This report is an overview of the Clop ransomware. Discovered in February of 2019, a recent increase in Clop attacks has been noticed by cybersecurity researchers. Notably, in March of 2021, the actor behind Clop attacked the well-known security firm Qualys, with the intention of leaking customer data. Palo Alto's Unit42 associates Clop ransomware with the group TA505 (Hive0065).
Clop infections can be detected through the “.clop” file extension that is added to files, though variants may include “.CIIp”, “.Cllp”, “.C_L_O_P” and similar, along with an expected ransomware note. Like many ransomware campaigns, Clop is often delivered through phishing campaigns delivering documents with malicious macros. These macros are used to drop the “Get2” loader on the victim machine, which is used to download additional payloads/tools, including SDBot. Whichever tool is downloaded in the second stage, it is used to ultimately deliver and execute Clop.
Some notable techniques of the ransomware include:
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.