Detecting Clop Ransomware | Splunk
By Splunk Threat Research Team
Published: 2021-04-13 · Archived: 2026-04-05 22:21:52 UTC
Splunk is committed to using inclusive and unbiased language. This blog post might contain terminology that we
no longer use. For more information on our updated terminology and our stance on biased language, please visit
our blog post. We appreciate your understanding as we work towards making our community more inclusive for
everyone.
Their strategy is to send the malicious payloads via different methods, such as phishing emails, and spreading
ransomware payload post-exploitation by exploiting exposed or related vulnerable systems. Actors behind this
crimeware then present instructions on how to pay ransom and communicate further threats of exposure by
publishing the sensitive information they obtained on a publicly accessible website.
Although this may appear as a new modality, in reality ransomware is usually the cherry on top of the cake, as
malicious actors usually dwell, exfiltrate and qualify exfiltrated data, which eventually lands on dark web public
forums, dark markets or private crime intelligence brokers where qualified financial, business and kompromat
information is then priced and sold to the highest bidder.
*Source: Vericlouds
The above is a simple example of how compromised information is brokered in dark markets. Some private crime
intelligence brokers actually present specific company names and verticals. All this information comes from
malicious campaigns; victims realize they have been compromised when they observe ransomware in their
systems.
https://www.splunk.com/en_us/blog/security/detecting-clop-ransomware.html
Page 1 of 14

In the case of Clop ransomware, the perpetrators threaten to publish stolen information in a publicly accessible
site via an onion router (Tor), as seen in the screen capture below.
The Attack
The actors behind Clop ransomware are financially motivated and clearly target several industry verticals.
Ransomware is by nature a post-exploitation tool, so before deploying it they must infiltrate the victim's
infrastructure. At the Splunk Threat Research team we decided to try this payload on our Splunk Attack Range
Local, and this is what we found.
We first started by creating a local environment with a Windows Domain Controller.
https://www.splunk.com/en_us/blog/security/detecting-clop-ransomware.html
Page 2 of 14

We then simply executed the sample:
d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.
Files were encrypted pretty quickly and added the .Clop extension. We can also observe the appearance of the
ransomware note (ClopReadMe.txt).
https://www.splunk.com/en_us/blog/security/detecting-clop-ransomware.html
Page 3 of 14

The above screenshots show how quickly data is encrypted, and the victim is clearly warned not to attempt to
decrypt. They are also threatened with all file deletion after a period of two weeks.
Reverse Engineering Breakdown
Sandbox Evasion
The Clop binary performs several checks, including running command arguments like “runrun” to enumerate and
encrypt the network.
Defense Evasion
This ransomware has a defense evasion feature where it tries to delete all the logs in the infected machine to avoid
detection.
https://www.splunk.com/en_us/blog/security/detecting-clop-ransomware.html
Page 4 of 14

Encryption
This ransomware uses the AES and rc4 algorithm to encrypt the file.
Infection
The binary makes sure only one instance of its code runs on the machine it creates a mutex. If the mutex already
exists it will exit the process.
Kill Switch
Some variants of this malware contain a kill switch. The binary checks the keyboard layout of the infected
machine and its locale identifier (language). In our sample analysis we found that it tries to skip infection or delete
itself if the locale identifier or the keyboard layout is Georgian, Uzbek, Azeri, Kazakhstani or Kyrgyzstani.
https://www.splunk.com/en_us/blog/security/detecting-clop-ransomware.html
Page 5 of 14

Kill Switch Function
Encrypting Network Objects
The following thread is responsible for encrypting files within the network shares by using the following API of
mpr.dll as seen below:
https://www.splunk.com/en_us/blog/security/detecting-clop-ransomware.html
Page 6 of 14

WNetOpenEnumW
WNetEnumResourceW
WNetCloseEnum
Encrypting Drives By Type
The payload can encrypt files on three drive types (FIXED_DRIVE, REMOVABLE_DRIVE and
REMOTE_DRIVE). This function allows the execution of encryption on pretty much any attached or mapped
drives, including both local and attached, like a USB hard drive, for example, or remote drives usually mapped for
backups and centralized data.
https://www.splunk.com/en_us/blog/security/detecting-clop-ransomware.html
Page 7 of 14

Deleting and Resizing Shadow Storage
Many ransomware variants target the Volume Shadow Copy Service, which is a feature of Windows that allows
the operator to restore data from backup. The expected behavior is the deletion of the shadow copy storage. In this
variant we found that it first deletes the files and then it resizes them in order to prevent the generation of shadow
volume copies, which effectively impairs this service’s capabilities.
Encrypted. rsrc Section (Ransomware Notes and Resizing Shadow Storage)
The .rsrc section is the common place where the encrypted ransomware notes and some scripts are located. This
figure shows how it enumerates or looks for the right resource data to decrypt the ransomware note and save it as
ClopReadMe.txt.
https://www.splunk.com/en_us/blog/security/detecting-clop-ransomware.html
Page 8 of 14

Detections
The Splunk Threat Research Team has developed a new Analytic Story to detect a Clop ransomware threat; it
consists of new and former detections, and you can use the following detection searches.
Suspicious wevtutil usage
Windows Event Log Cleared
Common Ransomware Notes
Deleting Shadow Copies
Common Ransomware Extensions (New version)
High Frequency of File Deletion (New)
Clop Common Exec Parameter (New)
Clop Deleting itself (New)
Resizing Shadow Copies (New)
Clop Known Service Name (New)
Suspicious Service File Path Creation (New)
Clop High Frequency Process Termination (New)
High Frequency creation of ransomware notes (New)
Detection Searches Breakdown
Common Ransomware Extensions
Variant A
https://www.splunk.com/en_us/blog/security/detecting-clop-ransomware.html
Page 9 of 14

Variant B
High Frequency of File Deletion
Resizing Shadow Copies
https://www.splunk.com/en_us/blog/security/detecting-clop-ransomware.html
Page 10 of 14

Raw Search
Clop Common Exec Parameter
Clop Deleting itself
https://www.splunk.com/en_us/blog/security/detecting-clop-ransomware.html
Page 11 of 14

Clop Known Service Name
Suspicious Service File Path Creation
Clop High Frequency Process Termination
High Frequency creation of ransomware notes
Variant B
https://www.splunk.com/en_us/blog/security/detecting-clop-ransomware.html
Page 12 of 14

Variant A
Hashes: SHA256
15f9ed36d9efc6e570b4f506791ce2c6a849853e2f6d587f30fb12d39dba2649
3d94c4a92382c5c45062d8ea0517be4011be8ba42e9c9a614a99327d0ebdf05b
d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9
43e633a9a26287e9be7a4788d750258d64612e7b625ab5a3f0a9128469e99c2d
Defense
We can pursue further defensive actions by using the Splunk Phantom playbook Detect, Contain, and Remediate
Ransomware, as shown in the following graphic.
https://www.splunk.com/en_us/blog/security/detecting-clop-ransomware.html
Page 13 of 14

This playbook is composed of the following steps:
Get file: Downloads the file sample from a repository.
Detonate file: Submits the file sample for sandbox analysis.
Block IP: Configures your infrastructure to block access to IP addresses associated with the ransomware.
Block hash: Configures your infrastructure to block access to files matching the hash of a malicious
sample.
Hunt file: Looks for indications of other infected devices in your environment.
Terminate process: Terminates any instances of the malware actively executing.
Quarantine device: Place the infected devices in quarantine to prevent it from infecting other devices.
List connections: Examine a device’s active connections/add newly discovered malicious IPs to the block
ip action.
Disable user: Disable the user’s account to prevent further malware propagation.
Please download the Splunk ES Content Update app from Splunkbase™ and install the latest version of our
content update, which includes the new ransomware analytic story focusing on Clop crimeware.
About the Splunk Threat Research Team
The Splunk Threat Research team is devoted to understanding actor behavior and researching known threats to
build detections that the entire Splunk community can benefit from. The Splunk Threat Research team does this
by building and open-sourcing tools that analyze threats and actors like the Splunk Attack Range and using these
tools to create attack data sets. From these data sets, new detections are built and shared with the Splunk
community under Splunk Security Content. These detections are then consumed by various Splunk products like
Enterprise Security, Splunk Security Essentials and Mission Control to help customers quickly and effectively find
known threats.
Source: https://www.splunk.com/en_us/blog/security/detecting-clop-ransomware.html
https://www.splunk.com/en_us/blog/security/detecting-clop-ransomware.html
Page 14 of 14