Clop (cl0p): What You Need to Know

The Clop ransomware group

Clop (also known as Cl0p) is an extortionist ransomware-type malware that originated in 2019 and operates on the Ransomware-as-a-Service (RaaS) model. It is a variant of the CryptoMix ransomware family and there have been several improved versions of the malware.

How it works

Examining the ransomware itself, cl0p is a Win32 PE file that is distributed using executables that have been digitally signed by a verified signer—which makes it appear more legitimate, helping it bypass security software detection. Once the ransomware strain infiltrates the system, it then attempts to disable Windows Defender and remove the Microsoft Security Essentials.

For the last two years, the ransomware gang has stayed outside the spotlight ever since their high-profile attack on Accellion, which led to the arrest of six of their operators at the hands of the Ukrainian government. However, the group has made significant impacts on the cyber threat landscape.

Cl0p ransomware TTPs

Since their origination in 2019, Flashpoint has observed the ransomware group use several tools in their digital arsenal. The ransomware gang has used DDoS attacks and various phishing tactics to infect target organizations with their ransomware strain. However, cl0p has recently leveraged potent vulnerability exploits to gain notoriety.

Notable ransomware attacks

In 2023, Clop made headlines leveraging two vulnerability exploits against their victims: GoAnywhere MFT and MOVEit. We’ve previously examined the full details of both of these attacks, and both data compromise events resulted in hundreds of victims being listed on the clop ransomware leak site.