[S2W LAB] Analysis of Clop Ransomware suspiciously related to the Recent Incident (English)
Archived: 2026-04-05 18:44:14 UTC
Author: TALON (BLKSMTH, HOTSAUCE)

Summary

The Clop ransomware has hit the network of a South Korean conglomerate and retail giant, which suspended nearly half of its stores because of the attack. We have analyzed the ransomware related to the incident; a summary of the analysis follows.

A new variant of the Clop ransomware appears to generate a separate key file and store the encryption key for each encrypted file, as opposed to the previous behavior of changing the file content and extension and saving the encryption key at the final stage.
- Key File Extension: .cllp
- Key File Header: Cllp^_-

Ransom note: we have identified that the contact email used in the ransom note is identical to the email used by Clop ransomware on the dark web site where the operators leak corporate data when negotiations fail.

We have also detected the same variant of the ransomware, containing identical signatures, on VirusTotal (build time: Nov-21-2020).

Intrusion technique

We have yet to finalize the deployment patterns, but the intrusion technique can be assumed by referring to previous incidents:
- Network intrusion using an SMB exploit.
- Massive deployment through a compromised administrator account of an Active Directory.
- Malicious document files distributed as attachments via spear-phishing emails.

#01 Clop Ransomware (8b6c413e2539823ef8f8b85900d19724)

MD5: 8b6c413e2539823ef8f8b85900d19724
SHA-1: 2d92a9ec1091cb801ff86403374594c74210cd44
SHA-256: 3d94c4a92382c5c45062d8ea0517be4011be8ba42e9c9a614a99327d0ebdf05b
Type: Win32 EXE (PE32 executable for MS Windows (GUI) Intel 80386 32-bit)
Build Time: 2020-11-20 18:18:18

Behavior
- Configured to execute from memory allocated with VirtualAlloc, so that the structure of the malicious code cannot be understood.
- Self-deletion is executed after generating an ex.bat file.

MD5: 14B7069B25B04EBA875F264BE4F140DA
Build Time: 2020-11-20 14:35:08

- Runs and registers itself as a service. Service name: WinCheckDRVs
- Uses a mutex to check whether another instance is already running (duplication check). Mutex name: GKLJHWRnjktn32uyhrjn23io#666
- Tours around remote shared folders and attempts to encrypt them.
- Gets the token of EXPLORER.EXE.
- Collects the primary access token of the user logged on to the active RDP session.
- Collects the RDP session token of the same account as the username of the collected EXPLORER.EXE token.
- Collects the token of the active session if the username length is 5 or less.
- Executes itself on winsta0\default with "runrun" as a parameter.
- Tours around remote shared folders and attempts to encrypt them.
- Runs an event log deletion command.
- Attempts to encrypt every drive from A to Z except floppy disk and CD-ROM drives.
- The new version of the Clop ransomware attempts to encrypt files in use by forcing an application or service to restart using the Restart Manager API.
- An RSA public key is hard-coded inside the malware.
- Skips the Desktop path when encrypting files.
- Avoids certain files by matching the hash value of the file name.
- Clop skips files with the following extensions:
  - .CI0P: previously encrypted file extension
  - .OCX: Object Linking and Embedding files (ActiveX)
  - .DLL: compiled (dynamic) library
  - .INI: initialization file
  - .CHM: compiled HTML help file
  - .LNG: language pack file
  - .CLLP: current encrypted ransomware file

The encryption technique varies depending on the size of the target file:
- sizeof(TargetFile) < 17KB: encryption is skipped.
- 1.7KB < sizeof(TargetFile) < 2.13MB: encrypts from offset 0x4000 to EOF (end of file), using the general file input/output method.
- 2.13MB < sizeof(TargetFile): encrypts the range 0x10000~0x2089D0; the MMF method is used to handle large files efficiently.

MMF: through a Memory Mapped File, the contents of a file are mapped into the virtual memory space, enabling an application to write to the file directly through memory.
[Figure: A diagram of the encryption method used by Clop ransomware]

- Creates a 117-byte key by randomly referencing the 256-byte table below (the Mersenne Twister algorithm is used to generate the random numbers).
- A default 117-byte key is used when key creation fails.
- The 117-byte key is used as the RC4 key to encrypt the original data, which is then updated in place: the encrypted data overwrites the original content rather than the original file being deleted.
- A key storage file, [encryption target file name].cllp, is created to manage the encryption key per file:
  - Key File Header: Cllp^_- (7 bytes)
  - Key File Data: the 117-byte RC4 key encrypted with the RSA public key (128 bytes)
- Tours around shared folders and attempts to encrypt them; the identical encryption scheme is used afterwards.
- Attempts to encrypt files from the C drive.
- A ransom note is created wherever files are encrypted. Ransom note file name: README_README.txt
- The ransom note is created by the following procedure:
  - Extract the encoded data from the resource section of the malicious code (Resource ID: 39339, Resource NAME: ID_HTML).
  - Recover the original data by XOR-decoding the resource data with the table below.
- Does not delete the shadow volume, unlike before.
- When the command-line parameter is temp.dat: reads temp.dat upon execution and attempts to encrypt only the paths specified in it. The function exists, but this option is not executed from the actual code.

Contact (e-mail addresses)
- dinoriuss1973@tutanota[.]com
- unlock@support-box[.]com
- unlock@support-iron[.]com

The contact information is identical to the information on the dark web site that lists Clop ransomware victims (the leaks website).
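To make the key-file format and the size-dependent encryption ranges above concrete, here is an added triage script. It is not S2W's tooling and not code from the sample; it only encodes values stated in this report (the Cllp^_- header, the 128-byte RSA-wrapped RC4 key, the README_README.txt note name, the skipped extensions, and the 0x4000-to-EOF and 0x10000~0x2089D0 ranges) and walks a directory pairing every .cllp key file with its original so an incident responder can scope what was touched. The directory tree, file names and file contents it builds are constructed demo data. Two assumptions: the small-file limit is taken as 17 KB (the report prints both 17KB and 1.7KB), and 2.13 MB is treated as a decimal byte count.

```python
"""Triage helper for the .cllp key files left by the Clop variant described above.

Added example, not S2W's tooling. Constants come from the report; the tree built
by build_demo_tree() is constructed demo data.
"""
import tempfile
from pathlib import Path

KEY_FILE_HEADER = b"Cllp^_-"                             # 7-byte key file header
WRAPPED_KEY_LEN = 128                                    # 117-byte RC4 key after RSA encryption
KEY_FILE_LEN = len(KEY_FILE_HEADER) + WRAPPED_KEY_LEN    # 135 bytes in total
KEY_FILE_EXT = ".cllp"
RANSOM_NOTE = "README_README.txt"
SKIPPED_EXTENSIONS = {".ci0p", ".ocx", ".dll", ".ini", ".chm", ".lng", ".cllp"}

# Size tiers. ASSUMPTION: the report prints the small-file limit as both 17KB and
# 1.7KB; 17 KB is used here. 2.13 MB is taken as a decimal byte count.
SMALL_LIMIT = 17 * 1024
LARGE_LIMIT = 2_130_000
MID_FILE_START = 0x4000
LARGE_FILE_RANGE = (0x10000, 0x2089D0)


def encrypted_range(size):
    """Byte range (start, end) the variant encrypts for a file of `size` bytes; None if skipped."""
    if size < SMALL_LIMIT:
        return None
    if size < LARGE_LIMIT:
        return (MID_FILE_START, size)      # general file I/O, 0x4000 to EOF
    return LARGE_FILE_RANGE                # memory-mapped, fixed window only


def is_skipped_extension(name):
    return Path(name).suffix.lower() in SKIPPED_EXTENSIONS


def parse_key_file(data):
    """Validate a .cllp key file and return the 128-byte RSA-wrapped RC4 key."""
    if len(data) != KEY_FILE_LEN:
        raise ValueError(f"key file is {len(data)} bytes, expected {KEY_FILE_LEN}")
    if not data.startswith(KEY_FILE_HEADER):
        raise ValueError("missing Cllp^_- header")
    return data[len(KEY_FILE_HEADER):]


def triage_directory(root):
    """Walk `root`, pair every key file with its original and classify what is found."""
    root = Path(root)
    summary = {
        "key_files": [],            # (key file, original name, encrypted byte range)
        "orphan_key_files": [],     # key file present, original missing
        "malformed_key_files": [],  # wrong length or header
        "ransom_notes": [],
        "skipped_by_extension": [],
    }
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == RANSOM_NOTE:
            summary["ransom_notes"].append(rel)
        elif path.suffix.lower() == KEY_FILE_EXT:
            try:
                parse_key_file(path.read_bytes())
            except ValueError:
                summary["malformed_key_files"].append(rel)
                continue
            original = path.with_suffix("")    # "report.docx.cllp" -> "report.docx"
            if original.is_file():
                rng = encrypted_range(original.stat().st_size)
                summary["key_files"].append((rel, original.name, rng))
            else:
                summary["orphan_key_files"].append(rel)
        elif is_skipped_extension(path.name):
            summary["skipped_by_extension"].append(rel)
    return summary


def build_demo_tree(root):
    """Constructed demo data mimicking the on-disk artefacts; contents are filler bytes."""
    docs = Path(root) / "Documents"
    docs.mkdir(parents=True, exist_ok=True)
    wrapped = lambda fill: KEY_FILE_HEADER + bytes([fill]) * WRAPPED_KEY_LEN
    (docs / "report.docx").write_bytes(b"A" * 40_000)          # mid tier
    (docs / "report.docx.cllp").write_bytes(wrapped(1))
    (docs / "budget.xlsx").write_bytes(b"B" * 3_000_000)       # large tier
    (docs / "budget.xlsx.cllp").write_bytes(wrapped(2))
    (docs / "gone.pdf.cllp").write_bytes(wrapped(3))           # original no longer present
    (docs / "notes.txt.cllp").write_bytes(b"not a key file")   # malformed
    (docs / "tiny.txt").write_bytes(b"C" * 100)                # below threshold, no key file
    (docs / RANSOM_NOTE).write_text("constructed placeholder note\n")
    (Path(root) / "helper.dll").write_bytes(b"MZ")             # skipped extension
    return Path(root)


def run_demo():
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_directory(build_demo_tree(tmp))


if __name__ == "__main__":
    for kind, items in run_demo().items():
        print(f"{kind}: {items}")
```

The per-file byte range is the point worth keeping in mind during recovery scoping: under the sizes the report gives, a file above the large-file limit has only the window 0x10000~0x2089D0 overwritten, so the bulk of its content is still intact on disk, while a mid-sized file loses everything from 0x4000 onward. An orphan key file (no matching original) and a malformed key file are both worth a closer look, since neither matches the on-disk pattern the report describes.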
Clop leaks website
- Number of Clop ransomware victims on the dark web: 17
- Data uploading cycle for a negotiated firm: approximately 7 days to 1 month

[Figure: Accounting related information]

Other malware similar to the recent sample

11 different malware MD5s share identical signature information.

MD5: 8fc09cb1540a6dea87a078b92c8f2b0a
SHA-1: 16f48624ea2a575e1bdceb4ac6151d97d4de80b6
SHA-256: 389e03b1a1fd1c527d48df74d3c26a0483a5b105f36841193172f1ee80e62c1b
Build Time: 2020-11-21 15:56:31
- Confirmed that this malware was created more recently than #01 Clop Ransomware (8b6c413e2539823ef8f8b85900d19724).
- Uses the identical method to import the malware activity file as #01 Clop Ransomware (8b6c413e2539823ef8f8b85900d19724).

MD5: AC0FE3E86F9FC7E5FD08D9E618B601F3
SHA-1: 8C7173BDDE2919B524B22EA257A80360DF33A333
SHA-256: 71DB30A0174795E9387F6A6CCA940359028CAD3BC3B7BEF24B48E150102DB391
Build Time: 2020-11-21 14:43:58

Source: https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-English-088056baf01242409a6e9f844f0c5f2e