Clop ransomware resource decoder
I wrote a decoder for the obfuscated resources embedded in Clop ransomware (e.g., "SIXSIX1"), specifically for the sample with SHA256 hash:
1. Extract the resource from the executable.
2. Run the tool:
decodeResource.exe encryptedResourceFilePath.bin outputFilename.txt
Python 3 CLI
I also wrote a Python 3 version that should work on any platform, with the exact same usage — only Python:
python3 decodeResource.py encryptedResourceFilePath.bin outputFilename.txt
Read this blog post.