Ransom:Win32/Clop!rfn

The Ransom:Win32/Clop!rfn ransomware is a 32bit Windows binary written in C++. The authors pack and obfuscate the binary to block static analysis. Some samples carry digital signatures stolen from legitimate software vendors or bought through fraudulent means. Those signatures help Clop appear trustworthy. When it runs, it checks the environment before doing anything else. It calls GetKeyboardLayout to read the Windows language setting. If the keyboard layout matches Russian (0x0419), Azerbaijani (0x082C), or Georgian (0x0437), or if the Windows font charset is RUSSIAN_CHARSET (0x0CC), Clop immediately stops. It then deletes its own file from the disk. This guardrail keeps the ransomware from infecting devices in the Commonwealth of Independent States and reduces attention from regional law enforcement. It also looks for processes, drivers, and hardware artifacts that signal a sandbox or virtual machine. When it finds those, it either loops forever or exits. 

Clop force closes any running software that might lock files the ransomware wants to encrypt. It carries a hashed list of target process and service names. The list includes database engines such as sqlservr.exe, mysqld.exe, and oracle.exe. It includes email clients like outlook.exe. It includes office applications such as winword.exe and excel.exe. It includes backup agents like BackupExecAgentBrowser and Veeam.exe. It includes security processes tied to endpoint protection products. It issues commands such as net stop <service> /y to stop antivirus services. Newer samples add processes from Siemens, Honeywell, and Rockwell automation. That addition shows the threat actor group now targets industrial control and manufacturing environments where downtime produces fast, severe financial losses.

The malware changes Windows Registry keys and system settings. It often writes an autostart entry to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to survive a reboot. It deletes Volume Shadow Copies by running vssadmin delete shadows /all /quiet. That command wipes out the most common recovery mechanism on Windows devices. It runs bcdedit to turn off automatic startup repair. It may drop a batch file named clearnetworkdns_11-22-33.bat that changes network configuration and overwrites files. It creates mutexes such as MoneyP#666 and CLOP#666 so only one copy of the ransomware runs at a time. Forensic investigators often find those mutex names during analysis. 

The encryption engine uses a hybrid cryptographic design. For each file, the malware generates a unique AES256 key. It encrypts the file content with that key. It then encrypts the AES key with an RSA1024 or RSA2044 public key embedded in the binary. Without the threat actors’ private key, decryption is mathematically impossible. Clop prioritizes speed. It skips files smaller than 17 kilobytes entirely. For files larger than 2.13 megabytes, it only encrypts specific byte ranges, for example from offset 0x10000 to 0x2089D0. That partial encryption corrupts large databases and media files quickly while using little CPU time.  

The threat actors gain initial access through two main methods. They send spear phishing emails with malicious attachments that drop firststage loaders. Those loaders download the full Clop payload. More notably, the group finds and weaponizes zeroday vulnerabilities in enterprise software, especially managed file transfer platforms. Major campaigns targeted Accellion FTA using CVE202127101, CVE202127102, CVE202127103, and CVE202127104. They hit GoAnywhere MFT with CVE20230669. They hit MOVEit Transfer with CVE202334362. They hit Cleo LexiCom and Harmony with CVE202450623 and CVE202455956. They hit Oracle EBusiness Suite with CVE202561882. After breaking in, the threat actors deploy CobaltStrike for command and control. They use Mimikatz to steal credentials from memory. They use PsExec to move laterally and run payloads on remote machines. They install custom web shells like DEWMODE and LEMURLOOT on compromised file transfer servers to pull out large volumes of data. 

Command and control servers and scanners associated with Clop include 92[.]51[.]2[.]10, 92[.]118[.]36[.]112, 92[.]118[.]36[.]123, 92[.]118[.]36[.]210, 45[.]129[.]137[.]232, 138[.]197[.]152[.]201, 45[.]227[.]253[.]102, and 217[.]165[.]84[.]66. Malicious domains linked to the group include bak0store[.]com, mspipesservice[.]com, xboxmsstoredebug[.]com, qweastradoc[.]com,guerdofest[.]com, connectzoomdownload[.]com, and conversepharmagroup[.]com. Ransom negotiation emails go to addresses at privacyfocused providers.  

Observed addresses include managersmaers[@]tutanota[.]com, kensgilbomet[@]protonmail[.]com, servicedigilogos[@]protonmail[.]com, unlock[@]goldenbay[.]su, unlock[@]royalmail[.]su, and unlock[@]eqaltech[.]su. Stolen data appears on the CL0P^_-LEAKS Tor site. The site is reachable at hxxp://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad[.]onion and hxxp://toznnag5o3ambca56s2yacteu7q7x2avrfherzmz4nmujrjuib4iusad[.]onion. A separate negotiator portal runs at hxxp://ekbgzchl6x2ias37[.]onion.