S0611 Clop

Clop is a ransomware family that was first observed in February 2019 and has been used against retail, transportation and logistics, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, professional and legal services, healthcare, and high tech industries. Clop is a variant of the CryptoMix ransomware.[1][2][3]

Item | Value |
---|---|
ID | S0611 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 10 May 2021 |
Last Modified | 15 October 2021 |

Techniques Used

Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | Clop can use cmd.exe to help execute commands on the system.[2] |
enterprise | T1486 | Data Encrypted for Impact | Clop can encrypt files using AES, RSA, and RC4 and will add the ".clop" extension to encrypted files.[1][3][2] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | Clop has used a simple XOR operation to decrypt strings.[1] |
enterprise | T1083 | File and Directory Discovery | Clop has searched folders and subfolders for files to encrypt.[1] |
enterprise | T1562 | Impair Defenses | - |
enterprise | T1562.001 | Disable or Modify Tools | Clop can uninstall or disable security products.[2] |
enterprise | T1490 | Inhibit System Recovery | Clop can delete the shadow volumes with `vssadmin Delete Shadows /all /quiet` and can use bcdedit to disable recovery options.[1] |
enterprise | T1112 | Modify Registry | Clop can make modifications to Registry keys.[2] |
enterprise | T1106 | Native API | Clop has used built-in API functions such as WNetOpenEnumW(), WNetEnumResourceW(), WNetCloseEnum(), GetProcAddress(), and VirtualAlloc().[1][2] |
enterprise | T1135 | Network Share Discovery | Clop can enumerate network shares.[1] |
enterprise | T1027 | Obfuscated Files or Information | - |
enterprise | T1027.002 | Software Packing | Clop has been packed to help avoid detection.[1][2] |
enterprise | T1057 | Process Discovery | Clop can enumerate all processes on the victim's machine.[1] |
enterprise | T1489 | Service Stop | Clop can kill several processes and services related to backups and security solutions.[3][1] |
enterprise | T1518 | Software Discovery | - |
enterprise | T1518.001 | Security Software Discovery | Clop can search for processes with antivirus and antimalware product names.[1][2] |
enterprise | T1553 | Subvert Trust Controls | - |
enterprise | T1553.002 | Code Signing | Clop can use code signing to evade detection.[3] |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.007 | Msiexec | Clop can use msiexec.exe to disable security tools on the system.[2] |
enterprise | T1614 | System Location Discovery | - |
enterprise | T1614.001 | System Language Discovery | Clop has checked the keyboard language using the GetKeyboardLayout() function to avoid installation on Russian-language or other Commonwealth of Independent States-language machines; it will also check the GetTextCharset() function.[1] |
enterprise | T1497 | Virtualization/Sandbox Evasion | - |
enterprise | T1497.003 | Time Based Evasion | Clop has used the sleep command to avoid sandbox detection.[3] |

Groups That Use This Software

ID | Name | References |
---|---|---|
G0092 | TA505 | [3][2] |