top of page
  • Writer's pictureFYEO

Ransomware Group Deep Dive: Clop

In the past several years, ransomware has emerged as an existential threat to businesses of all sizes and industries. According to a 2021 IDC study, 37 percent of companies worldwide have experienced a ransomware incident in the past 12 months.

To defend against ransomware attacks, organizations must be aware of the major threat actors in this space. This deep dive article will discuss what you need to know about one of the biggest ransomware gangs: the Clop ransomware group.

What is the Clop Ransomware Group?

Clop (sometimes written as "CL0P"), a ransomware group that has been linked to TA505 and FIN11 (a subset of TA505), is a financially motivated hacking group that is believed to be operating in Russian-speaking countries. The group's name is thought to originate from klop, the Russian word for "bedbug." Clop ransomware first appeared in February 2019 as a variant of the ransomware strain CryptoMix.

The Clop ransomware group is notable for its use of the "double extortion" strategy, in which hackers steal users' data and encrypt it. If the victim of a Clop ransomware attack refuses to pay the ransom, the hackers will not only refuse to restore access but may also publish their private data on the CL0P^_- LEAKS website, which is accessible on the Dark Web. The

Clop ransomware group also uses aggressive tactics to get victims to pay up, such as sending targeted messages to executives and other high-profile members of the organization.

Since its inception, the Clop ransomware group has targeted countless businesses in dozens of sectors, from healthcare, finance, and retail to education, manufacturing, and telecommunications. Below are just a few notable security incidents involving Clop ransomware:

In June 2021, Clop suffered a significant blow after the arrest of six people in Ukraine allegedly linked to the ransomware gang and the shutdown of associated IT infrastructure. However, the group's operations have yet to be completely wiped out. In April 2022, Clop was the fourth most active ransomware threat actor, with 21 reported victims.

How Does Clop Ransomware Work?

Like many other types of ransomware, Clop ransomware spreads largely through phishing email campaigns. These spoofed messages attempt to trick the user into downloading a malicious attachment by impersonating the identity of a trusted person or individual. This would result in a macro-enabled document containing a loader(Get2). And the loader allows them to download different tools(rat trojan) such as FlawedAmmy and SDBot. However, other attack vectors for Clop ransomware are possible, including infected websites and Remote Desktop Protocol (RDP) security flaws. It is also good to mention that they often use vulnerabilities such as Accellion File Transfer Appliance: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, and CVE-2021-2710.

The Clop ransomware executable may come signed and verified with a digital certificate to avoid detection by anti-malware programs. However, in some cases, security analysts have noted that this certificate has been revoked by the time of their analysis.

By itself, Clop ransomware cannot spread itself through a network. However, Clop ransomware may be distributed in conjunction with other malware, such as SDBOT that does enable these capabilities. In this case, the attackers use reconnaissance and lateral movement, silently moving to other systems from the point of origin.

Once it is launched, Clop ransomware attempts to terminate many different Windows services and processes, such as antivirus software and backup tools. The ransomware then begins the encryption process. Encrypted files are labeled with the ".clop" extension (variants such as ".CIop," ".CIIp", ".Cllp" and ".C_L_O_P" have also been observed).

After encryption is complete, the Clop ransomware leaves a "ransom note," i.e., a text file informing users of how to pay the ransom. In addition, victims are warned that attempts to thwart the attack could lead to irreversible data loss and instructed to communicate with the attackers via email.

How to Protect Yourself Against Clop Ransomware

Unfortunately, as of writing, no public tools are available to crack Clop ransomware and decrypt the encrypted files. Defending against Clop ransomware is, therefore, a matter of preventing it from entering your network in the first place.

Methods of protecting against Clop ransomware include:

  • Educating users on how to recognize suspected phishing emails.

  • Downloading applications and files only from official and approved websites.

  • Regularly applying software updates to patch any security vulnerabilities.

  • Installing antivirus and anti-malware software.

  • Creating backups of mission-critical data regularly.

  • Performing Dark Web threat monitoring to understand the hazards posed by ransomware.


Here's a summary of what you need to know about the Clop ransomware group:

  • Clop is one of the largest ransomware groups operating today and is thought to operate in Russian-speaking countries.

  • The Clop ransomware group uses "double extortion," with threats to publicize victims' data on the Dark Web if they don't pay the ransom.

  • Despite arrests in June 2021, Clop ransomware continues to spread to companies in a wide range of industries.

Clop and other ransomware gangs are a significant menace. Risks include financial harm, damaged reputation, and even the organization's closure if it cannot restore operations.

Businesses must be constantly vigilant about the risks posed by cybercrime. That's why FYEO's threat intelligence software maintains a database of more than 23 billion leaked credentials—one of the largest in the world. If your information has been published on the Dark Web, we'll send you an alert so that you can take action immediately. Get in touch with us today to request a demo of FYEO Domain Intelligence.


bottom of page