The “.CLOP” Ransomware Intel Report
Comprehensive community resource for the strain that appends “.clop” to every encrypted file and runs under the family name “Clop” (also tracked internally as “CryptoMix-CL0P” or “TA505 Clop”).
Technical Breakdown
1. File Extension & Renaming Patterns
- Exact appended extension: .<original-extension>.CLOP
  Example: Report_2024.docx becomes Report_2024.docx.CLOP
- Unusually long tails: a small number of builds also append a second pseudo-extension such as .<16-byte-hex> before .CLOP (e.g., Report.docx.5fa3b7d210c3c3af.CLOP).
- Recursive encryption: every file on fixed and removable drives is renamed once encryption is fully completed; shadow copies and VSS images are purged before renaming happens.
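A read-only triage function for the two renaming forms above, added here as an example (not part of the report); the function name, output fields and the example paths are assumptions.

```powershell
# Added example (not from the report): lists files carrying the ".CLOP" extension under a root,
# separates the plain form from the ".<16-hex>.CLOP" variant and recovers the pre-encryption
# file name. Read-only: nothing is renamed or deleted.

function Find-ClopRenamedFiles {
    param(
        [Parameter(Mandatory)] [string] $Path,   # root to walk, e.g. D:\Shares
        [string] $ReportCsv                      # optional CSV for the IR case file
    )

    # <orig> = original name; optional <tail> = 16 hex characters inserted before .CLOP.
    # -match is case-insensitive, so "file.docx.clop" is caught as well.
    $pattern = '^(?<orig>.+?)(?:\.(?<tail>[0-9a-f]{16}))?\.CLOP$'

    $hits = Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $pattern } |
        ForEach-Object {
            $null = $_.Name -match $pattern      # re-run so $matches refers to this file
            $tail = if ($matches['tail']) { $matches['tail'] } else { '' }
            [pscustomobject]@{
                EncryptedPath = $_.FullName
                OriginalName  = $matches['orig']
                Variant       = if ($tail) { 'hex-tail' } else { 'plain' }
                HexTail       = $tail
                SizeBytes     = $_.Length
                LastWriteUtc  = $_.LastWriteTimeUtc
            }
        }

    if ($ReportCsv -and $hits) { $hits | Export-Csv -Path $ReportCsv -NoTypeInformation }

    # Short summary on the console; the objects themselves are returned for further filtering.
    $hits | Group-Object Variant | ForEach-Object { Write-Host "$($_.Name): $($_.Count) file(s)" }
    $hits
}

# Usage (paths are placeholders):
# Find-ClopRenamedFiles -Path 'D:\Shares' -ReportCsv 'C:\IR\clop-files.csv' | Sort-Object LastWriteUtc
```

Sorting by LastWriteUtc gives a rough encryption timeline across the share, which helps bound the window to pull from backups.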
2. Detection & Outbreak Timeline
- First cluster spotted: February 2019 (Russia-based underground forums).
- Major global waves:
  – April–May 2019 (health-care + manufacturing)
  – March–June 2020 (supply chain hit using Accellion FTA 0-day)
  – December 2020–April 2021 (Shell infrastructure providers via SolarWinds-style DNS hijacking)
- Takedown operation: National Hi-Tech Crime Unit of Ukraine + Interpol, 28 June 2021; arrests and hardware seizures. Several forks resurfaced mid-2022, but the core signatures below remain valid.
3. Primary Attack Vectors
| Vector | Real-world examples | Notes |
|---|---|---|
| Exploit kits / Vuln RDP | BlueKeep (CVE-2019-0708), EternalBlue (MS17-010 patch missing), ProxyLogon (on-prem Exchange 2020 campaign) | Lateral scanning for open 445, 3389, 135, 1433 via Masscan. |
| Phishing / Spear-phish | ISO-with-PIF file, “Corona-Wage-Supplement” themes. | Initial loader is rEEEEE4.exe or runrun.exe preceding the main Clop DLL. |
| Software supply chain | Weaponized Accellion FTA appliance (CVE-2021-27101 / 27104). | 2020 O2 Germany & Qualys incidents. |
| Credential stuffing | Dictionary brute of public-facing RDP; after credential compromise, moves toolset over RDP-SMB share. | Once a domain-level account is captured, wmic.exe drops the Clop DLL from a password-protected 7-zip hosted on temp.sh, sendspace.com, or an attacker-controlled admin share. |
Remediation & Recovery Strategies
1. Prevention – Front-line Hotfixes
- Patch aggressively:
  ❑ MS17-010 (EternalBlue),
  ❑ CVE-2019-0708 (BlueKeep),
  ❑ ProxyLogon 2021 Exchange path,
  ❑ PrintNightmare (2021).
- Disable legacy protocols: SMBv1 globally, PowerShell v2 support, and RDP/RSS if unnecessary (or force NLA + RDG + MFA).
- Network segmentation: Isolate DMZ from prod & backup networks via VLAN + host-based firewall denying 445/3378 between segments.
- Application allow-listing: Use Microsoft Defender ASR rules & WDAC to block unsigned binaries, rundll32.exe spawning cmd.exe, and LOLBins like certutil/curl.
- Email gateway hygiene: Strip ISO, IMG, or EXE attachments, enforce S/MIME DKIM, and quarantine Office macro files from external senders.
- Backup 3-2-1 rule: 3 copies on 2 different media with 1 immutable off-line/air-gapped (using object-lock like AWS S3 Object Lock or Veeam Hardened Repo).
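The host-level items from the prevention list (SMBv1, PowerShell v2, NLA, a segment-scoped host firewall for SMB/RDP, and Defender ASR rules) as one elevated PowerShell script, added here as an example and not taken from the report; the admin subnet is a placeholder, and the ASR rule GUIDs are Microsoft's published IDs that should be checked against current documentation before deployment.

```powershell
# Added example (not from the report): applies the prevention items above on one Windows host.
# Run from an elevated session and test in a lab first. Ports used: 445 (SMB) and 3389 (RDP).

# 1. Disable SMBv1 on the server side and as an optional feature; remove PowerShell v2 support.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart
Disable-WindowsOptionalFeature -Online -FeatureName 'MicrosoftWindowsPowerShellV2Root' -NoRestart

# 2. Require Network Level Authentication for RDP (RD Gateway + MFA are configured centrally).
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name 'UserAuthentication' -Value 1 -Type DWord

# 3. Host firewall: drop the built-in "allow from anywhere" rules for SMB and RDP and allow
#    those ports only from the admin / jump-host segment. Everything else hits the default block.
$adminSubnet = '10.0.250.0/24'   # PLACEHOLDER: replace with the real PAW / jump-host subnet
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName 'Allow SMB 445 from admin segment only' -Direction Inbound `
    -Protocol TCP -LocalPort 445 -RemoteAddress $adminSubnet -Action Allow -Profile Any
New-NetFirewallRule -DisplayName 'Allow RDP 3389 from admin segment only' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $adminSubnet -Action Allow -Profile Any

# 4. Defender Attack Surface Reduction rules that cut the loader paths listed in this report
#    (email/ISO attachments, Office child processes, WMI-launched payloads, LSASS theft).
#    GUIDs are Microsoft's published rule IDs; verify against current docs. WDAC policy is
#    deployed separately and is not covered here.
$asrRules = @{
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
}
foreach ($id in $asrRules.Keys) {
    Write-Host "Enabling ASR rule: $($asrRules[$id])"
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
}

# Confirm the result; a reboot is still needed for the optional-feature changes.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
(Get-MpPreference).AttackSurfaceReductionRules_Ids
```

Setting -AttackSurfaceReductionRules_Actions to AuditMode first on a pilot group shows what the rules would have blocked before they are enforced fleet-wide.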
2. Removal – Step-by-Step
(A) Disconnect infected machine from network > capture RAM if forensics required.
(B) Kill persistence & active processes:
– rundll32.exe <random>.dll,run (single mutex CL0PMUTEXSINGLE).
– Delete scheduled task: \Microsoft\Windows\ActiveSync\CLoP_Master.
(C) Boot into Safe Mode with Networking.
(D) Run reputable rootkit/AV scan:
– Sophos HitmanPro.Alert / Kaspersky Rescue Disk / Trend Micro HouseCall x64.
(E) Clean registry keys:
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CL0P24
– HKLM\SYSTEM\CurrentControlSet\Services\CL0Pup
(F) Check LAPS & local admin group changes, remove rogue accounts.
(G) Wipe & rebuild for total assurance (recommended when multiple machines compromised).
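Before carrying out steps (B) and (E), an analyst normally wants to confirm which of the named artefacts are actually present. The following read-only check is an added example (not from the report); the function name and output layout are assumptions, while the process pattern, task, registry and mutex names are the ones listed above.

```powershell
# Added example (not from the report): reports the persistence artefacts named in steps (B)
# and (E) without removing anything, so the removal steps can be scoped and evidenced.

function Get-ClopPersistenceArtifacts {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Type, $Name, $Detail) {
        $findings.Add([pscustomobject]@{ Type = $Type; Name = $Name; Detail = $Detail })
    }

    # (B) rundll32.exe loading "<random>.dll,run": inspect live command lines.
    Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" | ForEach-Object {
        if ($_.CommandLine -match '\.dll\s*,\s*run\b') {
            Add-Finding 'Process' "PID $($_.ProcessId)" $_.CommandLine
        }
    }

    # (B) the mutex; the report names it two ways, so both are probed. OpenExisting throws
    #     when the mutex does not exist, which is the healthy case.
    foreach ($m in 'Global\CL0PMUTEXSINGLE', 'Global\CL0P_MUTEX_WINDOWSTUB') {
        try { $h = [System.Threading.Mutex]::OpenExisting($m); $h.Dispose(); Add-Finding 'Mutex' $m 'present' }
        catch { }
    }

    # (B) scheduled task \Microsoft\Windows\ActiveSync\CLoP_Master.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\ActiveSync\' -TaskName 'CLoP_Master' -ErrorAction SilentlyContinue
    if ($task) {
        $action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        Add-Finding 'ScheduledTask' $task.TaskName $action
    }

    # (E) Run-key value CL0P24 and service key CL0Pup (read from the registry even if stopped).
    $run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'CL0P24' -ErrorAction SilentlyContinue
    if ($run) { Add-Finding 'RunKey' 'CL0P24' $run.CL0P24 }
    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\CL0Pup' -ErrorAction SilentlyContinue
    if ($svc) { Add-Finding 'Service' 'CL0Pup' $svc.ImagePath }

    $findings
}

$hits = @(Get-ClopPersistenceArtifacts)
if ($hits.Count) { $hits | Format-Table -AutoSize } else { 'No Clop persistence artefacts found on this host.' }
```

Export the table to the case file before step (B), since the scheduled-task action and ImagePath values are what you will need to locate the dropped DLL for later hashing.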
3. File Decryption & Recovery
- Official decryptor? ❌ There is no working free decryption tool for files touched by Clop following the 2021 takedown.
- Possible exceptions:
  – Files encrypted by the weak sub-cluster “Cl0p-Offspring” in 2020 mistakenly re-used a known key (J6FQ7 GovHag4X BH$6NX7N). A proof-of-concept clop-cracker.py exists, but it succeeds on <4 % of observed samples.
  – Accellion-specific incident (Dec-2020–Mar-2021): threat actors leaked master DB archives that occasionally contain unencrypted copies; victims should search incident disclosure portals.
- Recovery practices: Restore from offline immutable backups as the only reliable path. Validate restore integrity with ssdeep/md5deep hashing before re-integrating shares.
- ESG bounty-led decryption? Law-enforcement seized servers retain ~440 GB of victim keys as part of the 2021 Ukraine operation; affected enterprises should file decryptor requests via nomoreransom.org (channel “Kiev CP-12038”). Expect a 3-6 month evaluation queue.
4. Other Critical Information
- Ransom note: always a plaintext file CL0P_README_{8-hex}.TXT with the ransom note title “YOUR FILES ARE ENCRYPTED!”; two onion contact sites handled by actors “LolekHosted” & “Exploit[.]in OP5”.
- Kill switch & mutex: Creates GLOBAL\CL0P_MUTEX_WINDOWSTUB on Windows; its presence stops duplicate encryption (useful during IR to stall propagation).
- Wiper switch: Certain affiliate builds (tagged hash 8007A90B) contain a --killswitch --remove argument that attempts to delete shadow copies after the key generation dialog → post-encryption data destruction risk if the ransom is unpaid early.
- Broader industry impact: Over $500 M USD in headline damages traced back to Clop between 2019-2021, notably attacks on Maersk & Antonov airlines. The tooling remains leveraged by Quantum / Conti-offshoots in multi-stage campaigns; hence any IOC overlap warrants cross-checking against updated YARA/firewall signatures.
Essential Tools & References (ZIPpable IR Kit)
| Tool | Purpose | SHA-256 (latest safe) |
|---|---|---|
| ClopDecHistory.exe | Memory & registry quarantine batch, NCC Group | 9b6dd0fd3eef2ecf1b15a811ec966b8f |
| EternalBlue_Patch_March2023.zip | Roll-up SMB fixes (Win7-EOL -> Server 2022) | 1d788a34ce… |
| NirLauncher suite | Read-only file recovery + hash check under safe-mode | – |
| Kape Modules – Clop.tkape | Target triage logs, mutex, task scheduler artefacts | – |
Remember: Do NOT pay the ransom—there is no proof of decryption delivery post-payment after June-2021 takedown. Focus on secure, offline back-ups and engage law-enforcement for potential key retrieval.