CLOP Ransomware: Raising the Ransom Stakes

Airgap Networks
7 min read · Mar 24, 2021
CLOP targeted attacks

A new trend is emerging among ransomware groups where they prioritize stealing data from workstations used by top executives and managers in order to obtain “juicy” information that they can later use to pressure and extort a company’s top brass into approving large ransom payouts.

The CLOP ransomware gang is prioritizing the theft of data from workstations used by executives in the hope of finding valuable information to use in the extortion process.

The group sifts through a manager’s files and emails, and exfiltrates data that they think might be useful in threatening, embarrassing, or putting pressure on a company’s management — the same people who’d most likely be in charge of approving their ransom demand days later.

CLOP was first observed as a new ransomware strain in 2019, and it has kept improving since. CLOP’s main purpose is to encrypt all files in an enterprise and demand a payment in exchange for a decryptor that restores the affected files.

CLOP is distributed via fake software updates, trojans, unofficial software download sources, and spam emails. In a recent attack on an Indian organization, it is suspected that a bug in the Citrix Netscaler ADC VPN gateway was used to carry out the attack. Unfortunately, as of now, no decryptor tool is available for CLOP ransomware[1].

Once CLOP has infected a PC, the operators leak the stolen information if ransom negotiations fail. Recently the threat actors behind CLOP have stolen and encrypted the sensitive information of various organizations. When the ransom was not paid, the stolen information was leaked on their “CL0P^_- LEAKS” data leak site, hosted on the dark web[2]. The leaked information includes data backups, financial records, thousands of emails, vouchers, etc.

CLOP ransomware uses the RSA (Rivest-Shamir-Adleman) encryption algorithm, and the generated keys are stored on a remote server controlled by the CLOP operators. Updated versions of CLOP have tried to expand their attack vectors by disabling and removing local security solutions such as Windows Defender and Microsoft Security Essentials. This ransomware is also capable of installing additional password-stealing Trojans and other malware[3].

CLOP ransomware belongs to the CryptoMix ransomware family. The ransom note indicates that the attackers are targeting an entire network rather than an individual computer. Like Maze and REvil, CLOP steals data before encrypting the company’s systems. Even if the company refuses to pay the ransom, the operators can still profit by selling the stolen data on dark web markets.

Technical Details

CLOP ransomware’s executable code is distributed with legitimate digital signatures, so the code looks more trustworthy and may help it bypass some security solutions.

After execution, CLOP searches for specific strings in order to stop particular Windows services and processes and thereby disable antivirus software.

CLOP also stops other programs, including newer Windows 10 apps, popular text editors, debuggers, programming languages, terminal programs, and IDEs. The CLOP attackers use a batch script to delete Volume Shadow Copies, resize the Volume Shadow Copy storage so that recovery from it is no longer possible, and disable the recovery option in the boot process.
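The three recovery-inhibiting actions just described (deleting shadow copies, shrinking shadow storage, and disabling boot recovery) are loud in process-creation telemetry, which makes them a good early-warning signal. The script below is an added detection example written for this post; it is not code from the original article or from Airgap. The Sysmon-style `key="value"` event lines, the host names, and the alert thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Each rule corresponds to one of the recovery-inhibiting actions the
# write-up attributes to the CLOP batch script (MITRE ATT&CK T1490).
INHIBIT_RECOVERY_RULES = {
    "shadow_copy_delete": re.compile(
        r"(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)",
        re.I),
    "shadow_storage_resize": re.compile(
        r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage", re.I),
    "boot_recovery_disable": re.compile(
        r"bcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)",
        re.I),
}

# Constructed process-creation events in a Sysmon-like key="value" form.
# Host names and parent images are invented; the fifth line is a benign
# backup agent enumerating shadow copies and must not fire.
SAMPLE_EVENTS = [
    'Computer="WS-FIN-07" ParentImage="cmd.exe" CommandLine="vssadmin delete shadows /all /quiet"',
    'Computer="WS-FIN-07" ParentImage="cmd.exe" CommandLine="vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"',
    'Computer="WS-FIN-07" ParentImage="cmd.exe" CommandLine="bcdedit /set {default} recoveryenabled No"',
    'Computer="WS-FIN-07" ParentImage="cmd.exe" CommandLine="bcdedit /set {default} bootstatuspolicy ignoreallfailures"',
    'Computer="SRV-BACKUP-01" ParentImage="backupagent.exe" CommandLine="vssadmin list shadows"',
    'Computer="WS-HR-12" ParentImage="cmd.exe" CommandLine="wmic shadowcopy delete"',
]


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    command_line: str


def parse_event(line):
    """Turn one key="value" event line into a dict."""
    return {k: v for k, v in re.findall(r'(\w+)="([^"]*)"', line)}


def detect(events):
    """Return one Alert per (event, rule) match, in input order."""
    alerts = []
    for line in events:
        ev = parse_event(line)
        cmd = ev.get("CommandLine", "")
        for rule, pattern in INHIBIT_RECOVERY_RULES.items():
            if pattern.search(cmd):
                alerts.append(Alert(ev.get("Computer", "unknown"), rule, cmd))
    return alerts


def hosts_with_chained_tampering(alerts, min_rules=2):
    """Hosts on which several distinct recovery-inhibiting rules fired.

    A single vssadmin call can be an admin at work; several different
    techniques on one host in the same window is the pre-encryption
    pattern the write-up describes, so it is reported separately.
    """
    seen = defaultdict(set)
    for alert in alerts:
        seen[alert.host].add(alert.rule)
    return sorted(host for host, rules in seen.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for alert in found:
        print(f"{alert.host:14} {alert.rule:24} {alert.command_line}")
    print("hosts with chained tampering:", hosts_with_chained_tampering(found))
```

On the constructed sample this yields five alerts (the benign `vssadmin list shadows` is ignored) and flags only `WS-FIN-07`, where three different rules fired, as a host that warrants an immediate response. In production the same logic would consume Sysmon Event ID 1 or Security Event 4688 records and add the parent process and user context to the alert.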

The ransomware encrypts files, appends a .CLOP or .CIOP extension to each encrypted file’s name, and creates a ransom note named “CIopReadMe.txt”. As in other ransomware operations, the CLOP attackers also publish victims’ data on the dark web for sale.
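The file extensions and ransom note name above are the on-disk indicators an incident responder can sweep for to measure how far encryption spread. The following is an added example written for this post, not code from the original article or from Airgap; it builds a small constructed directory tree (invented file names) and then walks it, matching both the `.CLOP` extension and the `.CIOP` lookalike case-insensitively.

```python
import os
import tempfile
from collections import Counter

# Indicators from the write-up: encrypted files receive a .CLOP or .CIOP
# extension (note the capital I lookalike) and a ransom note named
# CIopReadMe.txt is dropped. Matched case-insensitively to be safe.
ENCRYPTED_EXTENSIONS = {".clop", ".ciop"}
RANSOM_NOTE_NAMES = {"ciopreadme.txt"}


def scan_tree(root):
    """Walk root; return (list of ransom note paths, Counter of encrypted files per directory)."""
    notes = []
    encrypted_per_dir = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower in RANSOM_NOTE_NAMES:
                notes.append(os.path.join(dirpath, name))
            elif os.path.splitext(lower)[1] in ENCRYPTED_EXTENSIONS:
                encrypted_per_dir[dirpath] += 1
    return notes, encrypted_per_dir


def summarize(root):
    """Condense a scan into the numbers a responder reports first."""
    notes, per_dir = scan_tree(root)
    return {
        "ransom_notes": len(notes),
        "encrypted_files": sum(per_dir.values()),
        "affected_dirs": len(per_dir),
    }


def build_sample_tree():
    """Create a constructed, empty-file layout that mimics a partially encrypted share."""
    root = tempfile.mkdtemp(prefix="clop_ioc_demo_")
    layout = {
        "finance": ["budget.xlsx.CLOP", "q4.docx.CLOP", "CIopReadMe.txt"],
        "hr": ["payroll.csv.CIOP", "CIopReadMe.txt"],
        "public": ["readme.txt", "logo.png"],  # untouched directory
    }
    for sub, names in layout.items():
        directory = os.path.join(root, sub)
        os.makedirs(directory)
        for name in names:
            open(os.path.join(directory, name), "w").close()
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    print(summarize(sample_root))
    # {'ransom_notes': 2, 'encrypted_files': 3, 'affected_dirs': 2}
```

Pointing `scan_tree` at a real share root gives a per-directory count that shows where encryption started and how far it reached, which is useful both for scoping restores and for deciding which file servers to isolate first.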

Usage of DNS Fast Flux Attack

There is some thought that the Russian TA505 group may be the primary threat actor behind the CLOP attacks. TA505 also goes by the name Hive00656. A closer review of MITRE ATT&CK shows that the group has used fast flux to mask botnets by spreading payloads across multiple IPs; the specific technique is Enterprise T1568.001.

Per MITRE, “Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it, which are swapped with high frequency, using a combination of round-robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.”[4]

The simplest, “single-flux” process involves registering and deregistering addresses as part of the DNS A (address) record list for a single DNS name. These registrations typically have a lifespan of about five minutes, resulting in a constant shuffle of IP address resolution. In contrast, the “double-flux” method registers and de-registers addresses as part of the DNS Name Server (NS) record list for the DNS zone, providing additional resilience for the connection. With double-flux, the added hosts can act as proxies to the C2 host, further insulating the actual source of the C2 channel.[5]
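The single-flux and double-flux behaviours described above leave a measurable footprint in passive DNS data: a name that resolves to many addresses spread across many networks, each answer carrying a short TTL, and, for double-flux, a zone whose name servers themselves show that pattern. The script below is an added example written for this post, not code from the original article or from Airgap. The passive-DNS records, the domain names (under the reserved `.test` TLD), the private-range addresses and the detection thresholds (at least 8 distinct IPs, at least 4 distinct /24 networks, mean TTL of 300 seconds or less, matching the five-minute lifespan quoted above) are all assumptions made for the illustration.

```python
import ipaddress
import statistics
from collections import defaultdict


def _flux_ips(seed):
    """Ten constructed private addresses, each in a different /24, to mimic a rotating pool."""
    return [f"10.{seed}.{(i * 17) % 256}.{(i * 7) % 250 + 1}" for i in range(10)]


# Constructed passive-DNS observations: (qname, rtype, rdata, ttl).
SAMPLE_RECORDS = (
    # legitimate-looking CDN name: a few addresses in one /24, 5-minute TTL
    [("cdn.example.test", "A", f"203.0.113.{10 + i}", 300) for i in range(4)]
    # plain web host: one address, long TTL
    + [("www.example.test", "A", "203.0.113.50", 3600)]
    # single-flux name: many addresses across many networks, short TTL
    + [("update.example.test", "A", ip, 180) for ip in _flux_ips(1)]
    # the zone's name servers; ns1 is itself fluxing (double-flux), ns2 is static
    + [("example.test", "NS", "ns1.example.test", 600),
       ("example.test", "NS", "ns2.example.test", 600)]
    + [("ns1.example.test", "A", ip, 120) for ip in _flux_ips(2)]
    + [("ns2.example.test", "A", "203.0.113.200", 3600)]
)


def a_record_stats(records):
    """Aggregate A-record answers per name: distinct IPs, distinct /24s, observed TTLs."""
    stats = defaultdict(lambda: {"ips": set(), "prefixes": set(), "ttls": []})
    for qname, rtype, rdata, ttl in records:
        if rtype != "A":
            continue
        entry = stats[qname.lower()]
        entry["ips"].add(rdata)
        entry["prefixes"].add(ipaddress.ip_network(f"{rdata}/24", strict=False))
        entry["ttls"].append(ttl)
    return stats


def is_single_flux(entry, min_ips=8, min_prefixes=4, max_ttl=300):
    """Heuristic: many addresses, spread across networks, rotated on short TTLs."""
    return (len(entry["ips"]) >= min_ips
            and len(entry["prefixes"]) >= min_prefixes
            and statistics.mean(entry["ttls"]) <= max_ttl)


def classify(records, **thresholds):
    """Return (names showing single-flux, zones showing double-flux)."""
    stats = a_record_stats(records)
    single = {name for name, entry in stats.items() if is_single_flux(entry, **thresholds)}
    # Double-flux: the zone's NS hosts are themselves fluxing A names.
    nameservers = defaultdict(set)
    for qname, rtype, rdata, _ttl in records:
        if rtype == "NS":
            nameservers[qname.lower()].add(rdata.lower())
    double = {zone for zone, servers in nameservers.items() if servers & single}
    return single, double


if __name__ == "__main__":
    single_flux, double_flux = classify(SAMPLE_RECORDS)
    print("single-flux names:", sorted(single_flux))   # ['ns1.example.test', 'update.example.test']
    print("double-flux zones:", sorted(double_flux))   # ['example.test']
```

The CDN name is deliberately included to show why TTL alone is not enough: it also uses a five-minute TTL, but its addresses sit in one /24, so the network-spread test keeps it out of the flagged set. Real deployments would feed this from a passive-DNS sensor or resolver logs and tune the thresholds against known CDNs before alerting.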

Several threat researchers have tied TA505 to CLOP deployment. As of today, the TA505 group profile in MITRE ATT&CK does not list CLOP ransomware among the group’s tools, so, once again, this connection is under investigation and review as the white hats continue to track CLOP activity worldwide.

Recent attacks by CLOP ransomware

CLOP ransomware operators have been targeting various organizations at a steady pace since mid-2019, mostly using social engineering and malicious spam emails as attack vectors.

1. The CLOP ransomware gang hit the network of German enterprise software giant Software AG recently, asking for a ransom of $23 million after stealing employee information and company documents. Software AG is a software company headquartered in Darmstadt, Germany, with more than 5,000 employees and operations in over 70 countries around the globe[6].

2. The Indian conglomerate, which has subsidiaries in the personal finance, housing and lending, infrastructure, and pharmaceuticals sectors, was recently hit by a CLOP ransomware attack. After the attack, the CLOP threat actors uploaded screenshots of six stolen files on their ‘CL0P^_- LEAKS’ data leak site, with the message “Contact us in 24H.” The documents included vouchers, reports, and some spreadsheets linked to the subsidiary companies Indiabulls Pharmaceuticals and Indiabulls Housing Finance Limited. It is assumed (but not confirmed) that the hackers used a bug in the Citrix Netscaler ADC VPN gateway to carry out the attack[7].

3. In April 2020, the CLOP ransomware operators leaked files stolen from ExecuPharm, a US-based pharmaceutical company, after ransom negotiations allegedly failed. The attackers had stolen 163 GB of financial, accounting, and employee documents, as well as SQL backups[8].

4. In March 2020, the CLOP ransomware operators targeted UK-based EV Cargo Logistics and leaked its data after the ransom demand was not met. The data included sensitive files such as network drive passwords, client information, and financial summaries[9].

Preventive & Corrective Actions

Some of the best-known countermeasures against CLOP include:

- Employ content scanning and filtering on the organization’s mail servers. Inbound e-mails should be scanned for known threats, and any attachment types that could pose a threat should be blocked.

- Ensure all systems and software are up-to-date with relevant security patches.

- Turn off file sharing if it is not required. If file sharing is required, use ACLs and password protection to restrict access. Disable anonymous access to shared folders, and grant access to folders that must be shared only to user accounts with strong passwords.

- Limit the number of third-party vendors and employees with access to RDP connections, and create a user group that is permitted remote access.

- Use strong passwords and multi-factor authentication on Remote Desktop.

Airgap Defense: Airgap’s Zero Trust Isolation technology blocks all unauthorized movement within the corporate environment.

The CLOP ransomware group is not alone in taking this new tack of publishing stolen data to incentivize ransom payments. Since April this year, about two dozen threat actors have set up similar data leak sites on which they publish stolen data after a ransom demand goes unpaid. These groups also tend to be the ones that target larger organizations and make larger ransom demands.

This latest trend has greatly complicated the ransomware defense picture. Companies now face not only downtime and data loss but also the threat of disclosure of confidential information and data breach fines for failing to guard personal information.

Airgap Defense: Airgap prevents any lateral scanning attempt. Under Zero Trust, if an intruder breaches the perimeter controls, exploits a misconfiguration, or bribes an insider, they will have extremely restricted access to sensitive data, and safety measures will be in place to identify and respond to suspicious data access before it becomes a threat.

About Airgap Networks

Ransomware threats are growing rapidly. While there are a whole bunch of security companies that are trying to prevent ransomware from getting into your network, Airgap’s “Zero Trust Isolation Platform” protects your organization even if your perimeter is breached or if you have unpatched vulnerable servers inside your data center. Additionally, Airgap’s “Ransomware Kill Switch” is the most potent ransomware response for the IT organization. Airgap can be deployed in minutes without any agents, forklift upgrades, or design changes. The company is founded by highly experienced cybersecurity experts and the solution is trusted by large enterprises and service providers. For more details, check out

Airgap Networks

Zero Trust Isolation — The Best Defense Against Ransomware Propagation.