{
	"id": "403c52eb-7d70-4c80-8cfe-8dfc322e33e6",
	"created_at": "2026-04-06T00:19:24.135257Z",
	"updated_at": "2026-04-10T03:21:33.260898Z",
	"deleted_at": null,
	"sha1_hash": "1897930e904ec3a1a1d6ae9a767c155bcf6139ca",
	"title": "Detecting Clop Ransomware | Splunk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 12260379,
	"plain_text": "Detecting Clop Ransomware | Splunk\r\nBy Splunk Threat Research Team\r\nPublished: 2021-04-13 · Archived: 2026-04-05 22:21:52 UTC\r\nSplunk is committed to using inclusive and unbiased language. This blog post might contain terminology that we\r\nno longer use. For more information on our updated terminology and our stance on biased language, please visit\r\nour blog post. We appreciate your understanding as we work towards making our community more inclusive for\r\neveryone.\r\nThe strategy of the actors behind Clop is to deliver the malicious payload via different methods, such as phishing emails, and to spread\r\nthe ransomware payload post-exploitation by exploiting exposed or related vulnerable systems. Actors behind this\r\ncrimeware then present instructions on how to pay the ransom and communicate further threats of exposure by\r\npublishing the sensitive information they obtained on a publicly accessible website.\r\nAlthough this may appear to be a new modality, in reality ransomware is usually the cherry on top of the cake, as\r\nmalicious actors usually dwell, exfiltrate and qualify the exfiltrated data, which eventually lands on dark web public\r\nforums, dark markets or private crime intelligence brokers, where qualified financial, business and kompromat\r\ninformation is then priced and sold to the highest bidder.\r\n*Source: Vericlouds\r\nThe above is a simple example of how compromised information is brokered in dark markets. Some private crime\r\nintelligence brokers actually present specific company names and verticals. 
All this information comes from\r\nmalicious campaigns; victims realize they have been compromised only when they observe ransomware in their\r\nsystems.\r\nhttps://www.splunk.com/en_us/blog/security/detecting-clop-ransomware.html\r\nPage 1 of 14\n\nIn the case of Clop ransomware, the perpetrators threaten to publish stolen information on a publicly accessible\r\nsite via an onion router (Tor), as seen in the screen capture below.\r\nThe Attack\r\nThe actors behind Clop ransomware are financially motivated and clearly target several industry verticals.\r\nRansomware is by nature a post-exploitation tool, so before deploying it they must infiltrate the victim's\r\ninfrastructure. At the Splunk Threat Research team we decided to try this payload on our Splunk Attack Range\r\nLocal, and this is what we found.\r\nWe first started by creating a local environment with a Windows Domain Controller.\r\nWe then simply executed the sample:\r\nd0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.\r\nFiles were encrypted quickly and given the .Clop extension. We can also observe the appearance of the\r\nransomware note (ClopReadMe.txt).\r\nThe above screenshots show how quickly data is encrypted, and the victim is clearly warned not to attempt to\r\ndecrypt. 
They are also threatened with deletion of all files after a period of two weeks.\r\nReverse Engineering Breakdown\r\nSandbox Evasion\r\nThe Clop binary performs several checks, including checking for command-line arguments such as “runrun”, which it uses to enumerate and\r\nencrypt the network.\r\nDefense Evasion\r\nThis ransomware has a defense evasion feature where it tries to delete all the logs on the infected machine to avoid\r\ndetection.\r\nEncryption\r\nThis ransomware uses the AES and RC4 algorithms to encrypt files.\r\nInfection\r\nThe binary makes sure only one instance of its code runs on the machine by creating a mutex. If the mutex already\r\nexists, the process exits.\r\nKill Switch\r\nSome variants of this malware contain a kill switch. The binary checks the keyboard layout of the infected\r\nmachine and its locale identifier (language). In our sample analysis we found that it tries to skip infection or delete\r\nitself if the locale identifier or the keyboard layout is Georgian, Uzbek, Azeri, Kazakhstani or Kyrgyzstani.\r\nKill Switch Function\r\nEncrypting Network Objects\r\nThe following thread is responsible for encrypting files on network shares using the following APIs from\r\nmpr.dll, as seen below:\r\nWNetOpenEnumW\r\nWNetEnumResourceW\r\nWNetCloseEnum\r\nEncrypting Drives By Type\r\nThe payload can encrypt files on three drive types (FIXED_DRIVE, REMOVABLE_DRIVE and\r\nREMOTE_DRIVE). 
This function allows encryption to run on practically any attached or mapped\r\ndrive: local drives, attached drives such as a USB hard drive, and remote drives, which are usually mapped for\r\nbackups and centralized data.\r\nDeleting and Resizing Shadow Storage\r\nMany ransomware variants target the Volume Shadow Copy Service, a feature of Windows that allows\r\nthe operator to restore data from backup. The expected behavior is the deletion of the shadow copy storage. In this\r\nvariant we found that it first deletes the shadow copies and then resizes the shadow storage in order to prevent the generation of new shadow\r\nvolume copies, which effectively impairs this service’s capabilities.\r\nEncrypted .rsrc Section (Ransomware Notes and Resizing Shadow Storage)\r\nThe .rsrc section is the common place where the encrypted ransomware notes and some scripts are located. This\r\nfigure shows how it enumerates or looks for the right resource data to decrypt the ransomware note and save it as\r\nClopReadMe.txt.\r\nDetections\r\nThe Splunk Threat Research Team has developed a new Analytic Story to detect the Clop ransomware threat; it\r\nconsists of new and existing detections, and you can use the following detection searches.\r\nSuspicious wevtutil usage\r\nWindows Event Log Cleared\r\nCommon Ransomware Notes\r\nDeleting Shadow Copies\r\nCommon Ransomware Extensions (New version)\r\nHigh Frequency of File Deletion (New)\r\nClop Common Exec Parameter (New)\r\nClop Deleting itself (New)\r\nResizing Shadow Copies (New)\r\nClop Known Service Name (New)\r\nSuspicious Service File Path Creation (New)\r\nClop High Frequency Process Termination (New)\r\nHigh Frequency creation of ransomware notes (New)\r\nDetection Searches Breakdown\r\nCommon Ransomware Extensions\r\nVariant 
A\r\nVariant B\r\nHigh Frequency of File Deletion\r\nResizing Shadow Copies\r\nRaw Search\r\nClop Common Exec Parameter\r\nClop Deleting itself\r\nClop Known Service Name\r\nSuspicious Service File Path Creation\r\nClop High Frequency Process Termination\r\nHigh Frequency creation of ransomware notes\r\nVariant B\r\nVariant A\r\nHashes: SHA256\r\n15f9ed36d9efc6e570b4f506791ce2c6a849853e2f6d587f30fb12d39dba2649\r\n3d94c4a92382c5c45062d8ea0517be4011be8ba42e9c9a614a99327d0ebdf05b\r\nd0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9\r\n43e633a9a26287e9be7a4788d750258d64612e7b625ab5a3f0a9128469e99c2d\r\nDefense\r\nWe can pursue further defensive actions by using the Splunk Phantom playbook Detect, Contain, and Remediate\r\nRansomware, as shown in the following graphic.\r\nThis playbook is composed of the following steps:\r\nGet file: Downloads the file sample from a repository.\r\nDetonate file: Submits the file sample for sandbox analysis.\r\nBlock IP: Configures your infrastructure to block access to IP addresses associated with the ransomware.\r\nBlock hash: Configures your infrastructure to block access to files matching the hash of a malicious\r\nsample.\r\nHunt file: Looks for indications of other infected devices in your environment.\r\nTerminate process: Terminates any instances of the malware actively executing.\r\nQuarantine device: Places the infected devices in quarantine to prevent them from infecting other devices.\r\nList connections: Examines a device’s active connections and adds newly 
discovered malicious IPs to the Block\r\nIP action.\r\nDisable user: Disables the user’s account to prevent further malware propagation.\r\nPlease download the Splunk ES Content Update app from Splunkbase™ and install the latest version of our\r\ncontent update, which includes the new ransomware analytic story focusing on Clop crimeware.\r\nAbout the Splunk Threat Research Team\r\nThe Splunk Threat Research team is devoted to understanding actor behavior and researching known threats to\r\nbuild detections that the entire Splunk community can benefit from. The Splunk Threat Research team does this\r\nby building and open-sourcing tools that analyze threats and actors, like the Splunk Attack Range, and using these\r\ntools to create attack data sets. From these data sets, new detections are built and shared with the Splunk\r\ncommunity under Splunk Security Content. These detections are then consumed by various Splunk products like\r\nEnterprise Security, Splunk Security Essentials and Mission Control to help customers quickly and effectively find\r\nknown threats.\r\nSource: https://www.splunk.com/en_us/blog/security/detecting-clop-ransomware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.splunk.com/en_us/blog/security/detecting-clop-ransomware.html"
	],
	"report_names": [
		"detecting-clop-ransomware.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434764,
	"ts_updated_at": 1775791293,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1897930e904ec3a1a1d6ae9a767c155bcf6139ca.pdf",
		"text": "https://archive.orkl.eu/1897930e904ec3a1a1d6ae9a767c155bcf6139ca.txt",
		"img": "https://archive.orkl.eu/1897930e904ec3a1a1d6ae9a767c155bcf6139ca.jpg"
	}
}