{
	"id": "f19b1286-313a-4721-aa80-cbbcf770d1f4",
	"created_at": "2026-04-06T00:06:53.515961Z",
	"updated_at": "2026-04-10T03:21:22.4652Z",
	"deleted_at": null,
	"sha1_hash": "13ba12ed35e1e1514e04dc29b47668db257f8743",
	"title": "CryptoMix Clop Ransomware Says It's Targeting Networks, Not Computers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 968287,
	"plain_text": "CryptoMix Clop Ransomware Says It's Targeting Networks, Not\r\nComputers\r\nBy Lawrence Abrams\r\nPublished: 2019-03-05 · Archived: 2026-04-05 19:52:17 UTC\r\nA new CryptoMix Ransomware variant has been discovered that appends the .CLOP or .CIOP extension to encrypted files.\r\nOf particular interest is that this variant is now indicating that the attackers are targeting entire networks rather than\r\nindividual computers.\r\nThis variant was discovered by MalwareHunterTeam, who has noticed that the developers are switching between different\r\nemail addresses and slight variations in the extension.\r\nAs we are always looking for weaknesses, if you are a victim of this variant and decide to pay the ransom, please send us the\r\ndecryptor so we can take a look at it. You can also discuss or receive support for Cryptomix ransomware infections in our\r\ndedicated Cryptomix Help \u0026 Support Topic.\r\nhttps://www.bleepingcomputer.com/news/security/cryptomix-clop-ransomware-says-its-targeting-networks-not-computers/\r\nPage 1 of 7\n\nThe Clop CryptoMix Ransomware variant\r\nIt has been quite a while since we covered a new CryptoMix variant and some things have changed since then.\r\nThis variant is currently being distributed using executables that have been code-signed with a digital signature. Doing so\r\nmakes the executable appear more legitimate and may help to bypass security software detections.\r\nAccording to an analysis by security researcher Vitali Kremez, when started this variant will first stop numerous Windows services and\r\nprocesses in order to disable antivirus software and close all files so that they are ready for encryption. 
Examples of\r\nprocesses that are shut down include Microsoft Exchange, Microsoft SQL Server, MySQL, BackupExec, and more.\r\nAnother item noticed by BleepingComputer in this variant is that it will create a batch file named\r\nclearnetworkdns_11-22-33.bat that will be executed soon after the ransomware is launched. This batch file will disable Windows's automatic startup\r\nrepair, remove shadow volume copies, and then resize them in order to clear orphaned shadow volume copies.\r\nRemove Shadow Volume Copies\r\nThe ransomware will then begin to encrypt a victim's files. When encrypting files it will append the .Clop or .CIop\r\nextension to the encrypted file's name. For example, a test file encrypted by this variant has an encrypted file name of\r\ntest.jpg.CIop.\r\nEncrypted CIop Files\r\nThis variant will also create a ransom note named CIopReadMe.txt that is now indicating that they are targeting an entire\r\nnetwork rather than an individual computer. Whether this is true or not is not known at this time, as the ransomware itself\r\ndoes not have the ability to self-propagate, but this could be done manually if the attackers are hacking into Remote Desktop\r\nServices.\r\nRansom Note\r\nThis ransom note also contains the emails\r\nunlock@eqaltech.su, unlock@royalmail.su, and kensgilbomet@protonmail.com that can be used to contact the attackers\r\nfor payment instructions.\r\nUnfortunately, at this time the ransomware cannot be decrypted for free. 
You can receive support or discuss Cryptomix\r\nransomware infections in our dedicated Cryptomix Help \u0026 Support Topic.\r\nHow to protect yourself from the Ransomware\r\nIn order to protect yourself from ransomware it is important that you use good computing habits and security software. The\r\nmost important step is to always have a reliable and tested backup of your data that can be restored in the case of an\r\nemergency, such as a ransomware attack.\r\nYou should also make sure that you do not have any computers running remote desktop services connected directly to the\r\nInternet. Instead place computers running remote desktop behind VPNs so that they are only accessible to those who have\r\nVPN accounts on your network.\r\nA good security software solution that incorporates behavioral detections to combat ransomware and not just use signature\r\ndetections or heuristics is important as well. For example, Emsisoft Anti-Malware and Malwarebytes Anti-Malware both\r\ncontain behavioral detection that can prevent many, if not most, ransomware infections from encrypting a computer.\r\nLast, but not least, make sure you practice the following security habits, which in many cases are the most important steps of\r\nall:\r\nBackup, Backup, Backup!\r\nDo not open attachments if you do not know who sent them.\r\nDo not open attachments until you confirm that the person actually sent you them.\r\nScan attachments with tools like VirusTotal.\r\nDo not connect Remote Desktop Services directly to the Internet. Instead, make sure they can only be accessed by\r\nlogging into a VPN first.\r\nMake sure all Windows updates are installed as soon as they come out! Also make sure you update all programs,\r\nespecially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly\r\nexploited by malware distributors. 
Therefore it is important to keep them updated.\r\nMake sure you have some sort of security software installed that uses behavioral detections or white list\r\ntechnology. White listing can be a pain to train, but if you're willing to stick with it, it could have the biggest payoffs.\r\nUse hard passwords and never reuse the same password at multiple sites.\r\nBACKUP!\r\nFor a complete guide on ransomware protection, you can visit our How to Protect and Harden a Computer against\r\nRansomware article.\r\nIOCs\r\nClop Ransomware Hashes:\r\n2ceeedd2f389c6118b4e0a02a535ebb142d81d35f38cab9a3099b915b5c274cb\r\na867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02\r\nFilenames associated with the Clop Cryptomix Variant:\r\nCIopReadMe.txt\r\nClop Ransom Note Text:\r\n------------------------Your networks has been penetrated---------------------------------------\r\nAll files on each host in the networks have been encrypted with a strong algorithm.\r\nBackups were either encrypted or deleted or backup disks were formatted.\r\nShadow copies also removed, so F-8 or any other methods may damage encrypted data but not recover.\r\nWe exclusively have decryption software for your situation.\r\n===No DECRYPTION software is AVAILABLE in the PUBLIC===\r\n- DO NOT RENAME OR MOVE the encrypted and readme files.\r\n========================DO NOT RESET OR SHUTDOWN – FILES MAY BE DAMAGED========================\r\n========================DO NOT RESET OR SHUTDOWN – FILES MAY BE DAMAGED========================\r\n========================DO NOT RESET OR SHUTDOWN – FILES MAY BE DAMAGED========================\r\n---THIS MAY LEAD TO THE IMPOSSIBILITY OF RECOVERY OF THE CERTAIN FILES---\r\n---ALL REPAIR TOOLS ARE USELESS AND CAN DESTROY YOUR FILES IRREVERSIBLY---\r\nIf you want to restore your files write to email.\r\n[CONTACTS ARE AT THE BOTTOM OF THE 
SHEET] and attach 4-6 encrypted files!\r\n[Less than 7 Mb each, non-archived and your files should not contain valuable information!!!\r\n[Databases,large excel sheets, backups etc...]]!!!\r\n***You will receive decrypted samples and our conditions how to get the decoder***\r\n*^*ATTENTION*^*\r\n=YOUR WARRANTY - DECRYPTED SAMPLES=\r\n-=-DO NOT TRY TO DECRYPT YOUR DATA USING THIRD PARTY SOFTWARE-=-\r\n-=-WE DONT NEED YOUR FILES AND YOUR INFORMATION-=-\r\nCONTACTS E-MAILS:\r\nunlock@eqaltech.su\r\nAND\r\nunlock@royalmail.su\r\nOR\r\nkensgilbomet@protonmail.com\r\n_-_ATTENTION_-_\r\nIn the letter, type your company name and site!\r\n***The final price depends on how fast you write to us***\r\n^_*Nothing personal just business^_* CLOP^_-\r\n----------------------------------------------------------------------------------------------\r\nEmails Associated with the Clop Ransomware:\r\nunlock@eqaltech.su\r\nunlock@royalmail.su\r\nkensgilbomet@protonmail.com\r\nEmbedded Public key:\r\n-----BEGIN PUBLIC KEY-----\r\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC01RzGfT2wX535F129PXlD5Z1n 2O8qkkrmrg/vADiRjD7qDmYyk4rqMJZ54n/4HiyheDOX/svnCBqxrNZKJ\r\n-----END PUBLIC KEY-----\r\nSource: https://www.bleepingcomputer.com/news/security/cryptomix-clop-ransomware-says-its-targeting-networks-not-computers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/cryptomix-clop-ransomware-says-its-targeting-networks-not-computers/"
	],
	"report_names": [
		"cryptomix-clop-ransomware-says-its-targeting-networks-not-computers"
	],
	"threat_actors": [],
	"ts_created_at": 1775434013,
	"ts_updated_at": 1775791282,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/13ba12ed35e1e1514e04dc29b47668db257f8743.pdf",
		"text": "https://archive.orkl.eu/13ba12ed35e1e1514e04dc29b47668db257f8743.txt",
		"img": "https://archive.orkl.eu/13ba12ed35e1e1514e04dc29b47668db257f8743.jpg"
	}
}