After encryption, the CLOP ransomware appends the “.Clop” extension to each file, and then it generates a text file, “ClopReadMe.txt”, containing a ransom note, in each folder. CLOP ransomware uses the RSA (Rivest-Shamir-Adleman) encryption algorithm, and any generated keys are stored on a remote server controlled by Clop operators.
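The two on-disk indicators described above (the appended extension and the per-folder note) are enough to scope which directories were hit during triage. The sweep below is an added example, not code from the article or from any researcher it cites; the function names and the sample folder layout are assumptions made for illustration.

```python
import os
import tempfile
from collections import defaultdict

# Indicators as named in the article; matched case-insensitively because
# casing on disk can differ from the write-up.
ENCRYPTED_EXT = ".clop"
NOTE_NAME = "clopreadme.txt"

def sweep(root):
    """Return {directory: {"note": bool, "encrypted": [file names]}} for every
    directory under root that holds a ransom note or a renamed file."""
    hits = defaultdict(lambda: {"note": False, "encrypted": []})
    # onerror swallows unreadable directories so one ACL does not stop the sweep
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            lower = name.lower()
            if lower == NOTE_NAME:
                hits[dirpath]["note"] = True
            elif lower.endswith(ENCRYPTED_EXT):
                hits[dirpath]["encrypted"].append(name)
    return dict(hits)

def original_name(encrypted_name):
    """The extension is appended, so removing it gives the name to look for
    in backups."""
    return encrypted_name[:-len(ENCRYPTED_EXT)]

def summarize(hits, root):
    """Rows of (relative dir, note present, encrypted count), worst first."""
    rows = [(os.path.relpath(d, root), h["note"], len(h["encrypted"]))
            for d, h in hits.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0]))

def build_sample_tree(root):
    """Constructed sample data: empty placeholder files, no real samples."""
    layout = {"finance": ["q3.xlsx.Clop", "budget.docx.Clop", "ClopReadMe.txt"],
              "hr": ["scan.pdf.CLOP", "ClopReadMe.txt"],
              "public": ["index.html"]}
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for name in names:
            open(os.path.join(root, folder, name), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for row in summarize(sweep(tmp), tmp):
            print(*row, sep="\t")
```

Directories that contain a note but no renamed files still appear in the result with a count of zero, which helps spot folders where encryption was interrupted.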
Cybersecurity group MalwareHunterTeam located a copy of the ransomware binary used against Software AG earlier this week. The ID in this ransom note allows MalwareHunterTeam and other security researchers to view the online chats between the Clop gang and Software AG on a web portal managed by the ransomware group.
Negotiations with the cybercriminals have been tense
On October 9, negotiations reached a standstill. The Clop gang retaliated by publishing screenshots of the company’s data on a dark web leak site that the hackers operate.
The screenshots show private data, including financial documents, employee passport and ID scans, employee emails, and directories from the firm’s internal network.