The ransomware known as Cl0p is a variant of a previously known strain dubbed CryptoMix. This variant was delivered as the final payload of a phishing campaign in 2019 and was exclusively financially motivated, with attacks carried out by the threat actor TA505. At that time, the actors sent phishing emails that led to a macro-enabled document, which in turn dropped a loader called 'Get2'. After gaining an initial foothold in the system or infrastructure, they used reconnaissance, lateral movement and exfiltration techniques to prepare for deployment of the ransomware. On execution, Cl0p appends the extension '.clop' to encrypted files; other extensions such as '.CIIp', '.Cllp' and '.C_L_O_P' have also been observed, as have different versions of the ransom note. Depending on the variant, the ransom note was written with names such as 'ClopReadMe.txt', 'README_README.txt', 'Cl0pReadMe.txt' and 'READ_ME_!!!.TXT'. The Clop operation has since shifted away from delivering its payload via phishing and now initiates attacks by exploiting vulnerabilities to compromise and infect victims' infrastructure. Source: [link omitted]
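The extensions and ransom-note file names listed above are the cheapest host-side indicators an analyst can check during triage. The following Python script is an added example, not code from the original page: it walks a directory tree, flags files whose extension or name matches the list, and counts hits per directory so the spread of encryption can be gauged. The sample tree it builds is constructed for the demonstration, and the case-insensitive comparison is an assumption made here because the listed extension variants differ only in letter case and spelling.

```python
"""Added example (not from the original page): scan a directory tree for the
on-disk artefacts the description attributes to Cl0p, i.e. the appended file
extensions and the ransom-note file names.  The sample tree is constructed."""
import os
import tempfile
from collections import Counter

# Extensions and ransom-note names exactly as listed in the description.
# Comparison is case-insensitive (assumption: normalise rather than enumerate
# every spelling the description quotes).
CLOP_EXTENSIONS = {".clop", ".ciip", ".cllp", ".c_l_o_p"}
CLOP_NOTES = {"clopreadme.txt", "readme_readme.txt",
              "cl0preadme.txt", "read_me_!!!.txt"}


def classify(path):
    """Return 'encrypted', 'note' or None for a single file path."""
    name = os.path.basename(path).lower()
    if name in CLOP_NOTES:
        return "note"
    _, ext = os.path.splitext(name)
    if ext in CLOP_EXTENSIONS:
        return "encrypted"
    return None


def scan_tree(root):
    """Walk `root` and return a dict with the encrypted-looking files, the
    ransom notes found, and a per-directory Counter of encrypted files so the
    blast radius can be read off directly."""
    result = {"encrypted": [], "notes": [], "per_dir": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            kind = classify(full)
            if kind == "encrypted":
                result["encrypted"].append(full)
                result["per_dir"][dirpath] += 1
            elif kind == "note":
                result["notes"].append(full)
    return result


def build_sample_tree():
    """Create a constructed sample tree mixing benign files with Cl0p-style
    artefacts.  Returns the temporary root; the caller removes it."""
    root = tempfile.mkdtemp(prefix="clop_demo_")
    layout = {
        "finance/q3.xlsx.clop": b"",
        "finance/ClopReadMe.txt": b"ransom note text (constructed)",
        "hr/payroll.docx.C_L_O_P": b"",
        "hr/README_README.txt": b"",
        "it/notes.txt": b"benign",
        "it/build.Cllp": b"",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    findings = scan_tree(demo_root)
    print(f"{len(findings['encrypted'])} encrypted-looking files, "
          f"{len(findings['notes'])} ransom notes")
    for directory, count in findings["per_dir"].most_common():
        print(f"  {count:3d}  {os.path.relpath(directory, demo_root)}")
```

Run against a real share, the per-directory counter is what tells you whether you are looking at a single workstation's mapped drive or a server-wide encryption run; the note files mark where the operator's process had write access.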
Defensive detection signature for this group (for use in your EDR/SIEM). Source: ransomware.live.
```yara
rule win_clop_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.clop."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.clop"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */
    strings:
        $sequence_0 = { 6a04 6800300000 6887000000 6a00 }
            // n = 4, score = 900
            // 6a04         | push 4
            // 6800300000   | push 0x3000
            // 6887000000   | push 0x87
            // 6a00         | push 0
        $sequence_1 = { 83c40c 6860070000 6a40 ff15???????? }
            // n = 4, score = 900
            // 83c40c       | add esp, 0xc
            // 6860070000   | push 0x760
            // 6a40         | push 0x40
            // ff15???????? |
        $sequence_2 = { 56 53 ff15???????? 50 ff15???????? 56 53 }
            // n = 7, score = 800
            // 56           | push esi
            // 53           | push ebx
            // ff15???????? |
            // 50           | push eax
            // ff15???????? |
            // 56           | push esi
            // 53           | push ebx
        $sequence_3 = { ff15???????? 56 53 8bf8 ff15???????? 8bf0 56 }
            // n = 7, score = 800
            // ff15???????? |
            // 56           | push esi
            // 53           | push ebx
            // 8bf8         | mov edi, eax
            // ff15???????? |
            // 8bf0         | mov esi, eax
            // 56           | push esi
        $sequence_4 = { 6a00 ff15???????? 68???????? 8bd8 }
            // n = 4, score = 800
            // 6a00         | push 0
            // ff15???????? |
            // 68????????   |
            // 8bd8         | mov ebx, eax
        $sequence_5 = { 833d????????00 0f842e0c0000 83ec08 0fae5c2404 8b442404 25807f0000 3d801f0000 }
            // n = 7, score = 700
            // 833d????????00 |
            // 0f842e0c0000   | je 0xc34
            // 83ec08         | sub esp, 8
            // 0fae5c2404     | stmxcsr dword ptr [esp + 4]
            // 8b442404       | mov eax, dword ptr [esp + 4]
            // 25807f0000     | and eax, 0x7f80
            // 3d801f0000     | cmp eax, 0x1f80
        $sequence_6 = { 6683f87f 8d642408 0f85fd0b0000 eb00 }
            // n = 4, score = 700
            // 6683f87f     | cmp ax, 0x7f
            // 8d642408     | lea esp, [esp + 8]
            // 0f85fd0b0000 | jne 0xc03
            // eb00         | jmp 2
        $sequence_7 = { db2d???????? b802000000 833d????????00 0f85f0080000 }
            // n = 4, score = 700
            // db2d????????   |
            // b802000000     | mov eax, 2
            // 833d????????00 |
            // 0f85f0080000   | jne 0x8f6
        $sequence_8 = { 50 ff15???????? 83c40c 6860070000 }
            // n = 4, score = 600
            // 50           | push eax
            // ff15???????? |
            // 83c40c       | add esp, 0xc
            // 6860070000   | push 0x760
        $sequence_9 = { 0f85aa010000 68???????? 8d442450 50 }
            // n = 4, score = 500
            // 0f85aa010000 | jne 0x1b0
            // 68????????   |
            // 8d442450     | lea eax, [esp + 0x50]
            // 50           | push eax
        $sequence_10 = { 5d c20400 56 ff15???????? 6a00 }
            // n = 5, score = 500
            // 5d           | pop ebp
            // c20400       | ret 4
            // 56           | push esi
            // ff15???????? |
            // 6a00         | push 0
        $sequence_11 = { 8b1d???????? 8d85d4f7ffff 68???????? 50 ffd3 8d85d4f7ffff }
            // n = 6, score = 500
            // 8b1d???????? |
            // 8d85d4f7ffff | lea eax, [ebp - 0x82c]
            // 68????????   |
            // 50           | push eax
            // ffd3         | call ebx
            // 8d85d4f7ffff | lea eax, [ebp - 0x82c]
        $sequence_12 = { 8d85bcefffff 50 ff15???????? 68???????? }
            // n = 4, score = 500
            // 8d85bcefffff | lea eax, [ebp - 0x1044]
            // 50           | push eax
            // ff15???????? |
            // 68????????   |
        $sequence_13 = { ff15???????? 68???????? 8d85dcf7ffff 50 }
            // n = 4, score = 500
            // ff15???????? |
            // 68????????   |
            // 8d85dcf7ffff | lea eax, [ebp - 0x824]
            // 50           | push eax
        $sequence_14 = { 68???????? 68???????? e8???????? 83c424 6aff }
            // n = 5, score = 500
            // 68????????   |
            // 68????????   |
            // e8????????   |
            // 83c424       | add esp, 0x24
            // 6aff         | push -1
        $sequence_15 = { ffd0 c3 8bff 55 8bec 83ec1c 8d4de4 }
            // n = 7, score = 500
            // ffd0         | call eax
            // c3           | ret
            // 8bff         | mov edi, edi
            // 55           | push ebp
            // 8bec         | mov ebp, esp
            // 83ec1c       | sub esp, 0x1c
            // 8d4de4       | lea ecx, [ebp - 0x1c]
        $sequence_16 = { 6a00 e8???????? 83c408 6aff ff15???????? }
            // n = 5, score = 400
            // 6a00         | push 0
            // e8????????   |
            // 83c408       | add esp, 8
            // 6aff         | push -1
            // ff15???????? |
        $sequence_17 = { 83c424 53 50 ffd6 }
            // n = 4, score = 300
            // 83c424       | add esp, 0x24
            // 53           | push ebx
            // 50           | push eax
            // ffd6         | call esi
        $sequence_18 = { 83c40c 33f6 85ff 7428 }
            // n = 4, score = 300
            // 83c40c       | add esp, 0xc
            // 33f6         | xor esi, esi
            // 85ff         | test edi, edi
            // 7428         | je 0x2a
        $sequence_19 = { 6aff ffd7 8b4dfc 33c0 }
            // n = 4, score = 300
            // 6aff         | push -1
            // ffd7         | call edi
            // 8b4dfc       | mov ecx, dword ptr [ebp - 4]
            // 33c0         | xor eax, eax
        $sequence_20 = { 6a00 51 ffb560e2ffff 50 }
            // n = 4, score = 200
            // 6a00         | push 0
            // 51           | push ecx
            // ffb560e2ffff | push dword ptr [ebp - 0x1da0]
            // 50           | push eax
    condition:
        7 of them and filesize < 796672
}
```

Ransom note text, reproduced verbatim:

Attention! We are the ones who hacked you and DOWNLOAD yor data! We have extensive experience and a strong reputation in this field. Take what is written below seriously!!!! We DOWNLOADED - 1,65 Tb We DOWNLOADED - Your financial documentation, HR Documents, Accounting, your mails,Databases,private correspondence about transactions, employee documents, company documents,Internal manuals, production data, and much more . If necessary, we are ready to provide all the evidence. Contact us within 48 hours in our chat (TOR browser): [redactado] [redactado] [redactado] due to blocking of telecom operators if you write from proton.me please write here [redactado] About us: OUR BLOG - "link": [redactado] -> TOR browser.
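The rule above is meant for a YARA engine, but it helps to see how its pieces evaluate: each `$sequence_N` is a hex string in which `??` stands for any byte (the call targets and immediates yara-signator masked out), and the condition fires only when at least 7 of the 21 strings are present and the file is under 796672 bytes. The following Python evaluator is an added example, not code from the page, from yara-signator or from YARA itself. It implements only the subset of hex-string syntax this rule uses (fixed bytes and `?` nibble wildcards; no jumps or alternatives) and copies the 21 strings from the rule. The sample buffer it matches against is constructed by instantiating seven of the patterns, so it demonstrates the threshold and filesize logic, not detection efficacy against real samples.

```python
"""Added example (not from the page, yara-signator or YARA): a minimal
evaluator for the hex-string subset used by rule win_clop_auto, so the
`$sequence_N` strings and the `7 of them and filesize < 796672` condition can
be exercised offline.  Sample data below is constructed."""
import re


def hex_to_regex(hex_string):
    """Compile a YARA hex string like '{ 6a00 ff15???????? 68???????? 8bd8 }'
    into a bytes regex.  '??' matches any byte; a single '?' nibble expands to
    the 16 byte values that share the fixed nibble."""
    nibbles = "".join(hex_string.strip().strip("{}").split())
    if len(nibbles) % 2:
        raise ValueError("odd nibble count in " + hex_string)
    parts = []
    for i in range(0, len(nibbles), 2):
        hi, lo = nibbles[i], nibbles[i + 1]
        if hi == "?" and lo == "?":
            parts.append(b".")
        elif hi == "?":
            alts = [int(f"{h:x}{lo}", 16) for h in range(16)]
            parts.append(b"[" + b"".join(re.escape(bytes([a])) for a in alts) + b"]")
        elif lo == "?":
            alts = [int(f"{hi}{l:x}", 16) for l in range(16)]
            parts.append(b"[" + b"".join(re.escape(bytes([a])) for a in alts) + b"]")
        else:
            parts.append(re.escape(bytes([int(hi + lo, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


# The 21 strings of rule win_clop_auto, copied from the rule text above.
WIN_CLOP_SEQUENCES = {
    "$sequence_0": "{ 6a04 6800300000 6887000000 6a00 }",
    "$sequence_1": "{ 83c40c 6860070000 6a40 ff15???????? }",
    "$sequence_2": "{ 56 53 ff15???????? 50 ff15???????? 56 53 }",
    "$sequence_3": "{ ff15???????? 56 53 8bf8 ff15???????? 8bf0 56 }",
    "$sequence_4": "{ 6a00 ff15???????? 68???????? 8bd8 }",
    "$sequence_5": "{ 833d????????00 0f842e0c0000 83ec08 0fae5c2404 8b442404 25807f0000 3d801f0000 }",
    "$sequence_6": "{ 6683f87f 8d642408 0f85fd0b0000 eb00 }",
    "$sequence_7": "{ db2d???????? b802000000 833d????????00 0f85f0080000 }",
    "$sequence_8": "{ 50 ff15???????? 83c40c 6860070000 }",
    "$sequence_9": "{ 0f85aa010000 68???????? 8d442450 50 }",
    "$sequence_10": "{ 5d c20400 56 ff15???????? 6a00 }",
    "$sequence_11": "{ 8b1d???????? 8d85d4f7ffff 68???????? 50 ffd3 8d85d4f7ffff }",
    "$sequence_12": "{ 8d85bcefffff 50 ff15???????? 68???????? }",
    "$sequence_13": "{ ff15???????? 68???????? 8d85dcf7ffff 50 }",
    "$sequence_14": "{ 68???????? 68???????? e8???????? 83c424 6aff }",
    "$sequence_15": "{ ffd0 c3 8bff 55 8bec 83ec1c 8d4de4 }",
    "$sequence_16": "{ 6a00 e8???????? 83c408 6aff ff15???????? }",
    "$sequence_17": "{ 83c424 53 50 ffd6 }",
    "$sequence_18": "{ 83c40c 33f6 85ff 7428 }",
    "$sequence_19": "{ 6aff ffd7 8b4dfc 33c0 }",
    "$sequence_20": "{ 6a00 51 ffb560e2ffff 50 }",
}
REQUIRED = 7           # "7 of them"
FILESIZE_LIMIT = 796672  # "filesize < 796672"


def evaluate_rule(data, strings=WIN_CLOP_SEQUENCES,
                  required=REQUIRED, max_size=FILESIZE_LIMIT):
    """Apply the rule's condition to `data`.  Returns (matched, hit_names)
    so a caller can see which strings fired even when the size clause fails."""
    hits = [name for name, hx in strings.items() if hex_to_regex(hx).search(data)]
    return len(hits) >= required and len(data) < max_size, hits


def instantiate(hex_string, fill="4"):
    """Constructed test data: one concrete byte string for a pattern, with
    every wildcard nibble replaced by `fill`."""
    nibbles = "".join(hex_string.strip().strip("{}").split())
    return bytes.fromhex(nibbles.replace("?", fill))


def build_sample(names=tuple(f"$sequence_{i}" for i in range(7))):
    """Constructed buffer containing instances of seven patterns separated by
    NOP filler; it is not derived from any real file."""
    body = b"\x90" * 4
    body = body.join(instantiate(WIN_CLOP_SEQUENCES[n]) for n in names)
    return b"\x00" * 64 + body


if __name__ == "__main__":
    sample = build_sample()
    matched, hits = evaluate_rule(sample)
    print(f"matched={matched}, {len(hits)} strings hit: {', '.join(hits)}")
    # Same bytes padded past the size limit: strings still hit, rule does not.
    print("oversized:", evaluate_rule(sample + b"\x00" * FILESIZE_LIMIT)[0])
```

The `filesize` clause is the part people most often lose when porting such rules to an EDR that scans memory rather than files: the oversized case in the script shows the strings all hitting while the rule stays silent, which is exactly what happens when a dump of a packed or injected process is larger than the limit the rule was tuned for.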
| Organization | Country | Sector | Group | Discovered |
|---|---|---|---|---|
| CENTINELA.COM.BR | BR | Not Found | — | 7 Feb 2026 |
| INTEROIL.COM.CO | CO | Energy | — | 21 Nov 2025 |
| GRUPOBIMBO.COM | MX | Agriculture and Food Production | — | 21 Nov 2025 |
| ENTERATEK.MX | MX | Technology | — | 27 Feb 2025 |
| VIDAGROUP.COM | MX | Business Services | — | 27 Feb 2025 |
| MUNDI.COM | BR | Hospitality and Tourism | — | 27 Feb 2025 |
| LOSCABOSMEXICANFOODS.COM | MX | Hospitality and Tourism | — | 27 Feb 2025 |
| IDPE.CO | CO | Business Services | — | 27 Feb 2025 |
| IUSA.MX | MX | Manufacturing | — | 27 Feb 2025 |
| INNOVADOR.COM.MX | MX | Technology | — | 27 Feb 2025 |
| INTERFACTURA.COM | MX | Technology | — | 27 Feb 2025 |
| HOMEDEPOT.COM.MX | MX | Consumer Services | — | 27 Feb 2025 |
| morrisgroup.co | CO | Manufacturing | — | 12 Feb 2025 |
| cesarcastillo.com | PR | Business Services | — | 10 Feb 2025 |
| BARCOMADE.COM | MX | Not Found | — | 10 Feb 2025 |
| EKOMERCIO.COM | MX | Business Services | — | 11 Jan 2025 |
| VELSOL.COM | PA | Technology | — | 6 Jan 2025 |
| UNICRED.COM.AR | AR | Financial Services | — | 30 May 2024 |
| BAM.COM.GT | GT | Financial Services | — | 11 Jul 2023 |
| ZURICH.COM.BR | BR | Financial Services | — | 20 Jun 2023 |
| CAJASANRAFAEL.COM.MX | MX | Financial Services | — | 24 Mar 2023 |
| GLOBALFARM.COM.AR | AR | Technology | — | 24 Mar 2023 |
| DERK.CL | CL | Business Services | — | 24 Mar 2023 |
| CHEMILAB.COM.CO | CO | Manufacturing | — | 23 Mar 2023 |
| UNISALLE.EDU.CO | CO | Education | — | 4 Jan 2023 |
| ORDEREXPRESS.COM.MX | MX | Business Services | — | 22 Dec 2022 |
The addresses of the leak sites (.onion) are known but are neither published nor linked. Only public metadata is shown.
[AI generated] Grupo Bimbo is a Mexico-based multinational bakery product manufacturer. Founded in 1945, it is the largest baking company in the world. It produces over 13,000 products under more than 100 brands, including Bimbo, Sara Lee and Thomas' English Muffins. Its products include breads, cookies and cakes, among others, appealing to numerous market segments.
[AI generated] ENTERATEK.MX is a Mexican company specializing in IT solutions. They are focused on providing their clients with the best technology to address their individual needs. With a dedicated team of experts, they offer services ranging from IT consulting and strategic planning to implementation and support. They work with businesses of all sizes across various industries. Their solutions are designed for efficiency, adapting to the constantly evolving tech industry to consistently deliver high-quality services.
[AI generated] Vida Group is a global executive search and leadership advisory firm. It serves industries such as consumer, industrial, technology, health care, and biotech, providing services including executive search, management and leadership assessment, and succession planning. The firm is known for its rigorous and systematic search process, targeting and engaging world-class talent.
[AI generated] MUNDI.COM is a global tech company specializing in travel services. It provides an expansive online platform that helps users find, compare and book travel services including flights, hotels and packages. Operating internationally, it offers services from numerous providers, striving to find the best deals and options for each customer's travel needs. It takes a customer-centric approach to helping travelers save time and money.