{
	"id": "88fd7af0-519c-42b0-b341-4b2052e74bec",
	"created_at": "2026-04-06T00:11:27.869244Z",
	"updated_at": "2026-04-10T13:12:01.827902Z",
	"deleted_at": null,
	"sha1_hash": "3f443bc0e03e3e78a7bc863846ade19d05803e0b",
	"title": "Clop targets execs, ransomware tactics get another new twist",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 266175,
	"plain_text": "Clop targets execs, ransomware tactics get another new twist\r\nBy Pieter Arntz\r\nPublished: 2021-02-22 · Archived: 2026-04-05 16:13:50 UTC\r\nRansomware peddlers have come up with yet another devious twist on the recent trend for data exfiltration. After\r\ninterviewing several victims of the Clop ransomware, ZDNet discovered that its operators appear to be\r\nsystematically targeting the workstations of executives. After all, the top managers are more likely to have\r\nsensitive information on their machines.\r\nIf this tactic works, and it might, it’s likely that other ransomware families will follow suit, just as they’ve copied\r\nother successful tactics in the past.\r\nWhat is Clop ransomware?\r\nClop was first seen in February 2019 as a new variant in the Cryptomix family, but it has followed its own path of\r\ndevelopment since then. In October 2020 it became the first ransomware to demand a ransom of over $20 million.\r\nThe victim, German tech firm Software AG, refused to pay. In response, Clop’s operators published\r\nconfidential information they had gathered during the attack on a dark web website.\r\nhttps://blog.malwarebytes.com/malwarebytes-news/2021/02/clop-targets-execs-ransomware-tactics-get-another-new-twist/\r\nPage 1 of 3\n\nCopycat tactics\r\nWhen we first came across file-encrypting ransomware, we were astounded and horrified at the same time. The\r\nsimplicity of the idea—even though it took quite a bit of skill to perfect a sturdy encryption routine—was of a\r\nkind that you immediately recognize as one that will last.\r\nSince then, ransomware has developed in ways we have seen before in other types of malware, but it has also\r\nintroduced some completely new techniques. 
Clop’s targeting of executives is just the latest in a list of innovations\r\nwe’ve witnessed over the last couple of years.\r\nLet us have a quick look at some of these innovations, ranging from technical tricks to advanced social\r\nengineering.\r\nTargeted attacks\r\nMost of the successful ransomware families have moved away from spray-and-pray tactics to more targeted\r\nattacks. Rather than trying to encrypt lots of individual computers using malicious email campaigns, attackers\r\nbreak into corporate networks manually, and attempt to cripple entire organisations.\r\nAn attacker typically accesses a victim’s network using known vulnerabilities or by attempting to brute-force a\r\npassword on an open RDP port. Once they have gained entry they will likely try to escalate their privileges, map\r\nthe network, delete backups, and spread their ransomware to as many machines as they can.\r\nData exfiltration\r\nOne of the more recent additions to the ransomware arsenal is data exfiltration. During the process of infiltrating a\r\nvictim’s network and encrypting its computers, some ransomware gangs also exfiltrate data from the machines\r\nthey infect. They then threaten to publish the data on a website, or auction it off. This gives the criminals extra\r\nleverage against victims who won’t, or don’t need to, pay to decrypt their data.\r\nThis extra twist was introduced by Ransom.Maze but is also used by Egregor and Ransom.Clop, as we\r\nmentioned above.\r\nHiding inside Virtual Machines\r\nI warned you about technical innovations. This one stands out among them. As mentioned in our State of Malware\r\n2021 Report, the RagnarLocker ransomware gang found a new way to encrypt files on an endpoint while evading\r\nanti-ransomware protection.\r\nThe ransomware’s operators download a virtual machine (VM) image, load it silently, and then launch the\r\nransomware inside it, where endpoint protection software can’t see it. 
The ransomware accesses files on the host\r\nsystem through the guest machine’s “shared folders.”\r\nEncrypting Virtual Hard Disks\r\nAlso mentioned in the State of Malware 2021 Report was the RegretLocker ransomware, which found a way around\r\nencrypting virtual hard disks (VHD). These files are huge archives that hold the hard disk of a virtual machine. If\r\nan attacker wanted to encrypt the VHD, they would endure a painfully slow process (and every second counts\r\nwhen you’re trying not to get caught) because of how large these files are.\r\nRegretLocker uses a trick to “mount” the virtual hard disks, so that they are as easily accessible as a physical hard\r\ndisk. Once this is done, the ransomware can access files inside the VHD and encrypt them individually, steal them,\r\nor delete them. This is a faster method of encryption than trying to target the entire VHD file.\r\nThwarting security and detection\r\nRansomware is also getting better at avoiding detection and disabling existing security software. For example, the\r\nClop ransomware stops 663 Windows processes (which is an amazing amount) and tries to disable or uninstall\r\nseveral security programs, before it starts its encryption routine.\r\nStopping these processes frees some files that it could not otherwise encrypt, because they would be locked. It\r\nalso reduces the likelihood of triggering an alert, and it can hinder the production of new backups.\r\nWhat next?\r\nIt remains to be seen if Clop’s new tactic will be copied by other ransomware families or how it might evolve.\r\nIt has been speculated that the tactic of threatening to leak exfiltrated data has lowered some victims’ expectations\r\nthat paying the ransom will be the end of their trouble. 
Targeting executives’ data specifically may be a way to\r\nredress this, by increasing the pressure on victims.\r\nClop, or a copycat, may also try to use the information found on managers’ machines to spread to other\r\norganisations. Consider, for example, the method known as email conversation thread hijacking, which uses\r\nexisting email conversations (and thus trust relationships) to spread to new victims. Or the information could be\r\nsold to threat actors that specialize in business email compromise (BEC).\r\nFor those interested, IOCs and other technical details about Clop can be found in the Ransom.Clop detection\r\nprofile.\r\nAbout the author\r\nWas a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich\r\nmahogany and leather-bound books.\r\nSource: https://blog.malwarebytes.com/malwarebytes-news/2021/02/clop-targets-execs-ransomware-tactics-get-another-new-twist/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.malwarebytes.com/malwarebytes-news/2021/02/clop-targets-execs-ransomware-tactics-get-another-new-twist/"
	],
	"report_names": [
		"clop-targets-execs-ransomware-tactics-get-another-new-twist"
	],
	"threat_actors": [],
	"ts_created_at": 1775434287,
	"ts_updated_at": 1775826721,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3f443bc0e03e3e78a7bc863846ade19d05803e0b.pdf",
		"text": "https://archive.orkl.eu/3f443bc0e03e3e78a7bc863846ade19d05803e0b.txt",
		"img": "https://archive.orkl.eu/3f443bc0e03e3e78a7bc863846ade19d05803e0b.jpg"
	}
}