Ciop ransomware is data locking virus that continues what Clop malware started – encrypts files and demands ransom payment for the alleged decryptor

Ciop ransomware is a variant of the Clop, which initially stems from CryptoMix virus family. In most cases, users download an executable or document file via a phishing email sent by the attackers. Nevertheless, the developers can also use different distribution tactics, such as brute-forcing, fake updates, drive-by downloads, etc. Once inside, the cyber threat uses the AES encryption algorithm to lock data, appends .Ciop extension to each of the affected files and prevents victims from accessing them. Ciop ransomware also drops a ransom note CIopReadMe.txt and explains that users need to contact hackers via unlock@eqaltech.su, unlock@royalmail.su or kensgilbomet@protonmail.com, and, because malware targets corporate networks rather than individuals, asks to include the name of the company and site address. Malware also uses software packing to evade detection – the main executable is compressed, which allows it to use a valid digital signature, consequently helping .Ciop file virus to evade detection.
| Name | Ciop |
| Type | Ransowmare |
| Previous versions | Clop |
| Virus family | CryptoMix |
| File extension | .Ciop |
| Ransom note | CIopReadMe.txt, ClopReadMe.txt |
| Contact | unlock@eqaltech.su, unlock@royalmail.su or kensgilbomet@protonmail.com |
| Related files | SCN0tification.exe, uZHOQbicgS |
| Peculiarities | Uses valid signature, checks for security software, spawns new services, communicates with Command & Control server, etc. |
| Termination | Use security software that can recognize the threat, such as Fortect (detected as TR/AD.ClopRansom.uxgju based on Avira scan engine)[1] |
Ciop ransomware is a sophisticated threat and, unfortunately, is not currently decryptable without backups. However, file recovery might be possible with the help of alternative methods, such as Windows Previous Versions feature or third-party software. Yet, the attempt to retrieve data should only be made after Ciop ransomware removal is performed, otherwise, the compromised system will repeatedly encrypt files.
Once .Ciop file virus enters the machine, it performs a variety of system changes, such as:
- Modifies Windows registry;
- Spawns new services and modifies existing ones;
- Gains administrator's access;
- Checks for security software and sends out system information;
- Deletes Shadow Volume Copies, etc.
After that, Ciop ransomware begins file encryption and changes the structure of databases, documents, pictures, videos, and other files by appending .Ciop or .CIOP file extensions. The ransom message then states the following:
————————————–Your networks has been penetrated!——————————————–
All files on each host in the network have been encrypted with a strong algorithm.
Backups were either encrypted or deleted or backup disks were formatted.
Shadow copies either encrypted, so F8 or any other methods may damage encrypted data but not recover.
We exclusively have decryption software for your situation.
===No DECRYPTION software is AVAILABLE in the PUBLIC===
===========DO NOT RESET OR SHUTDOWN – FILES MAY BE DAMAGED============
===========DO NOT RESET OR SHUTDOWN – FILES MAY BE DAMAGED============
===========DO NOT RESET OR SHUTDOWN – FILES MAY BE DAMAGED============
—THIS MAY LEAD TO THE IMPOSSIBILITY OF RECOVERY OF THE CERTAIN FILES—
—ALL REPAIR TOOLS ARE USELESS AND CAN DESTROY YOUR FILES IRREVERSIBLY—
If you want to restore your files write to email.
[CONTACTS ARE AT THE BOTTOM OF THE SHEET] and attach 4-6 encrypted files!
[Less than 7Mb each, non-archived and your files should not contain valuable information!!!
[Databases, large excel sheets, backups, etc…]]!!!
***You will receive decrypted samples and our conditions how to get the decoder***
<…>
According to cybercriminals, they are targeting organizations, rather than regular users, as they are talking about network infection. Nevertheless, studies showed that Ciop does not incorporate means necessary to spread laterally unless hackers break in via the RDP.
Nevertheless, it does not mean that regular users cannot be infected with Ciop file virus. Thus, if you were among the unlucky ones, remove Ciop ransomware from your device using security software. We recommend using FortectIntego or another AV engine that can recognize the threat. Besides, it was proved that malware might read a variety of information and send it to a remote server
Be aware that paying cybercriminals does not guarantee you the decryptor. As practice shows, some malware authors cannot even decrypt files themselves, and others might simply ignore you and keep your money. Thus, experts[2] advise to stay away from hackers and take care of Ciop ransomware infection without their help.

Use adequate precautionary measures to avoid ransomware infections
Users often underestimate the fact that they might get infected with horrible viruses and often neglect precautionary measures that are needed to protect themselves from such consequences. However, once they fall victims of ransomware, only then they realize how devastating the infection can be. Therefore, it is always better to prevent the virus rather than dealing with ramifications.
Industry experts advise the following:
- Employ reputable security software and keep it updated at all times;
- Enable built-in or third-party firewall;
- Always update your operating system and the installed software as soon as security patches are released;
- Use strong passwords for all your accounts, as well as two-factor authentication;
- Beware of phishing emails. While most of them end up in the Spam box, some of them might bypass built-in scanners and end up in your Inbox. Thus, treat every email with attachments or hyperlinks as a potential hazard;
- Install an ad-block program;
- Adequately protect the RDP connection if you are using one;
- Disable Javascript[3] and Flash plugin auto-run feature;
- Use browsers that incorporate advanced security measures against malware, phishing, and other threats.
Ciop ransomware removal and and file recovery procedure
As we already mentioned, Ciop virus is not decryptable, so only backups would save you from data loss. Nevertheless, you should not lose hope, as there are other methods you can rely on, like third-party tools that might be able to help you retrieve at least some files. Alternatively, security experts might create a decryption tool one day – many other viruses were decoded in such a way (No More Ransom project).[4]
But before that, you need to remove Ciop ransomware from your machine entirely. For that, we suggest you use security software that can recognize the threat (be aware that this malware uses sophisticated obfuscation techniques, so not all AV engines can detect it). In some cases, Ciop ransomware removal will only be possible via the Safe Mode, as the virus might be blocking anti-virus software from functioning. We explain how to do that below. You will also find instructions on how to attempt file recovery with the help of third-party software.
Was this guide helpful?
Be the first to comment