Ransomware Research

Clop Ransomware

Clop is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on February 1, 2019, this ransomware has been actively targeting systems worldwide. Security researchers also track this malware under the aliases: Clop, CIop, CIop2, CL0P, Clop Doxware.

Quick Facts

Ransomware Family: Clop
First Seen: February 1, 2019
Known Aliases: Clop, CIop, CIop2, CL0P, Clop Doxware

How Clop Ransomware Works

Targeted Files

  • Tested 70f42cc9fca43dc1fdfa584b37ecbc81761fb996cb358b6f569d734fa8cce4e3 as working sample.
  • Some Windows binaries (46cd508b7e77bb2c1d47f7fef0042a13c516f8163f9373ef9dfac180131c65ed) would work only with -> sc.exe create ChangerWifi binPath= "d:\chrome.exe"
  • c7e3293a6be881a93c66d04b085c69c56ec29ba20a81dd8ce8dac77af2c2cb30 -> service name -> W7CheckUpdate
  • 61ac59b8110ff8bee625d7620e4e8946256fe7ad4554d56b32a106219348f767 -> service name -> BootServicingSecurity

References:

  • https://blog.cyble.com/2023/04/03/cl0p-ransomware-active-threat-plaguing-businesses-worldwide/
  • https://www.joesandbox.com/analysis/894996/0/html
  • https://www.sentinelone.com/labs/cl0p-ransomware-targets-linux-systems-with-flawed-encryption-decryptor-available/
  • https://github.com/SentineLabs/Cl0p-ELF-Decryptor

File Encryption Patterns

Clop modifies encrypted files using specific patterns to mark them as encrypted:

File extensions added after encryption:

  • .Clop
  • .Cl0p
  • .CIop
  • .Cllp
  • .C_L_O_P
  • .C_I_0P

Ransom Note and Payment Demands

After encrypting files, Clop displays ransom notes demanding payment for file recovery:

  • ClopReadMe.txt
    Ransom message: notes/ClopReadMe.txt
    Note locations: every folder
  • CIopReadMe.txt
    Ransom message: notes/CIopReadMe.txt
    Note locations: every folder
  • Cl0pReadMe.txt
  • !!!_READ_!!!.RTF
  • README_C_I_0P.TXT
    Ransom message: notes/README_C_I_0P.TXT
  • !_READ_ME.RTF
    Ransom message: notes/!_READ_ME.RTF
    Note locations: every folder

Technical Indicators

Associated Executable Files

The following executable files are associated with Clop ransomware:

  • unpacked.exe
  • clop
  • sample.bin
  • file.exe
  • gmontraff.exe
  • myfile.exe
  • swaqp.exe
  • DTQZ52M5.exe
  • DBTRUA4Q.exe
  • SB1LGRPI.exe
  • YWFJ84M7.exe
  • Trojan.Ransom.Clop.exe
  • clop.bin
  • oleObject1.bin
  • Clop.exe
  • 2019-03-01 Klop.exe
  • KlopRansom.exe
  • SCN0tification.exe
  • SoftwareProtection.exe.dis
  • SysvolYSysZLogonQ.exe

About This Analysis

This Clop ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like Clop.

Last updated: July 30, 2025