they hold open can be encrypted. The ransomware communicates with its C2 infrastructure over HTTPS on custom ports, often routing through Tor or commercial VPS providers for anonymization. It employs an encryption scheme that combines ChaCha20 for file content with RSA-4096 for key protection, and skips files whose extensions are critical to system operation. Exfiltration is performed over C2 channels using tools such as MegaSync or custom scripts before encryption begins.
📜 History & Notable Incidents
Clop gained widespread attention in 2020–2021 by breaching major organizations through the Accellion FTA vulnerabilities, including the Reserve Bank of New Zealand, Shell, and the University of Colorado. The most impactful campaign occurred in June 2023, exploiting CVE-2023-34362 (MOVEit Transfer) and affecting over 2,000 organizations globally, including the BBC, British Airways, and the U.S. Department of Energy. In June 2023, Ukrainian police arrested at least two individuals linked to the Clop operation, and in November 2023, the U.S. Department of Justice indicted three Ukrainian nationals for their role in the MOVEit attacks (MITRE ATT&CK Group G0114, Software S0652).
🔍 Detection Indicators
Known file hashes include sample SHA256 4A3E7F9... (specific samples vary by campaign). Behavioral signatures include the creation of a ransom note named _readme.txt or CLOP_DECRYPT.txt, the appending of a .clop extension to encrypted files, and the mutex name “Global\clop”. Network IOCs include outbound HTTPS requests to IP ranges associated with Ukrainian and Russian hosting providers (e.g., 178.73.xxx.xxx) and User-Agent strings such as “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36”. Registry modifications include disabling Windows Defender by setting HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware to 1.
☠️ Risk & Impact
Clop causes severe data exfiltration and encryption, leading to operational downtime, regulatory fines, and reputational damage. The most heavily affected sectors include healthcare, education, finance, and government. The MOVEit breach alone cost victims an estimated $9.9 billion in losses (according to Comparitech analysis), with ransom demands ranging from $500,000 to over $10 million per victim.
🛡️ Mitigation
Mitigation strategies include patching enterprise software against known CVEs (e.g., CVE-2023-34362 for MOVEit), enforcing multi-factor authentication on remote access, implementing network segmentation, and deploying endpoint detection and response (EDR) solutions with behavioral rules for abnormal PowerShell usage and VSS deletion. Organizations should also maintain offline backups and test restoration procedures regularly. Refer to CISA’s “Clop Ransomware” advisory (AA24-015A) for detailed detection rules.
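As an added example (not from the original page, CISA, or any EDR vendor), the following detection logic covers the behavioral indicators listed above (VSS deletion, the DisableAntiSpyware registry change, ransom-note creation, and mass .clop renames) run over constructed sample telemetry; the event shape and field names are an assumption of this example, not a real log format.

```python
import re

# Constructed sample telemetry in a simplified Sysmon-like shape (not real logs).
# The field names (event, image, cmdline, key, value, data, path) are assumed here.
SAMPLE_EVENTS = [
    {"event": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"event": "registry", "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender",
     "value": "DisableAntiSpyware", "data": 1},
    {"event": "file", "path": r"C:\Users\alice\Documents\CLOP_DECRYPT.txt"},
    {"event": "file", "path": r"C:\Users\alice\Documents\q1.xlsx.clop"},
    {"event": "file", "path": r"C:\Users\alice\Documents\q2.xlsx.clop"},
    {"event": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},  # benign control event, must not alert
]

VSS_RE = re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
NOTE_NAMES = {"_readme.txt", "clop_decrypt.txt"}
DEFENDER_KEY = r"hklm\software\policies\microsoft\windows defender"

def detect(events, rename_threshold=2):
    """Return (rule_name, detail) tuples for events matching the Clop indicators.
    rename_threshold: number of .clop files seen before a mass-encryption alert fires."""
    hits = []
    clop_files = 0
    for ev in events:
        kind = ev.get("event")
        if kind == "process" and VSS_RE.search(ev.get("cmdline", "")):
            hits.append(("vss_deletion", ev["cmdline"]))
        elif kind == "registry":
            if (ev.get("key", "").lower() == DEFENDER_KEY
                    and ev.get("value", "").lower() == "disableantispyware"
                    and ev.get("data") == 1):
                hits.append(("defender_disabled", ev["key"] + "\\" + ev["value"]))
        elif kind == "file":
            name = ev.get("path", "").rsplit("\\", 1)[-1].lower()
            if name in NOTE_NAMES:
                hits.append(("ransom_note", ev["path"]))
            elif name.endswith(".clop"):
                clop_files += 1
                if clop_files == rename_threshold:  # alert once, when the threshold is reached
                    hits.append(("mass_clop_extension", f"{clop_files} files"))
    return hits

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

In production the same rules would be fed from EDR or Sysmon telemetry rather than the embedded sample list, and the rename threshold would be tuned per environment.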