{
	"id": "6f645d30-a45a-4e24-924b-adb1e1852f7f",
	"created_at": "2026-04-06T00:18:33.611171Z",
	"updated_at": "2026-04-10T03:36:36.773074Z",
	"deleted_at": null,
	"sha1_hash": "6fb566d6aa0588fa8096b24877797483cc4a791b",
	"title": "Cybereason vs. Cl0p Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1418532,
	"plain_text": "Cybereason vs. Cl0p Ransomware\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-02 12:32:49 UTC\r\nIn the past months, the Cybereason Nocturnus team has been tracking the activity of the Cl0p ransomware, a variant of CryptoMix ransomware. The name “clop” comes from Russian or Bulgarian, and means “bug”.\r\nKey Findings\r\nEvolving Threat: TA505 has evolved its attack tactics, delivering Cl0p ransomware as the final payload on as many systems as possible in order to pressure the victim to pay the ransom; the data of non-paying Cl0p victims is published on the Cl0p leaks site.\r\nMulti-Staged Attack: Before deploying Cl0p, two prior payloads are deployed to allow the attackers to move laterally within the compromised network before downloading and deploying the Cl0p ransomware.\r\nHigh Severity: The Cybereason Nocturnus Team assesses the threat level as HIGH given the destructive potential of the attacks.\r\nDetected and Prevented: The Cybereason Defense Platform fully detects and prevents the Cl0p ransomware.\r\nBackground\r\nIn 2019, the TA505 threat actor started delivering Cl0p as their final payload. TA505 is a well-known, sophisticated cybercrime threat actor, attacking various sectors for financial gain.\r\nIn 2019, the TA505 group changed their main strategy to encrypting assets in a corporate network and demanding a Bitcoin ransom for the decryption key.\r\nA more recent Cl0p attack was against AG, a large German software company. Their internal network was breached, and the attackers demanded more than $20 million ransom. In another case, the group attacked a South Korean retailer, demanding $40 million ransom this time, and threatening to leak 2 million cards in case the negotiation fails.\r\nMoreover, the group maintains a site where they leak the data of victims who did not pay the ransom:\r\nA screenshot from the Cl0p leaks website\r\nhttps://www.cybereason.com/blog/cybereason-vs.-clop-ransomware\r\nPage 1 of 6\r\nThe infection chain is as follows, and is depicted below: First of all, when a malspam campaign is launched, emails are sent to victims from compromised accounts, thus increasing their credibility. The emails contain an HTML attachment that redirects to a compromised website. It then delivers a document containing a malicious macro that drops the Get2 loader. Get2 downloads and executes SDBbot, FlawedGrace or FlawedAmmy. In this scenario, SDBbot moves laterally within the compromised network, exfiltrates data, and finally downloads and deploys the Cl0p ransomware on as many systems as possible:\r\nThe Cl0p attack tree\r\nCl0p Ransomware Analysis\r\nThe Cl0p ransomware is initially packed and compressed. It unpacks a shellcode to resolve several APIs such as GetProcAddress and VirtualAlloc:\r\nThe shellcode responsible for loading the compressed PE\r\nThe shellcode then allocates memory and writes an aPLib-compressed PE. It can be recognized by its first bytes, M8Z:\r\nThe compressed PE as seen in memory\r\nOnce the unpacked and decompressed payload is revealed, Cl0p has some indicative mutexes in its variants. After creating the mutex, BestChangeT0p^_-666 in this case, Cl0p searches for various security products installed on the victim’s machine, and uninstalls or disables them if necessary to avoid being detected or terminated:\r\nDisabling Malwarebytes’ Anti-Ransomware notifications\r\nIn the example above, Cl0p searches for Malwarebytes anti-ransomware protection and disables its notifications so the user will not be alerted. Below, if an ESET product is detected, it is uninstalled using the command line:\r\nUninstalling an ESET Security product\r\nOther, newer variants disable Windows Defender through silent command-line modification of registry keys, and also uninstall the Microsoft Security Essentials client. Cybereason detects the malicious sample execution together with all of the listed commands:\r\nDisabling Windows Defender as seen in the Cybereason attack tree\r\nOne of the Cl0p variants encrypts the files by generating an RSA public key, retrieving its first 127 bytes and using them as the RC4 key, then adding the Cl0p^_- header and RC4-encrypting it again. Once the files are encrypted, the Cl0p extension is added to each encrypted file:\r\nA file encrypted by Cl0p together with the ransom note\r\nIn addition, a ransom note is placed in the folder:\r\nCl0p’s ransom note content\r\nCybereason Detection and Prevention\r\nThe analyzed sample below, a newer variant of Cl0p, disables Windows Defender at the beginning of its execution. Cybereason detects the malicious commands executed to silently modify the related registry keys:\r\nWindows Defender registry key modification as seen in Cybereason\r\nWhen Cybereason anti-ransomware prevention is turned on, the execution of the sample is successfully prevented:\r\nPrevention of Cl0p’s execution in Cybereason\r\nIndicators of Compromise\r\nIOC | Type | Description\r\n08576e51a724bdc648c40e0dfe3c12a61e7517ca | SHA1 | Clop executable\r\n8e56837e4d748eceb991aabd8f5a7f3c874f7010\r\nfb66c66cd8fa805394ec7b2253238dfee89b2964\r\nccd147cea99c1b2e15f193a761f7a5be8da850e8\r\n16f48624ea2a575e1bdceb4ac6151d97d4de80b6\r\n2d92a9ec1091cb801ff86403374594c74210cd44\r\nab265e2897c3befea9e37b5d8b06d8afd48b0fa6\r\nfdd274aeb22c1b8ade68b02c50f9fead0395ea64\r\n2b44afeb746cef483929fb04f15479083ce71323\r\nb020dbb06b2689d325e5e89fe3a66c1af7cd1597\r\n9d97ae1a629fe2ed0ce750d1da1513c5dbf9cf8b\r\n18281511117e39d2dc0546f110ec3aa922ea4340\r\ne4fdc793161403a19de938288fa261b34e0444c0\r\n0a7ab8cc60b04e66be11eb41672991482b9c0656\r\na6ae538be9407352f1e182ec38ad3c0b5277c8fc\r\nMITRE ATT\u0026CK BREAKDOWN\r\nInitial Access: Spearphishing Attachment; Spearphishing Link\r\nPersistence: Registry Run Keys / Startup Folder\r\nPrivilege Escalation: Valid Accounts; Domain Accounts\r\nDefense Evasion: Impair Defenses: Disable or Modify Tools\r\nReconnaissance: Gather Victim Network Information; Phishing for Information\r\nLateral Movement: Remote Services\r\nExfiltration: Exfiltration Over Web Service; Exfiltration Over C2 Channel\r\nImpact: Data Encrypted for Impact\r\nC\u0026C: Web Protocols; Encrypted Channel\r\nDaniel Frank\r\nDaniel Frank is a senior Malware Researcher at Cybereason. Prior to Cybereason, Frank was a Malware Researcher at F5 Networks and RSA Security. His core roles as a Malware Researcher include researching emerging threats, reverse-engineering malware and developing security-driven code. Frank has a BSc degree in information systems.\r\nAbout the Author\r\nCybereason Nocturnus\r\nThe Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and enterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.\r\nSource: https://www.cybereason.com/blog/cybereason-vs.-clop-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.cybereason.com/blog/cybereason-vs.-clop-ransomware"
	],
	"report_names": [
		"cybereason-vs.-clop-ransomware"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434713,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6fb566d6aa0588fa8096b24877797483cc4a791b.pdf",
		"text": "https://archive.orkl.eu/6fb566d6aa0588fa8096b24877797483cc4a791b.txt",
		"img": "https://archive.orkl.eu/6fb566d6aa0588fa8096b24877797483cc4a791b.jpg"
	}
}