{
	"id": "8ecbbd83-10c0-49a7-997e-94a246c88c5b",
	"created_at": "2026-04-06T00:10:56.212235Z",
	"updated_at": "2026-04-10T13:12:32.99058Z",
	"deleted_at": null,
	"sha1_hash": "a93172eb854d6166fb6b6635df587a0560ef18c3",
	"title": "Threat Assessment: Clop Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 621744,
	"plain_text": "Threat Assessment: Clop Ransomware\r\nBy Doel Santos\r\nPublished: 2021-04-13 · Archived: 2026-04-05 16:17:45 UTC\r\nExecutive Summary\r\nUnit 42 researchers have observed an uptick in Clop ransomware activity affecting the wholesale and retail,\r\ntransportation and logistics, education, manufacturing, engineering, automotive, energy, financial, aerospace,\r\ntelecommunications, professional and legal services, healthcare and high tech industries in the U.S., Europe,\r\nCanada, Asia Pacific and Latin America. Clop also leverages double extortion practices and hosts a leak site,\r\nwhere the number of victims has grown significantly since its launch in March 2020. Clop has been commonly\r\nobserved being delivered as the final-stage payload of a malicious spam campaign carried out by the financially\r\nmotivated actor TA505. This ransomware has also been linked to threat actors behind the recent global zero-day\r\nattacks on users of the Accellion File Transfer Appliance (FTA) product.\r\nDue to the surge of this malicious activity, we’ve created this threat assessment for overall threat awareness. Full\r\nvisualization of the techniques observed and their relevant courses of action can be viewed in the Unit 42 ATOM\r\nViewer.\r\nClop Ransomware Overview\r\nClop ransomware is a variant of a previously known strain called CryptoMix. In 2019, Clop was delivered as the\r\nfinal payload of a phishing campaign associated with the financially motivated actor TA505. The threat actors\r\nwould send phishing emails that would lead to a macro-enabled document that would drop a loader named Get2.\r\nThis loader can download different tools used by this group, such as SDBot, FlawedAmmy or FlawedGrace. After\r\nthe threat actors obtain the initial foothold on the system, they start employing reconnaissance, lateral movement\r\nand exfiltration techniques to prepare the ransomware deployment. 
SDBot has been observed delivering Clop as\r\nthe final payload.\r\nAfter the ransomware is executed, Clop appends the .clop extension to the victim's files. We have observed\r\ndifferent variants using different extensions, such as “.CIIp”, “.Cllp” and “.C_L_O_P”. Different versions of the\r\nransom note have also been observed after encryption. Depending on the variant, any of these ransom text files\r\ncould drop: “ClopReadMe.txt”, “README_README.txt”, “Cl0pReadMe.txt” and “READ_ME_!!!.TXT”.\r\nThis ransomware includes various features to avoid detection. Observed Clop samples try to kill several processes\r\nand services related to backups and security solutions. It won’t execute if it detects it’s running in a virtual\r\nenvironment. Clop also leverages Code Signing to evade detection. We observed the use of two signers during our\r\nresearch, as shown below in Figure 1.\r\nhttps://unit42.paloaltonetworks.com/clop-ransomware/\r\nPage 1 of 5\n\nFigure 1. Observed Clop digital signers.\r\nClop went from being ransomware delivered through malicious spam to being used in targeted campaigns against\r\nhigh-profile companies. In recent events, Clop has been linked to threat actors who have been exploiting Accellion\r\nFile Transfer Appliance (FTA) vulnerabilities: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103 and CVE-2021-27104. The exploitation of these vulnerabilities led to the compromise of high-profile companies starting in\r\nFebruary. Additionally, there has been evidence of an affiliate using a webshell named DEWMODE that was\r\nbeing used to steal data from Accellion FTA devices. Not long after compromise, victims affected by DEWMODE\r\nbegan receiving emails from threat actors announcing the breach with a unique URL per victim to start\r\nnegotiation efforts. If ignored, the threat actors would reach out again with an ultimatum of releasing the data to\r\n“Cl0p^_-Leaks”.\r\nClop didn't have a leak site when it was first sighted back in February 2019. 
It was in March 2020 when the threat\r\nactors decided to launch a leak site titled “Cl0p^_- Leaks” (Figure 2). This website is a Tor-based blog site, where\r\nvictims who don’t pay the ransom or ignore threats have their confidential data publicly exposed. The threat actors\r\nbehind Clop also leverage a variety of extortion techniques, such as targeting workstations of top executives,\r\n“doxxing” employees and advertising their breaches to reporters.\r\nFigure 2. Clop leak site and sample instructions delivered by Clop operators detailing how to\r\nimprove security posture and close security holes – for a price.\r\nMore information on ransomware and victimology can be found in the 2021 Unit 42 Ransomware Threat Report.\r\nCourses of Action\r\nThis section documents relevant tactics, techniques and procedures (TTPs) used with Clop and maps them directly\r\nto Palo Alto Networks product(s) and service(s). It also further instructs customers on how to ensure their devices\r\nare configured correctly.\r\nProduct / Service\r\nCourse of Action\r\nInitial Access, Exfiltration, Defense Evasion, Execution\r\nExploit Public-Facing Application [T1190], Exfiltration Over C2 Channel [T1041], Spearphishing\r\nAttachment [T1566.001], Code Signing [T1553.002], Windows Command Shell [T1059.003]\r\nNGFW\r\nEnsure application security policies exist when allowing traffic from an untrusted zone to a\r\nmore trusted zone\r\nEnsure 'Service setting of ANY' in a security policy allowing traffic does not exist\r\nEnsure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat\r\nIntelligence Sources Exists\r\nSet up File Blocking\r\nThreat Prevention†\r\nEnsure a Vulnerability Protection Profile is set to block attacks against critical and high\r\nvulnerabilities, and set to default on medium, low and informational vulnerabilities\r\nEnsure a secure Vulnerability Protection Profile is 
applied to all security rules allowing\r\ntraffic\r\nEnsure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'\r\nEnsure a secure antivirus profile is applied to all relevant security policies\r\nEnsure an anti-spyware profile is configured to block on all spyware severity levels,\r\ncategories and threats\r\nEnsure DNS sinkholing is configured on all anti-spyware profiles in use\r\nEnsure passive DNS monitoring is set to enabled on all anti-spyware profiles in use\r\nEnsure a secure anti-spyware profile is applied to all security policies permitting traffic to\r\nthe internet\r\nDNS Security† Enable DNS Security in Anti-Spyware profile\r\nURL Filtering† Ensure that URL Filtering is used\r\nEnsure that URL Filtering uses the action of ‘block’ or ‘override’ on the \u003centerprise\r\napproved value\u003e URL categories\r\nEnsure that access to every URL is logged\r\nEnsure all HTTP Header Logging options are enabled\r\nEnsure secure URL Filtering is enabled for all security policies allowing traffic to the\r\ninternet\r\nWildFire†\r\nEnsure that WildFire file size upload limits are maximized\r\nEnsure forwarding is enabled for all applications and file types in WildFire file blocking\r\nprofiles\r\nEnsure a WildFire Analysis profile is enabled for all security policies\r\nEnsure forwarding of decrypted content to WildFire is enabled\r\nEnsure all WildFire session information settings are enabled\r\nEnsure alerts are enabled for malicious files detected by WildFire\r\nEnsure 'WildFire Update Schedule' is set to download and install updates every minute\r\nCortex XSOAR\r\nDeploy XSOAR Playbook - Isolate Endpoint - Generic\r\nDeploy XSOAR Playbook - Block IP\r\nDeploy XSOAR Playbook - Block URL\r\nDeploy XSOAR Playbook - Hunting and Threat Detection Playbook\r\nDeploy XSOAR Playbook - PAN-OS Query Logs for Indicators\r\nDeploy XSOAR Playbook - Phishing Investigation 
- Generic V2\r\nDeploy XSOAR Playbook - Endpoint Malware Investigation\r\nCortex XDR\r\nEnable Anti-Exploit Protection\r\nEnable Anti-Malware Protection\r\nDiscovery\r\nFile and Directory Discovery [T1083], Process Discovery [T1057]\r\nCortex XDR\r\nLook for the following BIOC alerts to detect activity*:\r\nCortex XDR Analytics - Multiple Discovery Commands\r\nImpact\r\nData Encrypted for Impact [T1486], Inhibit System Recovery [T1490], Service Stop [T1489]\r\nCortex XSOAR\r\nDeploy XSOAR Playbook - Ransomware Manual\r\nCortex XDR\r\nLook for the following BIOC alerts to detect activity*:\r\nManipulation of Volume Shadow Copy configuration\r\nCortex XDR Agent - Behavioral Threat Detected\r\nTable 1. Courses of Action for Clop ransomware.\r\n†These capabilities are part of the NGFW security subscriptions service.\r\n* These analytic detectors will trigger automatically for Cortex XDR Pro customers.\r\nConclusion\r\nClop ransomware is a high-profile ransomware family that has compromised industries globally. Organizations\r\nshould be aware of SDBot, used by TA505, and how it can lead to the deployment of Clop ransomware. Like\r\nmany other current ransomware families, Clop hosts a leak site to create additional pressure and shame victims\r\ninto paying the ransom.\r\nIndicators associated with this Threat Assessment are available on GitHub, have been published to the Unit 42\r\nTAXII feed and are viewable via the ATOM Viewer.\r\nIn addition to the above courses of action, AutoFocus customers can review additional activity by using the tag\r\nClop.\r\nSource: https://unit42.paloaltonetworks.com/clop-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/clop-ransomware/"
	],
	"report_names": [
		"clop-ransomware"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434256,
	"ts_updated_at": 1775826752,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a93172eb854d6166fb6b6635df587a0560ef18c3.pdf",
		"text": "https://archive.orkl.eu/a93172eb854d6166fb6b6635df587a0560ef18c3.txt",
		"img": "https://archive.orkl.eu/a93172eb854d6166fb6b6635df587a0560ef18c3.jpg"
	}
}