Clop Ransomware: Overview, Working Style, and Preventive Measures

by Duocircle


Clop Ransomware was first discovered by Michael Gillespie in 2019. It’s a developing family of ransomware that encrypts all data in a company’s digital ecosystem, and hackers demand money to decrypt and give back access. The malware is packed covertly and smartly to hide its inner workings.

This developing ransomware has exploited MOVEit Transfer and MOVEit Cloud vulnerabilities to extort over $500 million from several enterprises, including multinational energy companies and at least two leading US universities. 


Defining Clop Ransomware

Clop is a Russian-speaking malicious actors’ gang. Clop Ransomware is a variant of CryptoMix Ransomware that they use to encrypt files by renaming them and appending the .clop extension. Its name is derived from the Russian word ‘Klop,’ which literally means ‘bed bug.’ Clop commonly targets data backups, financial records, emails, medical reports, vouchers, email lists, highly confidential files, etc.

It may also be used to disable Windows Defender and remove Microsoft Security Essentials to gain unauthorized access to a system.

Clop users avoid victims in former Soviet countries and don’t breach systems operating in Russia.


Operating Methods

Threat actors involve Clop in big phishing campaigns by sending emails containing malicious HTML attachments that take recipients to a macro-enabled document for covertly installing a loader named Get2. Get2 helps download other infected tools and programs like SDBOT, FlawedAmmyy, and Cobalt Strike

After gaining unauthorized access to the target’s system, the adversaries engage in reconnaissance, lateral movement, and exfiltration. Next, they use coercion tactics by sending negotiation emails to the target, threatening to publicize the compromised information if the demanded ransom is not paid within the time frame specified by them. There have been instances where the stolen data was leaked on websites like Cl0p_-Leaks.

Recent reports indicate that Clop has started using the TrueBot malware for network access. The loader utilized by the “Silence” hacker group, impacting over 1,500 systems globally in 2023, is linked to these activities.

Some of its recent variants are “CIIp,”. “Cllp,”.C_L_O_P,” “ClopReadMe.txt,” “README_README.txt,” “Cl0pReadMe.txt, “ and “READ_ME_!!.TXT.”


The Infamous Clop Ransomware Attack on the German Tech Giant- Software AG

German tech giant Software AG faced a ransomware attack on October 3, 2020, attributed to Clop Ransomware. The attackers demanded a $20 million ransom to prevent the publication of internal company data, including employees’ passports, health bills, and emails, and they also published a screenshot with a folder that had additional data potentially stolen from Software AG.



However, the company refused to pay the ransom, and consequently, the attackers began publishing internal information, including the personal details of Software AG’s CEO, Sanjay Brahmawar. The company officially disclosed the attack on October 5, referring to it as a “malware attack.” 

As per the spokesperson, the ransomware only hit the company’s internal network, while customer cloud services were safe and unaffected. The company had to shut down the internal systems to control the damage, which consequently affected operations at various levels.

As per the latest information, the recovery status remains unknown, and the company experienced technical issues a week later.


MOVEit Exploitation- 2023

In 2023, Clop attempted many detailed and complicated cyberattacks that empowered them to demand even higher ransom payments. Specifically, the group targeted data theft by exploiting a zero-day vulnerability in MOVEit Transfer, aiming to counter the overall decrease in ransom payments by seeking substantial amounts from their victims.

Throughout 2023, this Russian-speaking ransomware gang took credit for breaking into systems of big companies like BBC, British Airways, Estee Lauder, 1st Source, First National Bankers Bank (USA), Putnam Investments (USA), Landal Greenparks (Netherlands), Shell (UK), the New York City Department of Education, and Ernst & Young. 

 As of July 2023, it is estimated that the Clop Ransomware gang could potentially earn between $75-100 million from their extortion attacks exploiting the MOVEit Transfer vulnerability.

All these numbers and incidents are scary, underlining the importance of establishing and practicing stringent ransomware protection measures.


Protecting Your Businesses and Employees

Protecting against Clop Ransomware, like other ransomware variants, involves a combination of technical measures, phishing awareness training, and proactive security practices. Here are some preventive measures:


Regular Data Backups

Establish a proper system for backing up data and regularly test it to ensure it is working properly and that you can download high-quality backups. It’s suggested that you follow the 3-2-1 backup rule, according to which you need to maintain 3 copies of your data on 2 different storage media along with 1 offsite backup.


Update Software and Systems

Regular updates should include security patches as they address vulnerabilities discovered in software.  Additionally, software updates often include improvements in security features, bug fixes, and advancements in threat detection capabilities. Therefore, keeping software and systems up-to-date ensures that the latest security measures are in place, providing a stronger defense against potential Clop Ransomware attacks.



Employee Training

Make it a part of your onboarding and quarterly training to acquaint employees with the red flags of a ransomware attack. They should know the exact process of reporting these to the person or team in charge. Moreover, instill the practice of confirming unusual requests gotten through emails by calling or meeting the senders. This double-checking should be prioritized for sharing confidential details and transferring money.


Network Segmentation

Network segmentation means dividing your computer network into smaller and isolated segments so that attackers don’t get access to an extensive ecosystem. Segmentation also helps in managing systems in a more organized and effective manner from a cybersecurity point of view.

Common techniques used for network segmentation include the use of VLANs (Virtual Local Area Networks), firewalls, routers, and access controls. Implementation varies based on the organization’s specific needs, infrastructure, and security policies.


Email Filtering

Email filtering systems can detect incoming emails for malicious attachments or ransomware payloads and hence block their entry, preventing users from visiting sites that could lead to ransomware infections.

Advanced email filtering solutions use content analysis and behavioral pattern recognition to identify suspicious patterns in email content. This includes analyzing the language used, the structure of the email, and the sender’s behavior. 


Multi-Factor Authentication

Multi-factor authentication keeps your data safe even if your passwords are compromised. The additional security level measures include biometrics, OTPs, confirmation through notifications, etc.


Endpoint Protection

Endpoint protection solutions include anti-malware features that scan and analyze files and links to compare them with known Clop Ransomware signatures. Some endpoint protection solutions use the sandboxing method, which involves running suspicious files in a controlled environment to observe their behavior. If a file shows ransomware-like behavior in the sandbox, the endpoint protection system stops its execution and gets rid of it.


Image sourced from


By integrating the right phishing prevention measures and being vigilant, you can prevent most types of cybercrimes, including ransomware. The cyber threat landscape is ever-evolving, and CISOs must keep up.

Pin It on Pinterest

Share This