Live Active security incident? Get immediate response
MITRE ATT&CK® Malware

S0611: Clop

Clop is a ransomware family that was first observed in February 2019 and has been used against retail, transportation and logistics, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, professional and legal services, healthcare, and high tech industries. Clop is a variant of the CryptoMix ransomware.[1][2][3]

EnterpriseS0611MalwareObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Clop is a Windows ransomware family documented by ATT&CK and associated with activity across many industries. Its defensive significance is not just encryption: the mapped behaviors include discovery of processes, files, shares, security software, registry modification, abuse of command shell and msiexec, service stopping, recovery inhibition, tool impairment, and data encryption for impact. For leaders, this makes Clop a useful ransomware readiness benchmark: can the organization detect preparation, containment blockers, and recovery sabotage before encryption becomes a business-continuity event?

Executive priority

Prioritize Clop as a resilience and evidence-readiness use case for Windows environments. The key business questions are whether critical file shares are monitored, whether recovery mechanisms are protected from tampering, whether SOC teams can see service stops and security-tool degradation, and whether incident responders can quickly identify affected hosts and preserve audit-quality evidence. ATT&CK also relates Clop to TA505, a cyber criminal group known for ransomware campaigns involving Clop, so threat intelligence teams should treat it as relevant context without assuming attribution in any local incident.

Technical view

Validate coverage against the ATT&CK relationships rather than relying on a single ransomware signature. For Windows endpoints, test visibility for cmd.exe execution, msiexec.exe abuse, registry changes, process and file discovery, network share discovery, security software discovery, service stop activity, recovery-inhibition behavior, security tool modification, packed or obfuscated binaries, code-signing metadata, time-based anti-analysis checks, and high-volume file encryption patterns. Because ATT&CK provides no official detection text for this object, SOC teams should map local analytics to the related techniques and verify that logs survive tool tampering and service disruption.

Likely telemetry

  • Windows endpoint process creation and command-line logs
  • Msiexec execution and parent-child process relationships
  • Registry modification events
  • File and directory enumeration activity
  • Network share and SMB access/enumeration telemetry

Detection direction

  • Do not depend only on ransomware hash or signature matching; the object maps to packing, obfuscation, and code-signing-related defense evasion.
  • Correlate discovery activity with later impact behaviors: process discovery, security software discovery, file/share enumeration, service stops, and recovery inhibition are more meaningful together than alone.
  • Tune false positives for legitimate administration tools such as cmd.exe, reg, service control, and msiexec by baselining expected administrators, software deployment systems, paths, and timing.
  • Confirm alerts still fire when security tools or logging agents are stopped, modified, or degraded.
  • Use the TA505 relationship as threat-intelligence context, not as automatic attribution for any observed activity.

Mitigation priorities

  • Harden and monitor Windows endpoints and servers that host business-critical files and shares.
  • Protect backups and recovery features from endpoint-level tampering, and test restore procedures independently of production hosts.
  • Restrict and monitor administrative utilities and living-off-the-land execution paths such as command shell, registry tools, service control, and msiexec where operationally feasible.
  • Ensure endpoint security tooling, logging agents, and alert pipelines have tamper monitoring and operational health checks.
  • Segment access to shared storage and critical services so discovery and encryption on one host does not automatically create enterprise-wide impact.
Analyst notes and limits

ATT&CK lists Clop as a Windows ransomware family and a CryptoMix variant first observed in February 2019, with cited reporting across retail, transportation and logistics, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, professional and legal services, healthcare, and high tech industries. The most useful defensive value comes from the mapped techniques and the TA505 relationship, which together support ransomware preparedness, SOC validation, and incident-response planning.

No official ATT&CK detection guidance is provided for this object, and tactics are not specified on the malware object itself. Platform scope should be treated as Windows for Clop based on the supplied object, even though some related technique descriptions list additional platforms. Local telemetry, asset criticality, backup architecture, and control configuration are required to determine actual exposure or detection coverage.

Official MITRE ATT&CK definition

Clop

Clop is a ransomware family that was first observed in February 2019 and has been used against retail, transportation and logistics, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, professional and legal services, healthcare, and high tech industries. Clop is a variant of the CryptoMix ransomware.[1][2][3]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

17 rows
Domain ID Name Relationship / procedure
Enterprise T1518.001 Security Software Discovery Sub-technique

Clop can search for processes with antivirus and antimalware product names.[1][2]
Enterprise T1489 Service Stop

Clop can kill several processes and services related to backups and security solutions.[3][1]
Enterprise T1140 Deobfuscate/Decode Files or Information

Clop has used a simple XOR operation to decrypt strings.[1]
Enterprise T1106 Native API

Clop has used built-in API functions such as WNetOpenEnumW(), WNetEnumResourceW(), WNetCloseEnum(), GetProcAddress(), and VirtualAlloc().[1][2]
Enterprise T1497.003 Time Based Checks Sub-technique

Clop has used the sleep command to avoid sandbox detection.[3]
Enterprise T1027.002 Software Packing Sub-technique

Clop has been packed to help avoid detection.[1][2]
Enterprise T1614.001 System Language Discovery Sub-technique

Clop has checked the keyboard language using the GetKeyboardLayout() function to avoid installation on Russian-language or other Commonwealth of Independent States-language machines; it will also check the GetTextCharset function.[1]
Enterprise T1083 File and Directory Discovery

Clop has searched folders and subfolders for files to encrypt.[1]
Enterprise T1057 Process Discovery

Clop can enumerate all processes on the victim's machine.[1]
Enterprise T1059.003 Windows Command Shell Sub-technique

Clop can use cmd.exe to help execute commands on the system.[2]
Enterprise T1553.002 Code Signing Sub-technique

Clop can use code signing to evade detection.[3]
Enterprise T1112 Modify Registry

Clop can make modifications to Registry keys.[2]
Enterprise T1135 Network Share Discovery

Clop can enumerate network shares.[1]
Enterprise T1490 Inhibit System Recovery

Clop can delete the shadow volumes with vssadmin Delete Shadows /all /quiet and can use bcdedit to disable recovery options.[1]
Enterprise T1486 Data Encrypted for Impact

Clop can encrypt files using AES, RSA, and RC4 and will add the ".clop" extension to encrypted files.[1][3][2]
Enterprise T1685 Disable or Modify Tools

Clop can uninstall or disable security products.[2]
Enterprise T1218.007 Msiexec Sub-technique

Clop can use msiexec.exe to disable security tools on the system.[2]
Associated objects

Groups, software, and campaigns

Group Enterprise

G0092: TA505

TA505 is a cyber criminal group that has been active since at least 2014. TA505 is known for frequently changing malware, driving global trends in criminal malware distribution, and ransomware campaigns involving Clop.[1][2][3][4][5]

Relationship explorer

All related ATT&CK context

uses · Technique T1518.001: Security Software Discovery Enterprise uses · Technique T1489: Service Stop Enterprise uses · Group G0092: TA505 Enterprise uses · Technique T1140: Deobfuscate/Decode Files or Information Enterprise uses · Technique T1106: Native API Enterprise uses · Technique T1497.003: Time Based Checks Enterprise uses · Technique T1027.002: Software Packing Enterprise uses · Technique T1614.001: System Language Discovery Enterprise uses · Technique T1083: File and Directory Discovery Enterprise uses · Technique T1057: Process Discovery Enterprise uses · Technique T1059.003: Windows Command Shell Enterprise uses · Technique T1553.002: Code Signing Enterprise uses · Technique T1112: Modify Registry Enterprise uses · Technique T1135: Network Share Discovery Enterprise uses · Technique T1490: Inhibit System Recovery Enterprise uses · Technique T1486: Data Encrypted for Impact Enterprise uses · Technique T1685: Disable or Modify Tools Enterprise uses · Technique T1218.007: Msiexec Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
5d5bb2e6bbae3767...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 5d5bb2e6bbae…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Mcafee Clop Aug 2019

    Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021.

    Open source URL
  2. [2]
    Cybereason Clop Dec 2020

    Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021.

    Open source URL
  3. [3]
    Unit42 Clop April 2021

    Santos, D. (2021, April 13). Threat Assessment: Clop Ransomware. Retrieved July 30, 2021.

    Open source URL
  4. [4]
    Clop

    (Citation: Mcafee Clop Aug 2019)(Citation: Cybereason Clop Dec 2020)

  5. [5]
    mitre-attack S0611
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use