Skip to content

S0611 Clop

Clop is a ransomware family that was first observed in February 2019 and has been used against retail, transportation and logistics, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, professional and legal services, healthcare, and high tech industries. Clop is a variant of the CryptoMix ransomware.123

Item Value
ID S0611
Associated Names
Version 1.0
Created 10 May 2021
Last Modified 15 October 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Clop can use cmd.exe to help execute commands on the system.2
enterprise T1486 Data Encrypted for Impact Clop can encrypt files using AES, RSA, and RC4 and will add the “.clop” extension to encrypted files.132
enterprise T1140 Deobfuscate/Decode Files or Information Clop has used a simple XOR operation to decrypt strings.1
enterprise T1083 File and Directory Discovery Clop has searched folders and subfolders for files to encrypt.1
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools Clop can uninstall or disable security products.2
enterprise T1490 Inhibit System Recovery Clop can delete the shadow volumes with vssadmin Delete Shadows /all /quiet and can use bcdedit to disable recovery options.1
enterprise T1112 Modify Registry Clop can make modifications to Registry keys.2
enterprise T1106 Native API Clop has used built-in API functions such as WNetOpenEnumW(), WNetEnumResourceW(), WNetCloseEnum(), GetProcAddress(), and VirtualAlloc().12
enterprise T1135 Network Share Discovery Clop can enumerate network shares.1
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.002 Software Packing Clop has been packed to help avoid detection.12
enterprise T1057 Process Discovery Clop can enumerate all processes on the victim’s machine.1
enterprise T1489 Service Stop Clop can kill several processes and services related to backups and security solutions.31
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery Clop can search for processes with antivirus and antimalware product names.12
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing Clop can use code signing to evade detection.3
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.007 Msiexec Clop can use msiexec.exe to disable security tools on the system.2
enterprise T1614 System Location Discovery -
enterprise T1614.001 System Language Discovery Clop has checked the keyboard language using the GetKeyboardLayout() function to avoid installation on Russian-language or other Commonwealth of Independent States-language machines; it will also check the GetTextCharset function.1
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.003 Time Based Evasion Clop has used the sleep command to avoid sandbox detection.3

Groups That Use This Software

ID Name References
G0092 TA505 32