216.73.216.6

Clop

· Published 20/12/2025 08:54 · Modified 28/01/2026 15:52 · Source: Ransomware.Live

Essential information

Confidence
100/100
Published
20/12/2025 08:54
Modified
28/01/2026 15:52
Updated at
28/01/2026 15:52
Revoked
No
Author / Source
Ransomware.Live
Resource level
Primary motivation
Related entities
3 reports, 34 attack patterns (mitre), 41 malware, 26 sectors, 15 countries, 63 indicators, 21 vulnerabilities (cve), 4 organization

Description

The ransomware group known as Cl0p is a variant of a previously known strain dubbed CryptoMix. It is worth noting that this variant was delivered as the final payload in a phishing campaign in 2019 and was exclusively financially motivated, with attacks carried out by the threat actors TA505.<br> <br> At that time, malicious actors sent phishing emails that led to a macro-enabled document that would drop a loader called 'Get2.' After gaining an initial foothold in the system or infrastructure, the actors began using reconnaissance, lateral movement, and exfiltration techniques to prepare for the deployment of the ransomware.<br> <br> After the execution of the ransomware, Cl0p appends the extension '.clop' to the end of files, or other types of extensions such as '.CIIp, .Cllp, and .C_L_O_P,' as well as different versions of the ransom note that were also observed after encryption. Depending on the variant, any of the ransom text files were created with names like 'ClopReadMe.txt, README_README.txt, Cl0pReadMe.txt, and READ_ME_!!!.TXT.'<br> <br> The Clop operation has shifted from delivering its final payload via phishing and has begun initiating attacks using vulnerabilities that resulted in the exploitation and infection of victims' infrastructures.<BR>Source: https://github.com/crocodyli/ThreatActors-TTPs

Marking (TLP)

TLP:CLEAR

Labels

ransomware

Related entities

Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.