Ransomware Research
Clay Ransomware
Clay is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on October 1, 2020, this ransomware has been actively targeting systems worldwide. Security researchers also track this malware under the aliases: Clay 2.0, Clay "CryptoToys".
Quick Facts
- Ransomware Family: Clay
- First Seen: October 1, 2020
- Known Aliases: Clay 2.0, Clay "CryptoToys"
How Clay Ransomware Works
Targeted Files
Most samples don't add any suffix and encrypt only the Desktop.
File Encryption Patterns
Clay modifies encrypted files using specific patterns to mark them as encrypted:
File extensions added after encryption:
..kfuald
..clay
Ransom Note and Payment Demands
After encrypting files, Clay displays ransom notes demanding payment for file recovery:
- ___RECOVER__FILES__.clay.txt (ransom message: notes/___RECOVER__FILES__.clay.txt)
- OPEN ME!!!!!!.txt (ransom message: notes/OPEN ME!!!!!!.txt)
- README.txt (ransom message: notes/README.txt)
Note locations:
Desktop
Technical Indicators
Associated Executable Files
The following executable files are associated with Clay ransomware:
About This Analysis
This Clay ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like Clay.
Last updated: July 30, 2025