Threat Actor Profile
Description
Cl0p ransomware is a variant of the previously known CryptoMix strain. In 2019 this variant was delivered as the final payload of a phishing campaign carried out by the threat actor TA505, an operation that was exclusively financially motivated. In that campaign the actors sent phishing emails leading to a macro-enabled document that dropped a loader called 'Get2'. After gaining an initial foothold in the system or infrastructure, the actors carried out reconnaissance, lateral movement, and exfiltration to prepare for deployment of the ransomware. On execution, Cl0p appends the extension '.clop' to encrypted files; other extensions such as '.CIIp', '.Cllp', and '.C_L_O_P' have also been observed, along with several versions of the ransom note. Depending on the variant, the ransom note is written to files with names such as 'ClopReadMe.txt', 'README_README.txt', 'Cl0pReadMe.txt', and 'READ_ME_!!!.TXT'. The Clop operation has since shifted away from phishing delivery and now initiates attacks by exploiting vulnerabilities in victims' infrastructure. Source: https://github.com/crocodyli/ThreatActors-TTPs
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (31)
STIX Data
{'added_date': None,
'client': '2003264@sit.singaporetech.edu.sg',
'description': 'The ransomware group known as Cl0p is a variant of a '
'previously known strain dubbed CryptoMix. It is worth noting '
'that this variant was delivered as the final payload in a '
'phishing campaign in 2019 and was exclusively financially '
'motivated, with attacks carried out by the threat actors '
'TA505.<br> <br> At that time, malicious actors sent phishing '
'emails that led to a macro-enabled document that would drop a '
"loader called 'Get2.' After gaining an initial foothold in "
'the system or infrastructure, the actors began using '
'reconnaissance, lateral movement, and exfiltration techniques '
'to prepare for the deployment of the ransomware.<br> <br> '
'After the execution of the ransomware, Cl0p appends the '
"extension '.clop' to the end of files, or other types of "
"extensions such as '.CIIp, .Cllp, and .C_L_O_P,' as well as "
'different versions of the ransom note that were also observed '
'after encryption. Depending on the variant, any of the ransom '
"text files were created with names like 'ClopReadMe.txt, "
"README_README.txt, Cl0pReadMe.txt, and READ_ME_!!!.TXT.'<br> "
'<br> The Clop operation has shifted from delivering its final '
'payload via phishing and has begun initiating attacks using '
'vulnerabilities that resulted in the exploitation and '
"infection of victims' infrastructures.<BR>Source: "
'https://github.com/crocodyli/ThreatActors-TTPs',
'firstseen': '2020-03-13T00:00:00+00:00',
'group': 'clop',
'has_negotiations': False,
'has_ransomnote': True,
'lastseen': '2026-03-30T07:59:33.501127+00:00',
'locations': [{'available': True,
'fqdn': 'santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion',
'slug': 'http://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion/',
'title': 'DDOS Protection',
'type': 'DLS'},
{'available': False,
'fqdn': 'ekbgzchl6x2ias37.onion',
'slug': 'http://ekbgzchl6x2ias37.onion',
'title': '',
'type': 'DLS'},
{'available': False,
'fqdn': 'toznnag5o3ambca56s2yacteu7q7x2avrfherzmz4nmujrjuib4iusad.onion',
'slug': 'http://toznnag5o3ambca56s2yacteu7q7x2avrfherzmz4nmujrjuib4iusad.onion',
'title': 'TORRENT | CL0P^_- LEAKS',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 4,
'tiaras_metadata': {'has_negotiations': False,
'has_ransomnote': True,
'locations': [{'available': True,
'fqdn': 'santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion',
'slug': 'http://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion/',
'title': 'DDOS Protection',
'type': 'DLS'},
{'available': False,
'fqdn': 'ekbgzchl6x2ias37.onion',
'slug': 'http://ekbgzchl6x2ias37.onion',
'title': '',
'type': 'DLS'},
{'available': False,
'fqdn': 'toznnag5o3ambca56s2yacteu7q7x2avrfherzmz4nmujrjuib4iusad.onion',
'slug': 'http://toznnag5o3ambca56s2yacteu7q7x2avrfherzmz4nmujrjuib4iusad.onion',
'title': 'TORRENT | CL0P^_- LEAKS',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 4,
'ransomware_live_group': 'clop',
'tools': {},
'url': 'https://www.ransomware.live/group/clop',
'victims': 1252,
'vulnerabilities': [{'CVE': 'CVE-2021-27101, '
'CVE-2021-27102, '
'CVE-2021-27103, '
'CVE-2021-27104',
'CVSS': 9.8,
'Product': 'Accellion File Transfer '
'Appliance',
'Vendor': 'Accellion',
'severity': 'CRITICAL'},
{'CVE': 'CVE-2024-55956',
'CVSS': 9.8,
'Product': 'Cleo VLTrader, Harmony, '
'LexiCom',
'Vendor': 'Cleo',
'severity': 'CRITICAL'},
{'CVE': 'CVE-2023-0669',
'CVSS': 7.2,
'Product': 'GoAnywhere Managed File '
'Transfer',
'Vendor': 'Fortra',
'severity': 'HIGH'},
{'CVE': 'CVE-2025-61882',
'CVSS': 9.8,
'Product': 'E-Business',
'Vendor': 'Oracle',
'severity': 'CRITICAL'},
{'CVE': 'CVE-2023-34362',
'CVSS': 9.8,
'Product': 'MOVEit',
'Vendor': 'Progress Software',
'severity': 'CRITICAL'},
{'CVE': 'CVE-2023-27350 & '
'CVE-2023-27351',
'CVSS': 9.8,
'Product': 'PaperCut Application '
'Server',
'Vendor': 'PaperCut',
'severity': 'CRITICAL'},
{'CVE': 'CVE-2021-35211',
'CVSS': 9.0,
'Product': 'SolarWinds Serv-U FTP',
'Vendor': 'SolarWinds',
'severity': 'CRITICAL'}]},
'tiaras_source': 'ransomware.live',
'tools': {},
'ttps': [{'tactic_id': 'TA0001',
'tactic_name': 'Initial Access',
'techniques': [{'technique_details': 'Arrives via phishing emails '
'that have Get2 Loader, which '
'will download the SDBot and '
'FlawedAmmy RAT.',
'technique_id': 'T1566.001',
'technique_name': 'Phishing: Spear-phishing '
'attachment'},
{'technique_details': 'Arrives via any of the following '
'exploits: CVE-2021-27101, '
'CVE-2021-27102, '
'CVE-2021-27103, '
'CVE-2021-27104, '
'CVE-2021-35211.',
'technique_id': 'T1190',
'technique_name': 'Exploit public-facing '
'application'},
{'technique_details': 'Have been reported to make '
'use of compromised accounts '
'to access victims via RDP.',
'technique_id': 'T1078',
'technique_name': 'Valid accounts'}]},
{'tactic_id': 'TA0002',
'tactic_name': 'Execution',
'techniques': [{'technique_details': 'Uses native API to execute '
'various commands/routines.',
'technique_id': 'T1106',
'technique_name': 'Native API'},
{'technique_details': 'Uses various scripting '
'interpreters like PowerShell, '
'Windows command shell and '
'Visual Basic (macro in '
'documents).',
'technique_id': 'T1059',
'technique_name': 'Command and scripting '
'interpreter'},
{'technique_details': 'User execution is needed to '
'carry out the payload from '
'the spear-phishing '
'link/attachments.',
'technique_id': 'T1204',
'technique_name': 'User execution'}]},
{'tactic_id': 'TA0003',
'tactic_name': 'Persistence',
'techniques': [{'technique_details': 'Creates registry run entries '
'to execute the ransomware as '
'a service.',
'technique_id': 'T1547',
'technique_name': 'Boot or logon autostart '
'execution'},
{'technique_details': 'Creates a service to execute '
'the ransomware.',
'technique_id': 'T1543.003',
'technique_name': 'Create or modify system process: '
'Windows service'}]},
{'tactic_id': 'TA0004',
'tactic_name': 'Privilege Escalation',
'techniques': [{'technique_details': 'Uses stolen credentials to '
'access the AD servers to gain '
'administrator privilege and '
'attack other machines within '
'the network.',
'technique_id': 'T1484.001',
'technique_name': 'Domain Policy modification: '
'Group Policy modification'},
{'technique_details': 'Makes use of CVE-2021-27102 '
'to escalate privilege.',
'technique_id': 'T1068',
'technique_name': 'Exploitation for privilege '
'escalation'},
{'technique_details': 'UAC bypass.',
'technique_id': 'T1574',
'technique_name': 'Hijack execution flow'}]},
{'tactic_id': 'TA0005',
'tactic_name': 'Defense Evasion',
'techniques': [{'technique_details': 'Makes use of the following '
'digital signatures: DVERI, '
'FADO, TOV.',
'technique_id': 'T1036.001',
'technique_name': 'Masquerading: invalid code '
'signature'},
{'technique_details': 'Disables security-related '
'software by terminating them.',
'technique_id': 'T1562.001',
'technique_name': 'Impair defenses: disable or '
'modify tools'},
{'technique_details': 'The tool used for '
'exfiltration has a part of '
'its malware trace removal, '
'and it drops a base-64 '
'encoded file.',
'technique_id': 'T1140',
'technique_name': 'Deobfuscate/Decode files or '
'information'},
{'technique_details': 'Deletes traces of itself in '
'the infected machine.',
'technique_id': 'T1070.004',
'technique_name': 'Indicator removal on host: file '
'deletion'},
{'technique_details': 'To deliver other tools and '
'payload, a tool has the '
'capability to inject its '
'downloaded payload.',
'technique_id': 'T1055.001',
'technique_name': 'Process injection: DLL '
'injection'},
{'technique_details': 'A startup script runs just '
'before the system gets to the '
'login screen via startup '
'registry.',
'technique_id': 'T1202',
'technique_name': 'Indirect command execution'},
{'technique_details': 'Clears the Event Viewer log '
'files.',
'technique_id': 'T1070.001',
'technique_name': 'Indicator removal on host: clear '
'Windows event logs'}]},
{'tactic_id': 'TA0007',
'tactic_name': 'Discovery',
'techniques': [{'technique_details': 'Searches for specific files '
'and the directory related to '
'its encryption.',
'technique_id': 'T1083',
'technique_name': 'File and directory discovery'},
{'technique_details': 'Makes use of tools for '
'network scans.',
'technique_id': 'T1018',
'technique_name': 'Remote system discovery'},
{'technique_details': 'Discovers certain processes '
'for process termination.',
'technique_id': 'T1057',
'technique_name': 'Process discovery'},
{'technique_details': 'Identifies keyboard layout '
'and other system information.',
'technique_id': 'T1082',
'technique_name': 'System information discovery'},
{'technique_details': 'Queries certain registries as '
'part of its routine.',
'technique_id': 'T1012',
'technique_name': 'Query registry'},
{'technique_details': 'Discovers security software '
'for reconnaissance and '
'termination.',
'technique_id': 'T1063',
'technique_name': 'Security software discovery'}]},
{'tactic_id': 'TA0008',
'tactic_name': 'Lateral Movement',
'techniques': [{'technique_details': 'Can make use of RDP to '
'transfer the ransomware or '
'tools within the network.',
'technique_id': 'T1570',
'technique_name': 'Lateral tool transfer'},
{'technique_details': 'Drops a copy of the payload '
'to the compromised AD and '
'then creates a service on the '
'target machine to execute the '
'copy of the payload.',
'technique_id': 'T1021.002',
'technique_name': 'Remote services: SMB/Windows '
'admin shares'}]},
{'tactic_id': 'TA0009',
'tactic_name': 'Collection',
'techniques': [{'technique_details': 'Might make use of RDP to '
'manually search for valuable '
'files or information.',
'technique_id': 'T1005',
'technique_name': 'Data from local system'}]},
{'tactic_id': 'TA0011',
'tactic_name': 'Command and Control',
'techniques': [{'technique_details': 'Uses http/s to communicate to '
'its C&C server.',
'technique_id': 'T1071',
'technique_name': 'Application Layer Protocol'}]},
{'tactic_id': 'TA0010',
'tactic_name': 'Exfiltration',
'techniques': [{'technique_details': 'DEWMODE web shell extracts '
'list of available files from '
'a MySQL database on the FTA '
'and lists these files and '
'their corresponding metadata. '
'These will then be downloaded '
'using the DEWMODE web shell.',
'technique_id': 'T1567',
'technique_name': 'Exfiltration over web service'}]},
{'tactic_id': 'TA0040',
'tactic_name': 'Impact',
'techniques': [{'technique_details': 'Uses a combination of '
'Salsa20, AES, and ECDH to '
'encrypt the files and key.',
'technique_id': 'T1486',
'technique_name': 'Data encrypted for impact'},
{'technique_details': 'Deletes shadow copies.',
'technique_id': 'T1490',
'technique_name': 'Inhibit system recovery'}]}],
'url': 'https://www.ransomware.live/group/clop',
'victims': 1252,
'vulnerabilities': [{'CVE': 'CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, '
'CVE-2021-27104',
'CVSS': 9.8,
'Product': 'Accellion File Transfer Appliance',
'Vendor': 'Accellion',
'severity': 'CRITICAL'},
{'CVE': 'CVE-2024-55956',
'CVSS': 9.8,
'Product': 'Cleo VLTrader, Harmony, LexiCom',
'Vendor': 'Cleo',
'severity': 'CRITICAL'},
{'CVE': 'CVE-2023-0669',
'CVSS': 7.2,
'Product': 'GoAnywhere Managed File Transfer',
'Vendor': 'Fortra',
'severity': 'HIGH'},
{'CVE': 'CVE-2025-61882',
'CVSS': 9.8,
'Product': 'E-Business',
'Vendor': 'Oracle',
'severity': 'CRITICAL'},
{'CVE': 'CVE-2023-34362',
'CVSS': 9.8,
'Product': 'MOVEit',
'Vendor': 'Progress Software',
'severity': 'CRITICAL'},
{'CVE': 'CVE-2023-27350 & CVE-2023-27351',
'CVSS': 9.8,
'Product': 'PaperCut Application Server',
'Vendor': 'PaperCut',
'severity': 'CRITICAL'},
{'CVE': 'CVE-2021-35211',
'CVSS': 9.0,
'Product': 'SolarWinds Serv-U FTP',
'Vendor': 'SolarWinds',
'severity': 'CRITICAL'}]}