{
	"id": "f8077a6f-3a49-4e41-8afb-a5f8bcd0949f",
	"created_at": "2026-04-06T02:10:54.140542Z",
	"updated_at": "2026-04-10T03:24:30.096828Z",
	"deleted_at": null,
	"sha1_hash": "572213dcb9682791ffd7b00646a7c756562b0722",
	"title": "Clop Ransomware Detection: Threat Research Release, April 2021 | Splunk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 516641,
	"plain_text": "Clop Ransomware Detection: Threat Research Release, April 2021\r\n| Splunk\r\nBy Splunk Threat Research Team\r\nPublished: 2021-05-03 · Archived: 2026-04-06 01:37:19 UTC\r\nClop Ransomware has been active since 2019 and has been mostly associated with financially driven criminal groups. Lately, however, this ransomware payload has been observed in campaigns against universities and other institutions in the education vertical. Most recently, Clop Ransomware was used in a cyberattack that demanded one of the highest ransom amounts in recorded history ($20 million). One of the particular traits of the actors behind Clop Ransomware is blackmailing their victims by threatening to publish sensitive information exfiltrated from the victims’ networks. During April we saw that Clop Ransomware-related threats persisted across the distinct variants used by several groups of organized criminals, and we decided to focus our research efforts on Clop Ransomware detections. We hope that these detections will help organizations detect abnormal behavior faster, before it becomes detrimental.\r\nDetection Searches for Clop Ransomware\r\nhttps://www.splunk.com/en_us/blog/security/clop-ransomware-detection-threat-research-release-april-2021.html\r\nPage 1 of 3\r\nAs we state in our blog, \"Detecting Clop Ransomware,\" the actors behind this crimeware deliver the malicious payloads via different methods, such as phishing emails, then spread the ransomware payload post-exploitation by pivoting to exposed or related vulnerable systems. Although the actual developers of this crimeware have not been identified yet, they have been tied to several financially driven threat actors. They are also known for leveraging publicly available vulnerabilities as entry and post-exploitation vectors.\r\nThe most common method behind this crimeware is as follows: once they have infiltrated their targets, they present instructions on how to pay the ransom and communicate further threats of exposure by publishing the sensitive information they obtained on a publicly accessible website.\r\nAlthough this may appear to be a new modality, in reality ransomware is usually the cherry on top of the cake: malicious actors usually dwell, exfiltrate and qualify the exfiltrated data, which eventually lands on dark web public forums, dark markets or private crime intelligence brokers, where qualified financial, business and kompromat information is then priced and sold to the highest bidder.\r\nWe used our attack range tool to demonstrate and research how this malware payload infects and spreads once executed. A number of new searches have been created to address this threat:\r\nPlease see our blog \"Detecting Clop Ransomware\" for specific information about the events and SPL code involved in these detections. We also provide information about a Splunk Phantom playbook that can be used to defend against this threat.\r\nWhy Should You Care?\r\nHaving one of the highest paid ransom amounts in recorded history ($20 million) and the fact that the Clop Ransomware actors are extremely opportunistic makes this an especially worrisome actor. The actors behind this crimeware are constantly looking for vulnerable targets, and once they are able to infiltrate victims, they are driven by obtaining sensitive information, which will most likely end up sold in a dark market.\r\nRansomware campaigns involving this payload will continue. As this group continuously targets different verticals, it is important to prepare for and understand the workings of these malicious payloads and to prepare your environment in order to defend against and be resilient to a ransomware attack. You can use our pre-packaged detections to help your organization stay safe against these types of attacks.\r\nFor a full list of security content, check out the release notes on Splunk Docs:\r\n3.18.0 (Clop Story)\r\n3.19.0\r\nLearn More\r\nYou can find the latest content about security analytic stories on GitHub and in Splunkbase. All of these detections are also now available via push update in Splunk Security Essentials.\r\nFeedback\r\nAny feedback or requests? Feel free to put in an Issue on GitHub and we’ll follow up. You can also join us on the Slack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on Slack.\r\nSource: https://www.splunk.com/en_us/blog/security/clop-ransomware-detection-threat-research-release-april-2021.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.splunk.com/en_us/blog/security/clop-ransomware-detection-threat-research-release-april-2021.html"
	],
	"report_names": [
		"clop-ransomware-detection-threat-research-release-april-2021.html"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441454,
	"ts_updated_at": 1775791470,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/572213dcb9682791ffd7b00646a7c756562b0722.pdf",
		"text": "https://archive.orkl.eu/572213dcb9682791ffd7b00646a7c756562b0722.txt",
		"img": "https://archive.orkl.eu/572213dcb9682791ffd7b00646a7c756562b0722.jpg"
	}
}