{
	"id": "4cc70196-0882-40ba-a4f3-cd0c5dbb1b40",
	"created_at": "2026-04-06T00:06:52.284893Z",
	"updated_at": "2026-04-10T03:21:49.282066Z",
	"deleted_at": null,
	"sha1_hash": "1fa336d4582fcc0dd23f1d6f100561147fd1ac6e",
	"title": "[Threat Analysis] CLOP Ransomware that Attacked Korean Distribution Giant - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2042799,
	"plain_text": "[Threat Analysis] CLOP Ransomware that Attacked Korean Distribution Giant - ASEC\r\nBy ATCP\r\nPublished: 2021-01-04 · Archived: 2026-04-05 14:24:16 UTC\r\nIn November last year, there was a case that shocked not only the security industry but all Korean industries: the systems of E-Land Group, the distribution giant, were infected by the CLOP Ransomware. According to a press report that quoted an associate of the company, over half of its brick-and-mortar stores were affected by the ransomware, disrupting business. This incident showed that ransomware attacks can occur regardless of company size, and that Korean industries must now face threats that have become tangible.\r\nAhnLab, the leader of the Korean security industry, published an in-depth analysis report covering CLOP Ransomware’s distribution path, whether infected PCs can be restored, the course of the attack, and its trend of change. This paper briefly examines the content of that report.\r\nBefore discussing the attack against E-Land, CLOP Ransomware itself must be analyzed, since knowledge of its attack process and trend of change helps in understanding the case.\r\nTarget of CLOP Ransomware Attack and Process\r\nAttack Target\r\nhttps://asec.ahnlab.com/en/19542/\r\nPage 1 of 8\r\nCLOP Ransomware targeted companies that operate Active Directory (AD). AD is used by companies far more than by individual users, as it allows them to manage multiple Windows systems efficiently through centralized management. The attacker abused this advantage to steal AD server administrator privileges and attack various systems within companies.\r\nAhnLab estimates that in 2019, 369 companies and 13,497 systems (PCs and servers) suffered damage from CLOP Ransomware. 
As only confirmed attacks against companies were counted, the number of damaged systems may be much higher once unconfirmed systems are taken into account.\r\nVarious industries were targeted, including but not limited to public institutions, education, broadcasting, finance/security/insurance, manufacturing, IT, distribution, and communications. In the first half of 2019, by percentage, most of the ransomware attacks were made against the manufacturing industry (53%), followed by finance (15%), information services (11%), and the retail industry (9%).\r\nThe attacker used meticulously crafted spear-phishing attacks to target companies. They pinpointed email recipients and carefully wrote the email content in the languages their targets use. One notable point is that the attacker targeted non-Russian countries: the ransomware was designed to first check the keyboard layout and character set, and it does not run if the target is in Russia or a CIS nation.\r\nRansomware Variants\r\nNext is the change in the number of CLOP Ransomware variants found in the first half of 2019. In February 2019, a large number of CLOP Ransomware variants were found. Note that ‘ClopReadMe.txt,’ CLOP Ransomware’s ransom note, was first revealed on Pastebin.com on February 8, 2019.\r\nFigure 1. Change in numbers of CLOP Ransomware variants in 2019\r\nAttack Process\r\nThe attack is carried out through preparation, domination, and execution phases; more specifically, there are 10 phases in total. The actual distribution and execution of CLOP Ransomware is the very last phase. 
The 3 big phases, divided into 10 specific phases, are as follows:\r\nPreparation: sends a malicious document attachment via email to the first attack target and installs remote control malware\r\n1. User opens the malicious document file (Excel, Word) attached to an email\r\n2. Runs the remote control malware downloader via a macro inserted into the document file\r\n3. If the system is joined to and operated in AD (Active Directory), downloads the remote control malware file and runs it (targeting the AD environment)\r\n4. Remote control malware file installs Cobalt Strike Beacon on the system\r\nDomination: dominates systems within AD using Cobalt Strike\r\n5. Checks AD domain configuration info\r\n6. Escalates run privilege using a vulnerability\r\n7. Runs the Mimikatz module with escalated privilege and obtains a local administrator account or the credentials of an AD domain administrator account\r\n8. If an AD domain administrator account is successfully obtained, connects to the domain controller server and dominates systems connected to the domain\r\nExecution: attempts CLOP Ransomware infection on systems within AD\r\n9. Prepares malware such as CLOP Ransomware in the domain controller’s shared folder\r\n10. Distributes and runs CLOP Ransomware by using the task scheduler or remote commands on systems connected to the AD domain\r\nTable 1. CLOP Ransomware’s attack process\r\nCLOP Ransomware’s Change Trend\r\nCompared to the past, CLOP Ransomware has not changed fundamentally in terms of encryption method and operation as a service. The difference is that in the process termination routine and the encryption exception path it now compares CRC values instead of strings.\r\nRecent Changes in CLOP Ransomware\r\nAdditional changes were confirmed in CLOP Ransomware samples collected in the second half of 2020. 
The past version worked by appending a symmetric key encrypted with the public key, along with a signature, to the end of the encrypted file, whereas the recently confirmed CLOP Ransomware adds a ‘.Cllp’ extension to the same name and saves the signature and the encrypted key to a newly created file.\r\nFigure 2. Previous CLOP Ransomware – Symmetric key added to the end of the encrypted file\r\nFigure 3. Recently found CLOP Ransomware – Saves the symmetric key to a .Cllp file\r\nMoreover, the routine that terminates other processes and the routine that deletes volume shadow copies were removed. However, a file with an identical certificate that takes charge of the process termination routine was discovered alongside it, so it can be assumed that CLOP Ransomware’s method changed: the additional file, rather than the CLOP Ransomware binary itself, now provides that feature.\r\nFigure 4. Discovery of file with process termination feature\r\nThe packing method is another change. CLOP Ransomware now has the appearance of a packer, just like other malware such as FlawedAmmyy. This means that it keeps an encoded binary to bypass file detection and, upon execution, decodes and runs the original binary in memory.\r\nChange of Ransom Note\r\nIn 2019, there were no big changes to the content of CLOP Ransomware’s ransom note file. It mostly consists of a notice that the files are encrypted, a note of caution, and the attacker’s email address. However, CLOP Ransomware discovered since October 2020 not only includes a contact for recovering encrypted files, but also a threat against the victim that the company’s sensitive data will be published on the deep web. Leaked company information was published on the deep website mentioned in the ransom note below.\r\nFigure 5. 
Ransom note containing an information leakage threat\r\nAnalysis of Attack on Distribution Giant E-Land\r\nThis paper now takes a brief look at the attack against E-Land, based on the analysis of the CLOP Ransomware attack.\r\nLike the previous CLOP Ransomware, a system infected by the CLOP Ransomware used in the attack against company A cannot be restored. This ransomware uses a symmetric-key algorithm to encrypt each file, and encrypts the symmetric key with a public key embedded in the binary. This means that unless the private key corresponding to that public key is known, the encrypted files cannot be restored.\r\nHowever, the previous CLOP Ransomware and the new CLOP Ransomware save the encrypted key differently. As explained in the ‘CLOP Ransomware’s Change Trend’ section, the early version attached the encrypted key, along with a specific signature, to the end of the encrypted file. The recently discovered CLOP Ransomware instead creates an additional file with the same filename as the encrypted file (the normal filename is kept) plus a ‘.Cllp’ extension, and saves the relevant key to that ‘.Cllp’ file. The CLOP Ransomware used for the attack on E-Land is the latter.\r\nFiles cannot be restored because the attacker’s private key is unknown, but unlike the previous version, this ransomware does not carry the command to delete volume shadow copies (a basic Windows feature that keeps a saved copy of a file, folder, or volume at a specific point in time). Hence, if a recovery point from before the ransomware infection exists, it is possible to revert the system to its uninfected state.\r\nFigure 6. The infected file (upper) and the restored file (below)\r\nFurthermore, the CLOP Ransomware file used in the attack against E-Land contains the following digital signature certificate information.\r\nFigure 7. 
Certificate used by CLOP Ransomware during the attack against E-Land\r\nAhnLab confirmed various files carrying a certificate identical to that of the CLOP Ransomware used to attack E-Land. According to the analysis, other files with this certificate have been distributed since October, and they were created not only as ransomware but also as files to disable Windows Defender anti-malware products. This means that the same group is developing CLOP Ransomware as well as various other ransomware using the same certificate.\r\nIn conclusion, the attacker used a meticulous and carefully planned strategy to attack E-Land. The attacker distributed CLOP Ransomware to abuse the fact that multiple systems can be controlled at once through AD. In this process, the attacker installs remote control malware and obtains system administrator privileges. The target company suffers tremendous damage as its systems are infected with CLOP Ransomware, its internal information is leaked, and its administrator accounts are stolen. The attacker blackmails the company by threatening not only to encrypt its files, but also to publish the fact that the company was infected with ransomware, along with the stolen information, if the ransom is not paid. The CLOP Ransomware attacker follows the recent trend of threatening companies with two hostages: file encryption and internal information leakage.\r\nThe CLOP Ransomware attacks that began in 2019 are still ongoing in 2020. The attacker is evolving by changing its malware distribution and attack methods. There are also reported cases of the attacker taking control of a company’s AD server and letting it stay dormant, not running the ransomware immediately. Because of this time gap, it is even harder to trace the attack back once the ransomware runs.\r\nBoth individuals and companies must work together to defend against CLOP Ransomware attacks. 
Above all, it is crucial for individuals to improve their security awareness. Adequate user education must be provided to prevent falling victim to spear-phishing, and users should also frequently check whether their software is updated to the latest version and functioning properly. Additionally, users must back up important documents and files in case of accidents. Companies must pay extra attention to AD security and tightly manage account information. If a security product has been installed, the system must be monitored periodically so that signs of system abnormality can be found in a timely manner.\r\nMD5\r\n0c155dbf2691b5dd6df2195b57bf39d5\r\n25e11a9ebde8d2cc26084e3c739273a7\r\n329c1d463532c33cc5627755dedecd49\r\n34f8228a3f12fa9542f1a4181f96edec\r\n47fe8452d486cd3822cb48f170744756\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//89[.]144[.]25[.]172/Ny2c\r\nhttp[:]//89[.]144[.]25[.]172/a\r\nAdditional IOCs are available on AhnLab TIP.\r\nIP\r\n105[.]201[.]1[.]186\r\n105[.]201[.]1[.]249\r\n185[.]17[.]121[.]188\r\n194[.]165[.]16[.]228\r\n194[.]68[.]27[.]18\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/19542/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/19542/"
	],
	"report_names": [
		"19542"
	],
	"threat_actors": [],
	"ts_created_at": 1775434012,
	"ts_updated_at": 1775791309,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1fa336d4582fcc0dd23f1d6f100561147fd1ac6e.pdf",
		"text": "https://archive.orkl.eu/1fa336d4582fcc0dd23f1d6f100561147fd1ac6e.txt",
		"img": "https://archive.orkl.eu/1fa336d4582fcc0dd23f1d6f100561147fd1ac6e.jpg"
	}
}