Dissecting Cl0p Ransomware: Encryption and Evasion Tactics
LAST UPDATED ON FEBRUARY 20, 2026
Cl0p (also stylized as "Clop") is a sophisticated ransomware variant that evolved from the CryptoMix family, first emerging in February 2019. It is frequently deployed as the final payload in attacks orchestrated by the financially motivated threat group TA505 [1].
Cl0p gains initial access through large-scale spear-phishing campaigns, often dropping loaders like Get2 that subsequently install additional tools. The group also aggressively exploits zero-day vulnerabilities in enterprise file transfer software, including Accellion FTA, SolarWinds Serv-U, GoAnywhere MFT, and Progress MOVEit Transfer. Once inside, the malware attempts to disable security defenses, terminates backup processes, and encrypts files using strong encryption algorithms, appending extensions like ".Clop" or ".CIOP". Recent campaigns have notably shifted focus toward pure data theft and extortion without deploying encryption payloads [2].
In this blog post, we break down the technical operations of Cl0p ransomware, analyzing its multi-stage attack chain including initial access vectors, defense evasion techniques, and encryption mechanisms. We also provide actionable insights on how to simulate Cl0p attacks using the Picus Security Validation Platform to test and strengthen your organization's security controls.
How Does Cl0p Ransomware Work?
The operational lifecycle of Cl0p ransomware involves a multi-stage attack chain, ranging from initial access via zero-day exploits or phishing to the final encryption and extortion phases.
Initial Access and Delivery
The ransomware enters networks through several primary vectors.
Attackers send emails with malicious attachments (often macro-enabled documents) or links. These drop loaders, like Get2, which downloads additional tools [3].
Operators target specific vulnerabilities in file transfer appliances to gain unauthenticated access. Notable exploits include:
- Accellion FTA: Exploiting CVE-2021-27101 through CVE-2021-27104 to install the DEWMODE web shell [2].
- SolarWinds Serv-U: Exploiting CVE-2021-35211 for remote code execution [2].
- GoAnywhere MFT: Exploiting CVE-2023-0669 [1].
- MOVEit Transfer: Exploiting CVE-2023-34362 (SQL injection) to deploy the LEMURLOOT web shell [1].
Attackers also used compromised RDP credentials to access the network directly [2].
Defense Evasion
Cl0p binaries are often digitally signed with verified certificates to evade security software.
The ransomware scans for and terminates processes related to security software, databases, and backups such as AGNTSVC.EXE, SQLSERVR.EXE, ORACLE.EXE, SQLWRITER.EXE, and SQBCORESERVICE.EXE. This ensures that critical database files and backups are not "locked" by running services, allowing the malware to successfully encrypt or modify the data without triggering "File in Use" errors.
It also executes a batch file (e.g., clearsystems-11-11.bat) to delete Volume Shadow Copies, resize shadow storage, and modify the Boot Configuration Data (BCD) to disable Windows automatic recovery and ignore boot failures [4]:
```
@echo off
```
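The recovery-inhibition actions described above (shadow copy deletion, shadow storage resizing, and the BCD changes) are well suited to detection on process-creation telemetry. The following is an added example, not code from the original post or from any Picus product: it runs simple command-line rules over constructed Sysmon-style events and flags a host that trips two or more distinct rules. The event field names and host names are assumptions.

```python
import re

# Constructed Sysmon-style process-creation events; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "cmd": "vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"host": "ws01", "cmd": "bcdedit /set {default} recoveryenabled no"},
    {"host": "ws01", "cmd": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"host": "ws02", "cmd": "vssadmin.exe list shadows"},   # benign admin lookup
    {"host": "ws02", "cmd": "notepad.exe C:\\notes.txt"},
]

# One rule per action the batch file is reported to perform.
RULES = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "shadow_storage_resize": re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    "bcd_recovery_disabled": re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "bcd_ignore_boot_failures": re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
}

def classify(cmd):
    """Return the names of the rules matched by one command line."""
    return [name for name, rx in RULES.items() if rx.search(cmd)]

def correlate(events, min_rules=2):
    """Group rule hits per host; a host that trips at least `min_rules`
    distinct rules is reported as showing recovery-inhibition behaviour."""
    per_host = {}
    for ev in events:
        for name in classify(ev["cmd"]):
            per_host.setdefault(ev["host"], set()).add(name)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_rules}

if __name__ == "__main__":
    for host, rules in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(rules)}")
```

A single `vssadmin list shadows` never alerts on its own, which keeps routine administration out of the queue while the full sequence on one host still fires.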
Additionally, it may call API functions such as EraseTape or DefineDosDeviceA with invalid arguments in a loop to confuse emulators and sandboxes.
Discovery and Privilege Escalation
Once established, attackers move laterally and escalate privileges using tools like Cobalt Strike and SDBot.
In the MOVEit Transfer campaigns, the LEMURLOOT web shell (often appearing as human2.aspx) is used to harvest Azure system settings, including Blob Storage accounts and keys, and to enumerate the underlying SQL databases. It can also manipulate administrative access by creating or deleting accounts such as the "Health Check Service" user. An example query is given below [1]:
```sql
select f.id, f.instid, f.folderid, filesize, f.Name as Name, u.LoginName as uploader,
```
Execution and Encryption
The ransomware creates a mutex (e.g., Fany-Fany-6-6-6, Clop^_-, or MoneyP#666) to ensure only one instance runs.
It validates the target environment with a two-step check. First it compares the keyboard layout against the Russian (0x0419) and Azerbaijan (0x082C) identifiers; then it verifies via GetTextCharset whether the active system font uses RUSSIAN_CHARSET (0xCC), which confirms that the language is in active use rather than merely installed. If this CIS configuration is confirmed, the malware deletes itself from the disk and terminates execution using TerminateProcess [4].
Cl0p uses AES encryption to lock files, generating a unique random key for each file. This key is then encrypted with a master RSA public key embedded in the malware.
The ransomware skips critical system files (e.g., .dll, .exe, .sys) so that the OS remains operational, and encrypted files are given an extension such as .Clop, .CIOP, or .C_L_O_P [3] [2] [4]. It also appends a file marker (e.g., Clop^_) to the end of each encrypted file.
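As an added incident-response helper (not code from the original post), the following scans a directory tree for files carrying the reported Cl0p extensions or the trailing Clop^_ marker, which helps scope an incident once encryption has occurred. The sample files it creates are constructed; real encrypted files may use other variant-specific extensions or markers.

```python
import os
import tempfile

# Extensions and trailing file marker reported for Cl0p-encrypted files.
CLOP_EXTENSIONS = (".clop", ".ciop", ".c_l_o_p")
CLOP_MARKER = b"Clop^_"

def has_clop_extension(name):
    """True if the file name carries one of the reported extensions."""
    return name.lower().endswith(CLOP_EXTENSIONS)

def has_clop_marker(data):
    """True if the content ends with the reported marker."""
    return data.endswith(CLOP_MARKER)

def triage_file(path):
    """'confirmed' when both indicators are present, 'suspect' for one, else None."""
    ext = has_clop_extension(os.path.basename(path))
    with open(path, "rb") as fh:            # read only the tail, not the whole file
        fh.seek(max(0, os.path.getsize(path) - len(CLOP_MARKER)))
        marker = has_clop_marker(fh.read())
    if ext and marker:
        return "confirmed"
    return "suspect" if (ext or marker) else None

def triage_tree(root):
    """Walk a directory tree and return {relative path: verdict} for flagged files."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            verdict = triage_file(path)
            if verdict:
                results[os.path.relpath(path, root)] = verdict
    return results

def build_sample_tree():
    """Write constructed sample files (not real ransomware output) to a temp dir."""
    root = tempfile.mkdtemp(prefix="clop_triage_")
    samples = {
        "report.docx.Clop": b"\x8a\x11ciphertext" + CLOP_MARKER,  # both indicators
        "photo.jpg.CIOP": b"\x00\x01cipher-without-marker",        # extension only
        "notes.txt": b"plain text" + CLOP_MARKER,                  # marker only
        "app.exe": b"MZ\x90\x00 untouched",                        # left alone by Cl0p
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root
```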
A ransom note is placed in folders, containing instructions for contact [4].
```
Your networks has been penetrated!
```
How Does Picus Simulate Cl0p Ransomware Attacks?
We also strongly suggest simulating ransomware groups, including Cl0p and the rest of the Top 10 Ransomware Groups of 2025, to test the effectiveness of your security controls against their attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other ransomware variants, such as Phobos, ALPHV, and LockBit, within minutes with a 14-day free trial of the Picus Platform.
The Picus Threat Library includes the following threats for Cl0p ransomware attacks:
| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 78610 | Cl0p Ransomware Campaign | Linux Endpoint |
| 20540 | Cl0p Ransomware Campaign | Windows Endpoint |
| 51219 | Cl0p Ransomware Download Threat | Network Infiltration |
| 30539 | Cl0p Ransomware Email Threat | E-mail Infiltration |
| 76380 | TA505 Ransomware Campaign | Windows Endpoint |
| 39011 | TA505 Threat Group Campaign Malware Download Threat - 3 | Network Infiltration |
| 84006 | TA505 Threat Group Campaign Malware Email Threat - 3 | E-mail Infiltration |
| 72220 | TA505 Threat Group Campaign Malware Email Threat - 2 | E-mail Infiltration |
| 66431 | TA505 Threat Group Campaign Malware Download Threat - 2 | Network Infiltration |
| 93777 | TA505 Threat Group Campaign Malware Email Threat - 1 | E-mail Infiltration |
| 41761 | TA505 Threat Group Campaign Malware Download Threat - 1 | Network Infiltration |
| 93517 | TA505 Threat Group Campaign Malware Downloader Email Threat | E-mail Infiltration |
| 76083 | TA505 Threat Group Campaign Malware Downloader Download Threat | Network Infiltration |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
Key Takeaways
- Cl0p enters networks through large-scale spear-phishing campaigns using loaders like Get2, compromised RDP credentials, or by exploiting zero-day vulnerabilities in enterprise file transfer tools such as MOVEit, GoAnywhere MFT, and SolarWinds Serv-U.
- To avoid detection, the ransomware uses digitally signed binaries and terminates processes related to security software, databases, and backups. It also employs anti-sandbox techniques and executes batch files to delete Volume Shadow Copies and disable Windows automatic recovery.
- During recent MOVEit Transfer campaigns, operators used the LEMURLOOT web shell to steal Azure system settings and Blob Storage keys while enumerating and manipulating underlying SQL databases.
- The malware performs a double-check of the system's keyboard layout and active system fonts. If it detects Russian or Azerbaijan configurations, the ransomware terminates execution and deletes itself from the disk.
- Cl0p utilizes AES encryption with unique keys for each file, which are then protected by an embedded RSA public key. While it appends extensions like .Clop or .CIOP, it specifically avoids system-critical files to keep the operating system functional for ransom communication.
- While traditionally known for encryption, recent campaigns have shifted focus toward pure data theft and extortion without always deploying an encryption payload.
- Organizations can use the Picus Security Validation Platform to simulate Cl0p attack scenarios.
References
[1] “#StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability,” Cybersecurity and Infrastructure Security Agency (CISA). Accessed: Feb. 05, 2026. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a
[2] “Ransomware Spotlight: Clop.” Accessed: Feb. 05, 2026. [Online]. Available: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-clop
[3] D. Santos, “Threat Assessment: Clop Ransomware,” Unit 42. Accessed: Feb. 05, 2026. [Online]. Available: https://unit42.paloaltonetworks.com/clop-ransomware/
[4] A. Mundo, “Clop Ransomware,” McAfee Blog. Accessed: Feb. 05, 2026. [Online]. Available: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clop-ransomware/
