S0611: Clop
Clop is a ransomware family that was first observed in February 2019 and has been used against retail, transportation and logistics, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, professional and legal services, healthcare, and high tech industries. Clop is a variant of the CryptoMix ransomware.[1][2][3]
Analyst context for executives and security teams
Clop is a Windows ransomware family documented by ATT&CK and associated with activity across many industries. Its defensive significance is not just encryption: the mapped behaviors include discovery of processes, files, shares, security software, registry modification, abuse of command shell and msiexec, service stopping, recovery inhibition, tool impairment, and data encryption for impact. For leaders, this makes Clop a useful ransomware readiness benchmark: can the organization detect preparation, containment blockers, and recovery sabotage before encryption becomes a business-continuity event?
Executive priority
Prioritize Clop as a resilience and evidence-readiness use case for Windows environments. The key business questions are whether critical file shares are monitored, whether recovery mechanisms are protected from tampering, whether SOC teams can see service stops and security-tool degradation, and whether incident responders can quickly identify affected hosts and preserve audit-quality evidence. ATT&CK also relates Clop to TA505, a cyber criminal group known for ransomware campaigns involving Clop, so threat intelligence teams should treat it as relevant context without assuming attribution in any local incident.
Technical view
Validate coverage against the ATT&CK relationships rather than relying on a single ransomware signature. For Windows endpoints, test visibility for cmd.exe execution, msiexec.exe abuse, registry changes, process and file discovery, network share discovery, security software discovery, service stop activity, recovery-inhibition behavior, security tool modification, packed or obfuscated binaries, code-signing metadata, time-based anti-analysis checks, and high-volume file encryption patterns. Because ATT&CK provides no official detection text for this object, SOC teams should map local analytics to the related techniques and verify that logs survive tool tampering and service disruption.
Likely telemetry
- Windows endpoint process creation and command-line logs
- Msiexec execution and parent-child process relationships
- Registry modification events
- File and directory enumeration activity
- Network share and SMB access/enumeration telemetry
Detection direction
- Do not depend only on ransomware hash or signature matching; the object maps to packing, obfuscation, and code-signing-related defense evasion.
- Correlate discovery activity with later impact behaviors: process discovery, security software discovery, file/share enumeration, service stops, and recovery inhibition are more meaningful together than alone.
- Tune false positives for legitimate administration tools such as cmd.exe, reg, service control, and msiexec by baselining expected administrators, software deployment systems, paths, and timing.
- Confirm alerts still fire when security tools or logging agents are stopped, modified, or degraded.
- Use the TA505 relationship as threat-intelligence context, not as automatic attribution for any observed activity.
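The correlation and tamper-awareness points above, as an added example that is not ATT&CK or Glexia code. It assumes a simplified `timestamp|host|kind|detail` event format, a 30-minute window, a 50-rename "burst" threshold and a 10-minute agent heartbeat tolerance; all of those are assumptions to tune locally, and the event lines and heartbeat times are constructed. The only page-derived specifics are the stage groupings (discovery, service stop, recovery inhibition, file encryption) and the `.clop` extension.

```python
"""Per-host correlation of Clop-style precursor and impact telemetry.

Added example, not ATT&CK or Glexia code. Event lines are constructed,
simplified Windows/Sysmon-style records: timestamp|host|kind|detail.
Window, thresholds and heartbeat tolerance are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Event kinds grouped into the stages the page says matter together.
STAGE_OF = {
    "security_software_discovery": "discovery",      # T1518.001
    "process_discovery": "discovery",                # T1057
    "share_enumeration": "discovery",                # T1135
    "service_stop": "containment_blocker",           # T1489
    "msiexec_exec": "containment_blocker",           # T1218.007
    "tool_tamper": "containment_blocker",            # Disable or Modify Tools
    "shadow_copy_delete": "recovery_sabotage",       # T1490
}
WINDOW = timedelta(minutes=30)        # assumed correlation window
RENAME_BURST = 50                     # assumed "high-volume" rename threshold
ENCRYPTED_SUFFIX = ".clop"            # extension from the page's T1486 row
MAX_SILENCE = timedelta(minutes=10)   # assumed agent heartbeat tolerance


def parse(line):
    ts, host, kind, detail = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, "detail": detail}


def stages_in_window(events):
    """Largest set of distinct stages seen inside any WINDOW-long span.

    A burst of renames to the .clop suffix counts as the impact stage; a
    handful of renames does not, so ordinary file activity stays quiet."""
    events = sorted(events, key=lambda e: e["ts"])
    best = set()
    for i, first in enumerate(events):
        stages, renames = set(), 0
        for ev in events[i:]:
            if ev["ts"] - first["ts"] > WINDOW:
                break
            if ev["kind"] == "file_rename":
                if ev["detail"].lower().endswith(ENCRYPTED_SUFFIX):
                    renames += 1
            elif ev["kind"] in STAGE_OF:
                stages.add(STAGE_OF[ev["kind"]])
        if renames >= RENAME_BURST:
            stages.add("impact")
        if len(stages) > len(best):
            best = stages
    return best


def silent_agents(heartbeats, now):
    """Hosts whose logging/EDR agent has not checked in within MAX_SILENCE."""
    return {h for h, last in heartbeats.items() if now - last > MAX_SILENCE}


def triage(lines, heartbeats, now):
    """Flag a host when two or more stages coincide; raise the priority when
    its agent has also gone quiet, because a silent agent next to precursor
    activity is a signal in itself rather than missing data."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse(line)
        by_host[ev["host"]].append(ev)
    quiet = silent_agents(heartbeats, now)
    findings = {}
    for host, events in by_host.items():
        stages = stages_in_window(events)
        if len(stages) >= 2:
            findings[host] = {"stages": sorted(stages),
                              "priority": "critical" if host in quiet else "high"}
    return findings


def _rename_burst(host, start, n):
    # Constructed burst: n renames two seconds apart, all to the .clop suffix.
    return [f"{(start + timedelta(seconds=2 * i)).isoformat()}|{host}|file_rename|"
            f"C:\\Shares\\Finance\\doc{i}.xlsx{ENCRYPTED_SUFFIX}" for i in range(n)]


SAMPLE_EVENTS = [  # constructed sample telemetry
    "2024-03-01T09:00:10|WS01|security_software_discovery|process list compared with AV product names",
    "2024-03-01T09:04:30|WS01|share_enumeration|WNetEnumResourceW over \\\\FS02",
    "2024-03-01T09:05:02|WS01|service_stop|backup agent service entered the stopped state",
    "2024-03-01T09:07:45|WS01|shadow_copy_delete|volume shadow copies removed",
    *_rename_burst("WS01", datetime(2024, 3, 1, 9, 10), 60),
    "2024-03-01T03:00:00|FS02|service_stop|print spooler stopped under a change ticket",
    "2024-03-01T03:00:05|FS02|file_rename|C:\\Shares\\HR\\policy-draft.docx",
    "2024-03-01T11:20:00|WS03|share_enumeration|net view during a helpdesk session",
]
SAMPLE_HEARTBEATS = {  # constructed last check-in per agent
    "WS01": datetime(2024, 3, 1, 9, 6),
    "FS02": datetime(2024, 3, 1, 9, 29),
    "WS03": datetime(2024, 3, 1, 9, 28),
}
NOW = datetime(2024, 3, 1, 9, 30)

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS, SAMPLE_HEARTBEATS, NOW).items():
        print(host, verdict["priority"], ", ".join(verdict["stages"]))
```

Run as a script, only WS01 is reported: FS02 shows a single service stop and a benign rename, WS03 a single share enumeration, and neither reaches the two-stage bar. WS01 is marked critical rather than high because its agent stopped reporting a minute after the service stop, which is exactly the case the detection direction says must still surface.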
Mitigation priorities
- Harden and monitor Windows endpoints and servers that host business-critical files and shares.
- Protect backups and recovery features from endpoint-level tampering, and test restore procedures independently of production hosts.
- Restrict and monitor administrative utilities and living-off-the-land execution paths such as command shell, registry tools, service control, and msiexec where operationally feasible.
- Ensure endpoint security tooling, logging agents, and alert pipelines have tamper monitoring and operational health checks.
- Segment access to shared storage and critical services so discovery and encryption on one host does not automatically create enterprise-wide impact.
Analyst notes and limits
ATT&CK lists Clop as a Windows ransomware family and a CryptoMix variant first observed in February 2019, with cited reporting across retail, transportation and logistics, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, professional and legal services, healthcare, and high tech industries. The most useful defensive value comes from the mapped techniques and the TA505 relationship, which together support ransomware preparedness, SOC validation, and incident-response planning.
No official ATT&CK detection guidance is provided for this object, and tactics are not specified on the malware object itself. Platform scope should be treated as Windows for Clop based on the supplied object, even though some related technique descriptions list additional platforms. Local telemetry, asset criticality, backup architecture, and control configuration are required to determine actual exposure or detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1518.001 | Security Software Discovery (sub-technique) | Clop can search for processes with antivirus and antimalware product names.[1][2] |
| Enterprise | T1489 | Service Stop | Clop can kill several processes and services related to backups and security solutions.[3][1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Clop has used a simple XOR operation to decrypt strings.[1] |
| Enterprise | T1106 | Native API | Clop has used built-in API functions such as WNetOpenEnumW(), WNetEnumResourceW(), WNetCloseEnum(), GetProcAddress(), and VirtualAlloc().[1][2] |
| Enterprise | T1497.003 | Time Based Checks (sub-technique) | Clop has used the |
| Enterprise | T1027.002 | Software Packing (sub-technique) | Clop has been packed to help avoid detection.[1][2] |
| Enterprise | T1614.001 | System Language Discovery (sub-technique) | Clop has checked the keyboard language using the GetKeyboardLayout() function to avoid installation on Russian-language or other Commonwealth of Independent States-language machines; it will also check the |
| Enterprise | T1083 | File and Directory Discovery | Clop has searched folders and subfolders for files to encrypt.[1] |
| Enterprise | T1057 | Process Discovery | Clop can enumerate all processes on the victim's machine.[1] |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | Clop can use cmd.exe to help execute commands on the system.[2] |
| Enterprise | T1553.002 | Code Signing (sub-technique) | Clop can use code signing to evade detection.[3] |
| Enterprise | T1112 | Modify Registry | Clop can make modifications to Registry keys.[2] |
| Enterprise | T1135 | Network Share Discovery | Clop can enumerate network shares.[1] |
| Enterprise | T1490 | Inhibit System Recovery | Clop can delete the shadow volumes with |
| Enterprise | T1486 | Data Encrypted for Impact | Clop can encrypt files using AES, RSA, and RC4 and will add the ".clop" extension to encrypted files.[1][3][2] |
| Enterprise | T1685 | Disable or Modify Tools | Clop can uninstall or disable security products.[2] |
| Enterprise | T1218.007 | Msiexec (sub-technique) | Clop can use msiexec.exe to disable security tools on the system.[2] |
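The T1140 row says Clop decrypts its strings with a simple XOR operation. For an analyst triaging a similar sample, the useful defensive tool is a string-recovery helper; the one below is an added example, not code from the cited reports or from ATT&CK. The page does not state the key length or value, so a single-byte key is an assumption, and the sample blob is constructed by encoding a made-up string with the key 0x5A.

```python
"""Single-byte XOR string recovery for triage of samples that, like the
Clop reporting cited on this page, decrypt strings with a simple XOR.

Added example; the single-byte key is an assumption and the sample blob
is constructed here by encoding a made-up string with key 0x5A.
"""
import string

# Printable ASCII minus the vertical tab and form feed, which rarely occur in real strings.
PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")


def xor_bytes(data, key):
    """XOR every byte with a one-byte key; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def printable_ratio(data):
    """Share of bytes that are printable ASCII; 0.0 for an empty input."""
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def english_score(data):
    """Crude English likelihood: share of bytes that are lowercase letters or spaces.
    Any key other than the right one moves spaces out of that set, which breaks
    the ties that a printable-only ranking leaves between neighbouring keys."""
    return sum(1 for b in data if b == 0x20 or 0x61 <= b <= 0x7A) / len(data) if data else 0.0


def xor_candidates(blob, min_printable=0.90):
    """Try all 256 keys; return (key, text) pairs whose output is mostly
    printable, ranked best English score first, then lower key first."""
    scored = []
    for key in range(256):
        out = xor_bytes(blob, key)
        if printable_ratio(out) >= min_printable:
            scored.append((-english_score(out), key, out))
    scored.sort()
    return [(key, out.decode("ascii", "replace")) for _, key, out in scored]


def recover(blob):
    """Top (key, text) candidate for a blob, or None when nothing is printable."""
    cands = xor_candidates(blob)
    return cands[0] if cands else None


# Constructed sample: a made-up note fragment, XORed with 0x5A.
SAMPLE_PLAINTEXT = b"All of your files are encrypted with the .clop extension."
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    for key, text in xor_candidates(SAMPLE_BLOB)[:5]:
        print(f"key=0x{key:02x} {text!r}")
```

Ranking on lowercase letters and spaces rather than on printability alone matters: several keys adjacent to the real one turn the whole sample into printable punctuation and case-flipped letters, so a printable-only filter returns a tie. Treat the result as a lead to confirm against the binary, not as proof of the encoding scheme.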
Groups, software, and campaigns
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 5d5bb2e6bbae… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Mcafee Clop Aug 2019: Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021.
- [2] Cybereason Clop Dec 2020: Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021.
- [3] Unit42 Clop April 2021: Santos, D. (2021, April 13). Threat Assessment: Clop Ransomware. Retrieved July 30, 2021.
- [4] Clop (Citation: Mcafee Clop Aug 2019)(Citation: Cybereason Clop Dec 2020)
- [5] mitre-attack S0611
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.