TLP Clear HC3 Analyst Report: Clop Ransomware – January 4, 2023

Executive Summary

Clop operates under the Ransomware-as-service (RaaS) model, and it was first observed in 2019. Clop was a highly used ransomware in the market and typically targeted organizations with a revenue of $5 million U.S. Dollars (USD) or higher. Since its appearance, HC3 is aware of attacks on the Health and Public Health (HPH) sector. The HPH sector has been recognized as being a highly targeted industry for the Clop ransomware.


Clop ransomware, also written as Cl0p, was first observed in February 2019 and the operators have seen very large payouts of up to $500 million USD. Clop is the successor of the CryptoMix ransomware, which is believed to have been developed in Russia and is a popular payload for groups such as FIN11 and other Russian affiliates. Like most ransomware groups, financial gain appears to be their primary goal, which they leverage through the use of the double extortion model. Through this technique the threat actor will encrypt and exfiltrate sensitive information. Sensitive data will be released on their dark web leak site if payment is not made. This model is used so the actor can have additional leverage to help collect a ransom payment.

The appearance of Clop ransomware was expected to decline in 2021 after the arrest of six ransomware operators. However, the malware continued to have non-stop activity through 2022. Additionally, it has been observed to be a potential payload from the downloader malware, TrueBot. Clop is designed to have not only have anti-analysis capabilities but also anti-virtual machine analysis to help prevent further investigations in an emulated environment.

Clop was written to target Windows systems, and some reporting samples showcase that it is a Win32 executable written in C++. The executable packet is compressed, which helps hide its functionality. The ransomware encrypts files with an RSA 1024-bit public key with RC4 that uses 117 bytes of the public key. Phishing emails have been a primary initial access vector for Clop, but reports have shown that it also exploits the following Common Vulnerabilities and Exposures (CVE): CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104, and CVE-2021-35211.

Once a network has been compromised, they have been observed to use remote desktop protocols and deploying Cobalt Strike to aid in lateral movement. Finally, after encryption is complete, the victim will be able to access a dropped README.TXT, and the encrypted file’s extension will be changed to ‘Clop’. In the ransom note, it states that the Shadow Volume Copies have been deleted and the decryption key is only available from the group, along with claiming that all the files will be deleted after two weeks have passed.

View the detailed report below. 

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

National Advisor for Cybersecurity and Risk, AHA

(O) +1 202 626 2272