Analytics Story: Clop Ransomware

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Clop ransomware, including looking for file writes associated with Clop, encryption of network shares, deletion and resizing of shadow volume storage, registry key modification, deletion of security logs, and more.

Why it matters

Clop ransomware campaigns targeting healthcare and other vertical sectors involve the use of ransomware payloads along with exfiltration of data, per the HHS bulletin. Malicious actors demand payment for the ransom of data and threaten deletion and exposure of the exfiltrated data.

Detections

| Name | Technique | Type |
| --- | --- | --- |
| Ransomware Notes bulk creation | Data Encrypted for Impact | Anomaly |
| Clop Ransomware Known Service Name | Create or Modify System Process | TTP |
| Common Ransomware Extensions | Data Destruction | TTP |
| Resize ShadowStorage volume | Inhibit System Recovery | TTP |
| Suspicious wevtutil Usage | Clear Windows Event Logs | TTP |
| Process Deleting Its Process File Path | Indicator Removal | TTP |
| Windows Service Created with Suspicious Service Name | Service Execution | Anomaly |
| Windows Service Created with Suspicious Service Path | Service Execution | TTP |
| High Process Termination Frequency | Data Encrypted for Impact | Anomaly |
| Common Ransomware Notes | Data Destruction | Hunting |
| Windows Eventlog Cleared Via Wevtutil | Clear Windows Event Logs | Anomaly |
| Windows Event Logging Service Has Shutdown | Clear Windows Event Logs | Hunting |
| Windows High File Deletion Frequency | Data Destruction | Anomaly |
| Clop Common Exec Parameter | User Execution | TTP |
| Windows Event Log Cleared | Clear Windows Event Logs | TTP |
| Deleting Shadow Copies | Inhibit System Recovery | TTP |

Data Sources

| Name | Platform | Sourcetype | Source |
| --- | --- | --- | --- |
| Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log System 7045 | Windows | XmlWinEventLog | XmlWinEventLog:System |
| Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike |
| Sysmon EventID 5 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 1100 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Sysmon EventID 26 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 23 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log System 104 | Windows | XmlWinEventLog | XmlWinEventLog:System |
| Windows Event Log Security 1102 | Windows | XmlWinEventLog | XmlWinEventLog:Security |

Source: GitHub | Version: 2