{
	"id": "1ab1d697-c922-4443-9159-d566d8354807",
	"created_at": "2026-04-06T00:06:36.557287Z",
	"updated_at": "2026-04-10T03:36:36.762747Z",
	"deleted_at": null,
	"sha1_hash": "5aac30242f709bea163a20909587ca549e5bfbb2",
	"title": "malware-notes/Ransomware/Clop.md at master · albertzsigovits/malware-notes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 69788,
	"plain_text": "malware-notes/Ransomware/Clop.md at master · albertzsigovits/malware-notes\r\nBy albertzsigovits\r\nArchived: 2026-04-05 19:08:29 UTC\r\nSHA256 hashes\r\n6d115ae4c32d01a073185df95d3441d51065340ead1eada0efda6975214d1920\r\n6d8d5aac7ffda33caa1addcdc0d4e801de40cb437cf45cface5350710cde2a74\r\n70f42cc9fca43dc1fdfa584b37ecbc81761fb996cb358b6f569d734fa8cce4e3\r\na5f82f3ad0800bfb9d00a90770c852fb34c82ecb80627be2d950e198d0ad6e8b\r\n85b71784734705f6119cdb59b1122ce721895662a6d98bb01e82de7a4f37a188 (unpacked)\r\nReferences\r\nhttps://twitter.com/demonslay335/status/1093917007379087360\r\nhttps://twitter.com/GossiTheDog/status/1210588988265943046\r\nhttps://twitter.com/0x10000000/status/1103607518184390656\r\nhttps://twitter.com/darb0ng/status/1210047075812954112\r\nhttps://twitter.com/darb0ng/status/1199209654661738496\r\nhttps://twitter.com/VK_Intel/status/1157742218549039105\r\nhttps://twitter.com/VK_Intel/status/1162810558774747137\r\nhttps://twitter.com/VK_Intel/status/1210067407806570496\r\nhttps://www.bleepingcomputer.com/news/security/ransomware-hits-maastricht-university-all-systems-taken-down/\r\nTargets\r\nMaastricht University (UM) - The Netherlands\r\nNotes\r\nAttributed to TA505\r\nClop filemarker: Clop^_-\r\nRansom extension: .clop or .CIop (the second spelled with a capital I in place of the l)\r\nRansom note: ClopReadMe.txt or CIopReadMe.txt (https://pastebin.com/rHQ8gzD9)\r\nRansom e-mails:\r\nservicedigilogos@protonmail.com\r\nmanagersmaers@tutanota.com\r\nunlock@eqaltech.su\r\nunlock@royalmail.su\r\nunlock@goldenbay.su\r\nunlock@graylegion.su\r\nkensgilbomet@protonmail.com\r\nUses an RSA 1024-bit public key, then encrypts files with RC4 using 117 bytes of key material (117 bytes is the largest PKCS#1 v1.5 plaintext a 1024-bit RSA key can encrypt)\r\nAnother version uses the Mersenne Twister algorithm\r\nTries to uninstall ESET AV by grepping the ProductCode from the callback.log file:\r\ncmd.exe \"/C MSIEXEC /x 'ESET ProductCode' /qb\"\r\nUninstalls Microsoft Security Client (MSC):\r\ncmd.exe /C \"C:\\Program Files\\Microsoft Security Client\\Setup.exe\" /x /s\r\nAnother version checks for Malwarebytes, Webroot and Panda\r\nInteresting API call: OpenPrinterW(L\"KJFk23983ruafbuyTHFNIO#wu\", 0, 0);\r\nSigned with a valid certificate\r\nChecks the local keyboard language via GetKeyboardLayout against a hardcoded list: Georgian, Russian, Azerbaijani\r\nAV evasion\r\nTries to disable Windows Defender (command lines truncated as captured):\r\ncmd.exe /C reg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\" /v \"DisableBehavior\r\ncmd.exe /C reg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\" /v \"DisableOnAccessP\r\ncmd.exe /C reg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\" /v \"DisableRealtimeM\r\ncmd.exe /C reg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\" /v \"SubmitSamplesConsent\" /t REG_D\r\ncmd.exe /C reg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\" /v \"DisableScanOnRea\r\ncmd.exe /C reg add \"HKLM\\Software\\Microsoft\\Windows Defender\\Features\" /v \"TamperProtection\" /t REG_DWORD /d \"0\"\r\ncmd.exe /C reg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\" /v \"DisableAntiSpyware\" /t REG_DWORD /d \"\r\ncmd.exe /C reg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\MpEngine\" /v \"MpCloudBlockLevel\" /t REG_DW\r\ncmd.exe /C reg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\" /v \"SpynetReporting\" /t REG_DWORD\r\nTries to uninstall Malwarebytes Anti-Ransomware (command line truncated as captured):\r\ncmd.exe /c \"C:\\Program Files\\Malwarebytes\\Anti-Ransomware\\unins000.exe\" /verysilent /suppressmsgboxes /no\r\nSeen resources:\r\nRC_DATAMAKEMONEY\r\nRC_DATABIGBACK\r\nSeen mutexes:\r\nFFRRTTOOOTTPPWWZZZLLSS^_-\r\nMakeMoneyFromAirEathWorld#666Go\r\nBestChangeT0pMoney^_-666\r\nRansom note:\r\nYour network has been penetrated.\r\nAll files on each host in the network have been encrypted with a strong algorithm.\r\nBackups were either encrypted or deleted or backup disks were formatted.\r\nShadow copies also removed, so F8 or any other methods may damage encrypted data but not recover.\r\nWe exclusively have decryption software for your situation\r\nNo decryption software is available in the public.\r\nDO NOT RESET OR SHUTDOWN – files may be damaged.\r\nDO NOT RENAME OR MOVE the encrypted and readme files.\r\nDO NOT DELETE readme files.\r\nThis may lead to the impossibility of recovery of the certain files.\r\nPhotorec, RannohDecryptor etc. repair tools are useless and can destroy your files irreversibly.\r\nIf you want to restore your files write to emails (contacts are at the bottom of the sheet) and attach 2-3 encry\r\n(Less than 5 Mb each, non-archived and your files should not contain valuable information\r\n(Databases, backups, large excel sheets, etc.)).\r\nYou will receive decrypted samples and our conditions how to get the decoder.\r\n\r\nAttention!!!\r\nYour warranty - decrypted samples.\r\nDo not rename encrypted files.\r\nDo not try to decrypt your data using third party software.\r\nWe don't need your files and your information.\r\n\r\nBut after 2 weeks all your files and keys will be deleted automatically.\r\nContact emails:\r\nservicedigilogos@protonmail.com\r\nor\r\nmanagersmaers@tutanota.com\r\n\r\nThe final price depends on how fast you write to us.\r\n\r\nClop\r\nYara rules\r\nrule clop_ov_carosig\r\n{\r\n    meta:\r\n        author = \"Albert Zsigovits\"\r\n        family = \"Clop ransomware\"\r\n\r\n    condition:\r\n        // VirusTotal Livehunt rule: new_file and signatures are VT-provided external variables\r\n        new_file and (signatures matches /.*Clop.*/)\r\n}\r\nSource: https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Clop.md",
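The Notes section above gives two file-level indicators: the filemarker string `Clop^_-` and the `.clop` / `.CIop` extensions, the second spelled with a capital I. The following triage script is an added example, not code from the malware-notes repository or from the Clop sample; it classifies files under a directory by those two indicators. Where in an encrypted file the marker sits is not stated in the notes, so the scanner searches the whole file rather than a fixed offset, and the sample directory it builds is constructed data, not real Clop output.

```python
# Added example: triage a directory tree for files that look Clop-encrypted,
# using the filemarker and the two ransom extensions from the notes.
import os
import tempfile
from pathlib import Path

FILEMARKER = b'Clop^_-'
# Exact-case match: '.CIop' (capital I) is a deliberate homoglyph of '.clop'.
EXTENSIONS = {'.clop', '.CIop'}


def classify(path: Path) -> str:
    """Return 'marker', 'extension-only' or 'clean' for one regular file."""
    ext_hit = path.suffix in EXTENSIONS
    try:
        # Marker position in the file is not documented in the notes (assumption:
        # could be anywhere), so search the full content.
        marker_hit = FILEMARKER in path.read_bytes()
    except OSError:
        marker_hit = False
    if marker_hit:
        return 'marker'          # strongest indicator: the sample's own marker
    if ext_hit:
        return 'extension-only'  # renamed but no marker: could be a decoy or a truncated file
    return 'clean'


def scan_tree(root: Path) -> dict:
    """Map every regular file under root (relative path) to its classification."""
    return {str(p.relative_to(root)): classify(p)
            for p in sorted(root.rglob('*')) if p.is_file()}


def build_sample_tree() -> Path:
    """Constructed sample data (not real Clop output): a marked file, a homoglyph
    extension with marker, a renamed-only file and a clean document."""
    root = Path(tempfile.mkdtemp(prefix='clop-demo-'))
    (root / 'report.xlsx.clop').write_bytes(os.urandom(64) + FILEMARKER + os.urandom(128))
    (root / 'photo.jpg.CIop').write_bytes(os.urandom(64) + FILEMARKER + os.urandom(128))
    (root / 'renamed.txt.clop').write_bytes(b'just renamed, no marker')
    (root / 'notes.txt').write_bytes(b'plain content')
    return root


if __name__ == '__main__':
    for name, verdict in scan_tree(build_sample_tree()).items():
        print(f'{verdict:15} {name}')
```

The extension check is kept case-sensitive on purpose: folding case would hide the homoglyph variant, which is worth reporting separately when deciding which sample produced a given set of files.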
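The notes say the sample checks the local keyboard language via GetKeyboardLayout against a hardcoded list (Georgian, Russian, Azerbaijani). The following is an added example of that decision logic, not code from the notes or the sample: GetKeyboardLayout(0) returns an HKL whose low 16 bits are a LANGID, and the low 10 bits of the LANGID are the primary language identifier. The constants are the Windows SDK (winnt.h) primary-language values; the HKL values fed in at the bottom are constructed, and the live call through ctypes only runs on Windows.

```python
# Added example: reproduce the GetKeyboardLayout exclusion check offline.
import ctypes
import sys

# Primary language identifiers from winnt.h
LANG_RUSSIAN = 0x19
LANG_GEORGIAN = 0x37
LANG_AZERI = 0x2C
EXCLUDED_PRIMARY_LANGS = {LANG_RUSSIAN, LANG_GEORGIAN, LANG_AZERI}


def primary_lang(hkl: int) -> int:
    """PRIMARYLANGID(LOWORD(hkl)): the low word of an HKL is the LANGID,
    and the low 10 bits of the LANGID are the primary language."""
    langid = hkl & 0xFFFF
    return langid & 0x3FF


def would_abort(hkl: int) -> bool:
    """True when the active layout's primary language is on the exclusion list,
    i.e. the behaviour the notes describe would stop the sample from encrypting."""
    return primary_lang(hkl) in EXCLUDED_PRIMARY_LANGS


def current_hkl() -> int:
    """Live check through the real API on Windows; 0 elsewhere (never excluded)."""
    if sys.platform != 'win32':
        return 0
    user32 = ctypes.WinDLL('user32', use_last_error=True)
    user32.GetKeyboardLayout.restype = ctypes.c_void_p
    user32.GetKeyboardLayout.argtypes = [ctypes.c_uint32]
    return user32.GetKeyboardLayout(0) or 0


if __name__ == '__main__':
    # Constructed HKL values: Russian, Georgian, Azerbaijani (Latin and Cyrillic
    # sublanguages share primary language 0x2C) and US English for contrast.
    samples = [('ru-RU', 0x04190419), ('ka-GE', 0x04370437), ('az-Latn', 0x042C042C),
               ('az-Cyrl', 0x082C082C), ('en-US', 0x04090409)]
    for name, hkl in samples:
        print(f'{name:8} primary=0x{primary_lang(hkl):02x} abort={would_abort(hkl)}')
    print(f'this host: abort={would_abort(current_hkl())}')
```

Because the check keys on the active keyboard layout rather than the system locale, adding one of the listed layouts to a host changes the outcome; the sublanguage bits are masked off, so both Azerbaijani variants are treated alike.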
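The AV evasion section lists `reg add` commands against Windows Defender policy keys, with the captured command lines cut short. The detection logic below is an added example and is not part of the notes; it is what a defender would run over registry-write telemetry rather than over the command lines. The full value names are the documented Defender policy values that those truncated commands set, the expected "weakening" data for SubmitSamplesConsent and MpCloudBlockLevel (not shown on the page) is an assumption, and the input records are modelled on Sysmon Event ID 13 (RegistryEvent: value set) fields and constructed inline.

```python
# Added example: flag registry writes that weaken Windows Defender, over
# constructed Sysmon Event ID 13-style records.
import re
from pathlib import PureWindowsPath

# value name -> DWORD data that weakens Defender. The Disable* values and
# TamperProtection=0 / DisableAntiSpyware=1 are what the notes show; the data for
# SubmitSamplesConsent (2 = never send) and MpCloudBlockLevel (0 = default,
# lowest block level) is assumed, since the page truncates those commands.
TAMPER_VALUES = {
    'DisableBehaviorMonitoring': 1,
    'DisableOnAccessProtection': 1,
    'DisableRealtimeMonitoring': 1,
    'DisableScanOnRealtimeEnable': 1,
    'DisableAntiSpyware': 1,
    'SubmitSamplesConsent': 2,
    'SpynetReporting': 0,
    'MpCloudBlockLevel': 0,
    'TamperProtection': 0,
}


def parse_dword(details: str):
    """Sysmon renders DWORD data as 'DWORD (0x00000001)'; return the int or None."""
    m = re.search(r'0x([0-9A-Fa-f]+)', details)
    return int(m.group(1), 16) if m else None


def audit_registry_events(events):
    """Return one finding per event that writes a Defender-weakening value under a
    Windows Defender key (both the Policies and the product key are covered)."""
    findings = []
    for ev in events:
        target = PureWindowsPath(ev['TargetObject'])   # key path + value name
        name, key = target.name, str(target.parent)
        if name not in TAMPER_VALUES or 'Windows Defender' not in key:
            continue
        data = parse_dword(ev.get('Details', ''))
        if data == TAMPER_VALUES[name]:
            findings.append({'image': ev.get('Image'), 'key': key, 'value': name, 'data': data})
    return findings


def sample_events():
    """Constructed telemetry, not captured from the sample."""
    policies = PureWindowsPath('HKLM', 'SOFTWARE', 'Policies', 'Microsoft', 'Windows Defender')
    product = PureWindowsPath('HKLM', 'SOFTWARE', 'Microsoft', 'Windows Defender')
    reg_exe = str(PureWindowsPath('C:/Windows/System32/reg.exe'))

    def ev(key, name, dword, image=reg_exe):
        return {'EventID': 13, 'Image': image,
                'TargetObject': str(key / name), 'Details': f'DWORD (0x{dword:08X})'}

    return [
        ev(policies / 'Real-Time Protection', 'DisableRealtimeMonitoring', 1),
        ev(policies / 'Real-Time Protection', 'DisableBehaviorMonitoring', 1),
        ev(policies / 'Spynet', 'SubmitSamplesConsent', 2),
        ev(product / 'Features', 'TamperProtection', 0),
        ev(policies / 'MpEngine', 'MpCloudBlockLevel', 2),      # raising the level: not tampering
        ev(PureWindowsPath('HKLM', 'SOFTWARE', 'Policies', 'Microsoft', 'Windows', 'WindowsUpdate'),
           'AUOptions', 4),                                     # unrelated key: ignored
    ]


if __name__ == '__main__':
    for f in audit_registry_events(sample_events()):
        print(f"{f['image']} set {f['value']}={f['data']} under {f['key']}")
```

Matching on the written value rather than on the `reg add` command line also catches the same change made through PowerShell, Group Policy or a direct RegSetValueEx call, which is why the example keys on the registry event instead of the process command line.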
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Clop.md"
	],
	"report_names": [
		"Clop.md"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433996,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5aac30242f709bea163a20909587ca549e5bfbb2.pdf",
		"text": "https://archive.orkl.eu/5aac30242f709bea163a20909587ca549e5bfbb2.txt",
		"img": "https://archive.orkl.eu/5aac30242f709bea163a20909587ca549e5bfbb2.jpg"
	}
}