{
	"id": "383a5325-9dc3-4bb5-88ef-8c3b2a356bd8",
	"created_at": "2026-04-06T01:29:35.646495Z",
	"updated_at": "2026-04-10T03:36:37.179352Z",
	"deleted_at": null,
	"sha1_hash": "2e9f7dc10f8b0ceb48f5ae3fa136f59af20e7536",
	"title": "Ransomware Spotlight: Clop",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 440025,
	"plain_text": "Ransomware Spotlight: Clop\r\nArchived: 2026-04-06 00:11:48 UTC\r\nAn overview of Clop operations\r\nThe Clop ransomware appends the “.ClOP” (“Clop” spelled with a small “L”) extension to the files it encrypts. Researchers also discovered that Clop targets a victim’s entire network instead of just individual computers. This is made possible by hacking into the Active Directory (AD) server before the ransomware infection to determine the system’s Group Policy. This allows the ransomware to persist in the endpoints even after incident responders have already cleaned them up.\r\nPrevious attacks by the TA505 group saw the delivery of the Clop malware as the final stage of its payload in massive phishing campaigns. The malicious actors would send spam emails with HTML attachments that would redirect recipients to a macro-enabled document such as an XLS file used to drop a loader named Get2. This loader facilitates the download of various tools such as SDBOT, FlawedAmmyy, and Cobalt Strike. Once the malicious actors intrude into the system, they proceed to reconnaissance, lateral movement, and exfiltration to set the stage for deployment of the Clop ransomware.\r\nThe operators behind Clop coerce their victims by sending out emails in a bid for negotiations. They also resort to more severe threats such as publicizing and auctioning off the stolen information on their data leak site “Cl0p^_-Leaks” if their messages are ignored. They have also gone to the extent of using quadruple extortion techniques, which have involved going after top executives and customers to pressure companies into settling the ransom.\r\nHaving established itself well in the world of cybercrime, the Clop ransomware gang is deemed a trendsetter for its ever-changing tactics, techniques, and procedures (TTPs). Indeed, the group’s Kiteworks FTA exploits set a new trend, as these significantly pulled up the average ransom payments for the first quarter of 2021. A report that cited Coveware’s findings revealed that the average ransomware payment went up significantly to US$220,298, an increase of 43%. It also said that the median ransom payment increased sharply to US$78,398 from US$49,459, which translates to a 60% hike.\r\nRecent Clop activities\r\nThe Clop ransomware gang also claimed to have targeted 130 organizations that were victims of the Fortra GoAnywhere MFT vulnerability over a month-long period in March 2023. Although Clop ransomware actors did not share specific details on how they exploited the vulnerability, security researcher Florian Hauser published proof-of-concept code for it, while Fortra released an emergency patch shortly after.\r\nMeanwhile, in April 2023, Microsoft attributed the exploitation of CVE-2023-27350 to the Clop and LockBit ransomware gangs. CVE-2023-27350 is a vulnerability in the widely used print management software solution PaperCut that was disclosed via Trend Micro's Zero Day Initiative™ (ZDI), as covered in ZDI-23-233. According to Microsoft, the threat actor abused the vulnerability to deploy the Truebot malware and, ultimately, the Clop and LockBit ransomware families to steal critical company information.\r\nIn May of this year, it was reported that FIN7 (aka Sangria Tempest) used the POWERTRASH malware to launch the Lizar toolkit in a series of  that started in April 2023. The cybercrime group used the backdoor to take hold of and laterally move within the victim’s network and, finally, distribute the Clop ransomware on compromised machines.\r\nSince May 2023, the group has continuously exploited critical zero-day vulnerabilities in the file transfer software MOVEit Transfer and MOVEit Cloud, via CVE-2023-34362 and CVE-2023-35036, to compromise a number of private and public organizations from various industries. While the company was able to immediately deploy workarounds, Clop exploited these openings to get into vulnerable systems and networks to exfiltrate sensitive data. Researchers and analysts have noted that no ransomware payloads were observed in these attacks, and that the group was focused more on extortion, threatening these high-value targets with publishing sensitive and proprietary information. An additional SQL injection security gap still awaiting a CVE assignment and a patch also surfaced in June, which the group exploited.\r\nThe number of attacks documented to hold systems and information hostage as a routine is going down, which is common among other ransomware groups in recent months. However, the same techniques and skills are being used to compromise vulnerable systems and networks to steal data or extort companies in exchange for keeping these companies’ information confidential.\r\nTop affected countries and industries\r\nhttps://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-clop\r\nPage 1 of 10\r\nIn this section, we discuss Trend Micro™ Smart Protection Network™ (SPN) data on detections of Clop attempts to compromise organizations. Our detections reveal that Türkiye had the largest number of attack attempts at 94, followed by Canada with 80 attempts. The rest of the detections are spread across North America, South America, Asia Pacific, Europe, and the Middle East.\r\nFigure 1. 10 countries with the highest number of attack attempts per machine for the Clop ransomware (January 1, 2023 to May 31, 2023)\r\nWhile other known RaaS operators claim to avoid the healthcare sector as a target out of humanitarian consideration, our detections reveal that this is not the case for Clop, as healthcare is still within the gang’s top five targets. The highest number of detections is at 75 in the banking industry, followed by a distant second of 42 detections in the retail sector.\r\nFigure 2. 10 industries with the highest number of attack attempts per machine for the Clop ransomware (January 1, 2023 to May 31, 2023)\r\nSource: Trend Micro Smart Protection Network infrastructure\r\nBy breaking down the detections per month, we are able to determine that 2023 saw a sudden increase in Clop attacks in May of the same year at 245 attack attempts, significantly higher than the detections in prior months. Our detections suggest that Clop deployments were implemented at a steady pace from January to April 2023 before surging in May.\r\nFigure 3. Monthly breakdown of detections per machine for the Clop ransomware (January 1, 2023 to May 31, 2023)\r\nSource: Trend Micro Smart Protection Network infrastructure\r\nTargeted regions and industries according to Clop ransomware’s leak site\r\nThis section looks at data based on attacks recorded on the Clop ransomware operators’ leak site. The following data represents organizations successfully infiltrated by Clop ransomware, which have refused to pay the ransom demand as of writing.\r\nBased on a combination of Trend Micro’s open-source intelligence (OSINT) research and investigation of the leak site, Clop ransomware compromised a total of 111 organizations from January to May 2023. Of these, 64 were organizations operating from North America, while 17 were from Europe. Enterprises in Asia, Latin America, the Middle East, and Africa were also compromised.\r\nFigure 4. The distribution by region of Clop ransomware’s victim organizations\r\nSource: Clop ransomware’s leak site and Trend Micro’s OSINT research (January 2023 – May 2023)\r\nThe United States had the most victim organizations with 54 compromised organizations, while 10 enterprises located in the United Kingdom and Canada were also affected. The next four countries most targeted by the threat actors behind Clop are Australia, Colombia, India, and Mexico.\r\nFigure 5. The 10 countries most targeted by the Clop ransomware group\r\nSource: Clop ransomware’s leak site and Trend Micro’s OSINT research (January 2023 – May 2023)\r\nThe majority of Clop ransomware victim organizations were large enterprises, followed closely by small- and medium-sized businesses.\r\nFigure 6. The distribution by organization size of Clop ransomware’s victim organizations\r\nSource: Clop ransomware’s leak site and Trend Micro’s OSINT research (January 2023 – May 2023)\r\nAmong the identified sectors of Clop ransomware victim organizations, the IT, healthcare, finance, professional services, and retail industries were its top targets.\r\nFigure 7. The 10 industries most targeted by Clop ransomware threat actors\r\nSource: Clop ransomware’s leak site and Trend Micro’s OSINT research (January 2023 – May 2023)\r\nInfection chain and techniques\r\nThe Clop ransomware that TA505 first distributed evaded detection by using a binary that was digitally signed and verified to make it seem like a legitimate executable file. The group launched a large volume of spear-phishing emails that were sent to the employees of an organization to trigger the infection process. Figure 8 shows the infection chain.\r\nFigure 8. The first infection chain of TA505\r\nIn January 2020, TA505 changed the flow of infection by using SDBOT alone to collect and exfiltrate data to the command-and-control (C\u0026C) server. Figure 9 shows the modified infection chain.\r\nFigure 9. The modified infection chain of TA505\r\nFigure 10. The infection chain of FIN11\r\nFigure 10 shows the infection chain of FIN11’s exploitation of multiple zero-day vulnerabilities in Kiteworks’ FTA so that it could install a newly discovered web shell, DEWMODE. FIN11 then used this same web shell to exfiltrate data from the FTA and deliver the Clop ransomware as a payload.\r\nInitial Access\r\nThe threat actors behind the Clop ransomware use an established network of affiliates to gain initial access and send a large volume of spear-phishing emails to employees of an organization to induce infection. The malicious actors use compromised RDP to penetrate the system, either by attempting to brute-force passwords or by exploiting known vulnerabilities. The following are the Kiteworks FTA zero-day exploits that they used in early 2021:\r\nCVE-2021-27101 – SQL injection via a crafted host header\r\nCVE-2021-27102 – Operating system command execution via a local web service call\r\nCVE-2021-27103 – SSRF via a crafted POST request\r\nCVE-2021-27104 – Operating system command execution via a crafted POST request\r\nThe ransomware group was also reported to have exploited the SolarWinds Serv-U product vulnerability tagged as CVE-2021-35211.\r\nDiscovery\r\nClop’s ransomware toolkit contained several malware types to harvest information:\r\nThe FlawedAmmyy remote access trojan (RAT) collects information and attempts to communicate with the C\u0026C server to enable the download of additional malware components. After getting through the AD server, it downloads an additional hacking tool, Cobalt Strike.\r\nSDBOT, another RAT, propagates the infection in many ways, including exploiting vulnerabilities and dropping copies of itself in removable drives and network shares. It is also capable of propagating when shared through peer-to-peer (P2P) networks. Malicious actors use SDBOT as a backdoor to enable other commands and functions to be executed on the compromised computer.\r\nLateral Movement, Discovery, and Defense Evasion\r\nAt this stage, the malware scans for the workgroup information of the machine to distinguish personal machines from enterprise ones. If the workgroup is the default value, the malware stops its malicious behavior and deletes itself. If the AD server domain is returned, the machine is classified as a corporate machine. The malware attempts to hack the AD server using Server Message Block (SMB) vulnerabilities and the additionally downloaded hacking tool Cobalt Strike. Cobalt Strike is a known post-exploitation tool that has previously been connected to other ransomware families. Meanwhile, TinyMet is used to connect the reverse shell to the C\u0026C server. The AD server admin account is used to propagate the Clop ransomware to internal network machines. As for SDBOT, it uses application shimming to preserve the continuity of the attack and to avoid detection.\r\nExfiltration\r\nOne attack was observed using DEWMODE to exfiltrate stolen data.\r\nImpact\r\nThe ransomware payload terminates various Windows services and processes, then proceeds to its encryption routine.\r\nAdditional insights\r\nIn the course of monitoring the Clop ransomware group’s activity over the years, we observed that it follows a distinct attack chain or flow: as the attacks on both Accellion FTA and GoAnywhere, as well as the more recent incidents involving the MOVEit zero-day vulnerability, show, the ransomware group focuses on finding zero-day vulnerabilities in third-party file transfer applications.\r\nBased on its recent activity, the Clop ransomware group prefers abusing these vulnerabilities to gain initial access, exfiltrate data, and ultimately, deliver its ransomware payload.\r\nIn some cases, Clop delivers its payload using tools and malware in its arsenal. Recently, however, the ransomware group appears to be focusing on data breach and extortion.\r\nMITRE tactics and techniques\r\nInitial Access\r\nT1566.001 - Phishing: Spear-phishing attachment: Arrives via phishing emails that carry the Get2 loader, which downloads the SDBOT and FlawedAmmyy RATs\r\nT1190 - Exploit public-facing application: Arrives via any of the following exploits: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104, CVE-2021-35211, CVE-2023-34362, CVE-2023-27350, CVE-2023-0669, CVE-2023-27351\r\nT1078 - Valid accounts: Has been reported to make use of compromised accounts to access victims via RDP\r\nExecution\r\nT1106 - Native API: Uses native API to execute various commands/routines\r\nT1059 - Command and scripting interpreter: Uses various scripting interpreters like PowerShell, Windows command shell, and Visual Basic (macro in documents)\r\nT1204 - User execution: User execution is needed to carry out the payload from the spear-phishing link/attachments\r\nPersistence\r\nT1547 - Boot or logon autostart execution: Creates registry run entries to execute the ransomware as a service\r\nT1543.003 - Create or modify system process: Windows service: Creates a service to execute the ransomware\r\nPrivilege Escalation\r\nT1484.001 - Domain policy modification: Group Policy modification: Uses stolen credentials to access the AD servers to gain administrator privilege and attack other machines within the network\r\nT1068 - Exploitation for privilege escalation: Makes use of CVE-2021-27102 to escalate privilege\r\nT1574 - Hijack execution flow: UAC bypass\r\nDefense Evasion\r\nT1036.001 - Masquerading: Invalid code signature: Makes use of the following digital signatures: DVERI, FADO, TOV\r\nT1562.001 - Impair defenses: Disable or modify tools: Disables security-related software by terminating it\r\nT1140 - Deobfuscate/decode files or information: The tool used for exfiltration drops a base64-encoded file as part of its malware trace removal\r\nT1070.004 - Indicator removal on host: File deletion: Deletes traces of itself in the infected machine\r\nT1055.001 - Process injection: DLL injection: To deliver other tools and payloads, a tool has the capability to inject its downloaded payload\r\nT1202 - Indirect command execution: A startup script runs just before the system gets to the login screen via the startup registry\r\nT1070.001 - Indicator removal on host: Clear Windows event logs: Clears the Event Viewer log files\r\nDiscovery\r\nT1083 - File and directory discovery: Searches for specific files and the directory related to its encryption\r\nT1018 - Remote system discovery: Makes use of tools for network scans\r\nT1057 - Process discovery: Discovers certain processes for process termination\r\nT1082 - System information discovery: Identifies keyboard layout and other system information\r\nT1012 - Query registry: Queries certain registries as part of its routine\r\nT1063 - Security software discovery: Discovers security software for reconnaissance and termination\r\nLateral Movement\r\nT1570 - Lateral tool transfer: Can make use of RDP to transfer the ransomware or tools within the network\r\nT1021.002 - Remote services: SMB/Windows admin shares: Drops a copy of the payload to the compromised AD and then creates a service on the target machine to execute the copy of the payload\r\nCollection\r\nT1005 - Data from local system: Might make use of RDP to manually search for valuable files or information\r\nSummary of malware, tools, and exploits used\r\nSecurity teams can watch out for the presence of the following malware, tools, and exploits that are typically used in Clop attacks:\r\nInitial Entry: Phishing emails; Exploits: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104, CVE-2021-35211, CVE-2023-34362, CVE-2023-27350, CVE-2023-0669, CVE-2023-27351\r\nExecution: Get2 Loader\r\nDiscovery: FlawedAmmyy RAT, SDBOT\r\nPrivilege Escalation: CVE-2021-27102\r\nLateral Movement: RDP, Cobalt Strike, Active Directory server admin account (new account creation to propagate the payload throughout the network)\r\nCommand and Control: TinyMet\r\nDefense Evasion: SDBOT (uses application shimming to maintain continuity of the attack and to avoid detection)\r\nRecommendations\r\nDespite arrests of alleged members of the Clop ransomware cartel in Ukraine in 2021, our detections of this ransomware indicate that the group is still a potential threat and might strike anytime. Moreover, the operators behind Clop are known to regularly change their TTPs, which means that expecting them to sharpen the proverbial saw is par for the course. It is therefore best to stay vigilant and armed with the knowledge that ransomware operators are always waiting for a chance to pounce on their next victim.\r\nTo protect systems against similar threats, organizations can establish security frameworks that allocate resources systematically for establishing a strong defense strategy against ransomware.\r\nHere are some best practices that organizations can consider:\r\nAudit and inventory\r\nTake an inventory of assets and data.\r\nIdentify authorized and unauthorized devices and software.\r\nMake an audit of event and incident logs.\r\nConfigure and monitor\r\nManage hardware and software configurations.\r\nGrant admin privileges and access only when necessary to an employee’s role.\r\nMonitor network ports, protocols, and services.\r\nActivate security configurations on network infrastructure devices such as firewalls and routers.\r\nEstablish a software allowlist that only executes legitimate applications.\r\nPatch and update\r\nConduct regular vulnerability assessments.\r\nPerform patching or virtual patching for operating systems and applications.\r\nUpdate software and applications to their latest versions.\r\nTo prevent attacks like the Kiteworks FTA exploits, update to and patch the latest version of the FTA to close the zero-day vulnerabilities that the malicious actors used in these attacks.\r\nProtect and recover\r\nImplement data protection, backup, and recovery measures.\r\nEnable multifactor authentication (MFA).\r\nSecure and defend\r\nEmploy sandbox analysis to block malicious emails.\r\nDeploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network.\r\nDetect early signs of an attack such as the presence of suspicious tools in the system.\r\nUse advanced detection technologies such as those powered by AI and machine learning.\r\nTrain and test\r\nRegularly train and assess employees on security skills.\r\nConduct red-team exercises and penetration tests.\r\nA multilayered approach can help organizations guard the possible entry points into the system (endpoint, email, web, and network). Security solutions that detect malicious components and suspicious behavior could also help protect enterprises.\r\nTrend Vision One™ enables security teams to continuously identify the attack surface, including known, unknown, managed, and unmanaged cyber assets. It automatically prioritizes risks, including vulnerabilities, for remediation, taking into account critical factors such as the likelihood and impact of potential attacks. Vision One offers comprehensive prevention, detection, and response capabilities backed by AI, advanced threat research, and intelligence. This leads to faster mean time to detect, respond, and remediate, improving the overall security posture and effectiveness.\r\nTrend Micro Cloud One™ Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.\r\nTrend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.\r\nTrend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.\r\nIndicators of Compromise (IOCs)\r\nSource: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-clop",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-clop"
	],
	"report_names": [
		"ransomware-spotlight-clop"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6728f306-6259-4e7d-a4ea-59586d90a47d",
			"created_at": "2023-01-06T13:46:39.175292Z",
			"updated_at": "2026-04-10T02:00:03.236282Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"TEMP.Warlock",
				"UNC902"
			],
			"source_name": "MISPGALAXY:FIN11",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1db21349-11d6-4e57-805c-fb1e23a8acab",
			"created_at": "2022-10-25T16:07:23.630365Z",
			"updated_at": "2026-04-10T02:00:04.694622Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"Chubby Scorpius",
				"DEV-0950",
				"Lace Tempest",
				"Operation Cyclone"
			],
			"source_name": "ETDA:FIN11",
			"tools": [
				"AZORult",
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"BLUESTEAL",
				"Cl0p",
				"EMASTEAL",
				"FLOWERPIPE",
				"FORKBEARD",
				"FRIENDSPEAK",
				"FlawedAmmyy",
				"GazGolder",
				"Get2",
				"GetandGo",
				"JESTBOT",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MINEDOOR",
				"MIXLABEL",
				"Meterpreter",
				"NAILGUN",
				"POPFLASH",
				"PuffStealer",
				"Rultazo",
				"SALTLICK",
				"SCRAPMINT",
				"SHORTBENCH",
				"SLOWROLL",
				"SPOONBEARD",
				"TiniMet",
				"TinyMet",
				"VIDAR",
				"Vidar Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438975,
	"ts_updated_at": 1775792197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2e9f7dc10f8b0ceb48f5ae3fa136f59af20e7536.pdf",
		"text": "https://archive.orkl.eu/2e9f7dc10f8b0ceb48f5ae3fa136f59af20e7536.txt",
		"img": "https://archive.orkl.eu/2e9f7dc10f8b0ceb48f5ae3fa136f59af20e7536.jpg"
	}
}