clop
Group profile
The ransomware group known as Cl0p is a variant of a previously known strain dubbed CryptoMix. It is worth noting that this variant was delivered as the final payload in a phishing campaign in 2019 and was exclusively financially motivated, with the attacks carried out by the threat actor TA505.

At that time, malicious actors sent phishing emails that led to a macro-enabled document that dropped a loader called 'Get2'. After gaining an initial foothold in the system or infrastructure, the actors used reconnaissance, lateral movement, and exfiltration techniques to prepare for the deployment of the ransomware.

After execution, Cl0p appends the extension '.clop' to the end of encrypted files, or other extensions such as '.CIIp', '.Cllp', and '.C_L_O_P'; different versions of the ransom note have also been observed after encryption. Depending on the variant, the ransom note is created with a name such as 'ClopReadMe.txt', 'README_README.txt', 'Cl0pReadMe.txt', or 'READ_ME_!!!.TXT'.

The Cl0p operation has since shifted away from delivering its final payload via phishing and has begun initiating attacks by exploiting vulnerabilities, leading to the compromise and infection of victims' infrastructures.

Source: https://github.com/crocodyli/ThreatActors-TTPs
MITRE ATT&CK TTPs
Initial Access

| Technique | Description |
|---|---|
| T1078 Valid accounts | Has been reported to make use of compromised accounts to access victims via RDP. |
| T1190 Exploit public-facing application | Arrives via any of the following exploits: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104, CVE-2021-35211. |
| T1566.001 Phishing: Spear-phishing attachment | Arrives via phishing emails carrying the Get2 loader, which downloads SDBot and the FlawedAmmyy RAT. |

Execution

| Technique | Description |
|---|---|
| T1059 Command and scripting interpreter | Uses various scripting interpreters such as PowerShell, the Windows command shell, and Visual Basic (macros in documents). |
| T1106 Native API | Uses native APIs to execute various commands and routines. |
| T1204 User execution | User execution is needed to run the payload delivered via the spear-phishing link or attachment. |

Persistence

Privilege Escalation

| Technique | Description |
|---|---|
| T1068 Exploitation for privilege escalation | Makes use of CVE-2021-27102 to escalate privileges. |
| T1484.001 Domain Policy modification: Group Policy modification | Uses stolen credentials to access the Active Directory servers, gain administrator privileges, and attack other machines within the network. |
| T1574 Hijack execution flow | UAC bypass. |

Defense Evasion

| Technique | Description |
|---|---|
| T1036.001 Masquerading: invalid code signature | Makes use of the following digital signatures: DVERI, FADO, TOV. |
| T1055.001 Process injection: DLL injection | A tool used to deliver other tools and payloads has the capability to inject its downloaded payload into a process. |
| T1070.001 Indicator removal on host: clear Windows event logs | Clears the Event Viewer log files. |
| T1070.004 Indicator removal on host: file deletion | Deletes traces of itself on the infected machine. |
| T1140 Deobfuscate/Decode files or information | The tool used for exfiltration removes part of its malware traces and drops a base64-encoded file. |
| T1202 Indirect command execution | A startup script, registered via a startup registry key, runs just before the system reaches the login screen. |
| T1562.001 Impair defenses: disable or modify tools | Disables security-related software by terminating its processes. |

Discovery

| Technique | Description |
|---|---|
| T1012 Query registry | Queries certain registry keys as part of its routine. |
| T1018 Remote system discovery | Makes use of tools for network scans. |
| T1057 Process discovery | Discovers certain processes in order to terminate them. |
| T1063 Security software discovery | Discovers security software for reconnaissance and termination. |
| T1082 System information discovery | Identifies the keyboard layout and other system information. |
| T1083 File and directory discovery | Searches for specific files and directories related to its encryption routine. |

Lateral Movement

Collection

| Technique | Description |
|---|---|
| T1005 Data from local system | Might make use of RDP to manually search for valuable files or information. |

Exfiltration

| Technique | Description |
|---|---|
| T1567 Exfiltration over web service | The DEWMODE web shell extracts the list of available files from a MySQL database on the FTA and lists these files with their corresponding metadata; the files are then downloaded using the same DEWMODE web shell. |

Command and Control

| Technique | Description |
|---|---|
| T1071 Application layer protocol | Uses HTTP/HTTPS to communicate with its C&C server. |
Recent victims
Showing 50 of 1,254

| Date | Website / victim | Sector | Country |
|---|---|---|---|
| 2026-05-01 | INJURYLAWYERS.COM | Business Services | US |
| 2026-05-01 | INTEGRALIFE.COM | Healthcare | US |
| 2026-03-30 | AIGHEALTHCARE.IN | Healthcare | IN |
| 2026-03-30 | CLOUD.CLEARWAYGROUP.COM | Technology | |
| 2026-02-14 | DAD.CO.TH | Technology | TH |
| 2026-02-14 | THEMORTGAGEFIRM.COM | Financial Services | US |
| 2026-02-14 | FISHWINDOWCLEANING.COM | Business Services | US |
| 2026-02-14 | SOLUTIONSINSAFETY.COM | Business Services | |
| 2026-02-14 | BOYDEN.COM | Business Services | US |
| 2026-02-14 | CFDT.FR | Public Sector | FR |
| 2026-02-14 | SPOHNASSOCIATES.COM | Technology | US |
| 2026-02-14 | GARNERGROUP.NET | Not Found | |
| 2026-02-14 | THEPERPETUAL.COM | Technology | US |
| 2026-02-14 | AIGBUSINESS.COM | Financial Services | |
| 2026-02-14 | HYDEPARKUMC.ORG | Education | US |
| 2026-02-14 | GIACARE.COM | Healthcare | US |
| 2026-02-14 | GIASPACE.COM | Technology | US |
| 2026-02-14 | ONESUPPORT.COM | Technology | US |
| 2026-02-14 | HUDSONSUSTAINABLE.COM | Energy | US |
| 2026-02-14 | GOKALLIT.COM | Technology | |
| 2026-02-14 | CHEHARDY.COM | Not Found | US |
| 2026-02-14 | RBDCONSTRUCTION.COM | Construction | US |
| 2026-02-14 | BROADREACHRETAIL.COM | Consumer Services | US |
| 2026-02-14 | BE09.FR | Not Found | FR |
| 2026-02-14 | SMITHIPSERVICES.COM | Business Services | |
| 2026-02-14 | PROACTIVEMEDICAL.COM | Healthcare | US |
| 2026-02-14 | ITARCHITECHS.COM | Technology | US |
| 2026-02-14 | HUDSONEXECUTIVE.COM | Financial Services | US |
| 2026-02-14 | ANSTECHINC.COM | Technology | US |
| 2026-02-07 | MNKASSOCIATES.COM | Not Found | |
| 2026-02-07 | VIPPLLC.COM | Not Found | |
| 2026-02-07 | TRJLTD.CO.UK | Not Found | UK |
| 2026-02-07 | STRATEGICOBJECTIVES.COM | Business Services | CA |
| 2026-02-07 | IDEALWELDERS.COM | Manufacturing | CA |
| 2026-02-07 | CROWDEDISLAND.COM | Not Found | |
| 2026-02-07 | DUKOSI.COM | Technology | GB |
| 2026-02-07 | CONWEST.COM | Not Found | CA |
| 2026-02-07 | NGATTORNEYS.COM | Not Found | |
| 2026-02-07 | LABINF.IT | Technology | IT |
| 2026-02-07 | AUGUSTEA.COM | Transportation/Logistics | IT |
| 2026-02-07 | MEDIAWORLD.COM.HK | Technology | HK |
| 2026-02-07 | WARDHAVENCAPITAL.COM | Financial Services | |
| 2026-02-07 | LONGHORNORGANICS.COM | Agriculture and Food Production | US |
| 2026-02-07 | DCSNORWAY.COM | Not Found | NO |
| 2026-02-07 | SHACKELFORD.LAW | Business Services | |
| 2026-02-07 | SERVE-CLOUD.COM | Technology | |
| 2026-02-07 | MARK-FINN.CO.UK | Construction | UK |
| 2026-02-07 | EMEG.CO.UK | Business Services | UK |
| 2026-02-07 | LOGICALMICRO.COM | Technology | GB |
| 2026-02-07 | H HODERO HOLDINGS LTD | Not Found | BM |