Cl0p
Specializes in mass exploitation of zero-days in widely used enterprise file transfer software — MOVEit, GoAnywhere, Accellion, Cleo, and Oracle EBS — hitting hundreds of organizations in single campaigns without deploying traditional ransomware. Operated by the TA505/FIN11 cybercriminal enterprise, Cl0p has extorted over $500 million in ransom payments and directly affected thousands of organizations and tens of millions of individuals since 2019.
Overview
Cl0p (also styled as CL0P, Clop, or CL0P^_-) is a ransomware and data extortion operation run by the TA505 cybercriminal enterprise, a Russian-speaking group active since at least 2014. The name derives from the Russian word "klop" (bed bug), a reference to an adaptable, persistent pest. The ransomware strain itself evolved from the CryptoMix family and first appeared in February 2019, but the group has since shifted its primary model away from traditional file encryption toward mass data theft and extortion without deploying ransomware payloads.
What distinguishes Cl0p from other ransomware groups is its systematic focus on discovering and mass-exploiting zero-day vulnerabilities in widely deployed enterprise file transfer platforms. By compromising a single piece of software used across thousands of organizations, the group can simultaneously access data from hundreds of victims in a single campaign, then methodically extort each one. This supply-chain-oriented approach has made Cl0p one of the most impactful cybercrime operations in history, with over $500 million in extracted ransom payments and thousands of directly affected organizations.
In Q1 2025, Cl0p surpassed LockBit as the most prolific ransomware group by volume of publicly disclosed breaches, and for 2025 as a whole NCC Group's annual report ranked it third with 517 attacks, behind Qilin and Akira.
Cl0p remains highly active into 2026. In late 2024 the group exploited zero-day vulnerabilities in Cleo MFT products (CVE-2024-50623, CVE-2024-55956), compromising over 200 organizations, and from August to October 2025 a campaign against Oracle E-Business Suite via CVE-2025-61882 produced at least 29 named victims, including Logitech, Harvard University, The Washington Post, Schneider Electric, and Broadcom. The group continues to discover and weaponize new zero-days in enterprise software.
Organizational Relationship: TA505, FIN11, and Cl0p
The relationship between TA505, FIN11, and Cl0p is complex and the subject of ongoing debate in the threat intelligence community. CISA and the FBI have stated that Cl0p and TA505 refer to the same group, but Mandiant considers FIN11 a subset of TA505, with specific threat clusters (UNC2546, UNC2582, UNC4857) merged into FIN11. Google Threat Intelligence Group (GTIG) has also noted that the Cl0p brand and data leak site may not be exclusively used by FIN11, suggesting the operation may involve expanded membership or partnerships. CrowdStrike tracks the group as Graceful Spider, while Microsoft uses Lace Tempest and Spandex Tempest.
Beyond Cl0p, TA505's criminal activities include initial access brokering, large-scale phishing and malspam distribution using malware families like Dridex and Locky, financial fraud, and botnet operations. TA505 is estimated to have compromised more than 3,000 U.S.-based organizations across its full operational history and is considered one of the largest phishing and malspam distributors worldwide.
Operational Model: Data Theft Over Encryption
While Cl0p was initially deployed as traditional double-extortion ransomware (encrypt files + threaten to leak stolen data), the group has progressively shifted since 2021 toward a pure data theft and extortion model. In recent campaigns, the group does not deploy ransomware encryption at all. Instead, it exploits zero-day vulnerabilities to gain access, rapidly exfiltrates data, and then sends extortion emails to executives at victim organizations threatening to publish stolen data on the CL0P^_- LEAKS site unless a ransom is paid. This approach reduces operational complexity, minimizes detection risk, and allows the group to scale victimization massively.
Target Profile
Cl0p's supply-chain exploitation model means that its victim pool is determined by whoever uses the targeted software platform. Victims span nearly every industry and geographic region, with a consistent preference for organizations with over $5 million in annual revenue.
- Enterprise File Transfer Software Users: The primary target category. Any organization running Accellion FTA, GoAnywhere MFT, MOVEit Transfer, Cleo Harmony/VLTrader/LexiCom, or Oracle E-Business Suite has been at risk during respective campaigns. This has included banks, hospitals, universities, government agencies, law firms, retailers, and manufacturers.
- Financial Services: Banking and financial institutions are consistently targeted. Cl0p ransom demands typically range from a few hundred thousand to $10 million, calibrated to the victim's perceived ability to pay.
- Government Agencies: Multiple U.S. federal and state agencies were affected by the MOVEit campaign. Cl0p publicly claimed to have erased government data and stated no interest in exposing government information, though the veracity of this claim is unverified.
- Healthcare & Education: The MOVEit campaign impacted national healthcare systems and numerous universities. The Oracle EBS campaign hit Harvard University and Wits University in South Africa. Despite claims of humanitarian restraint, healthcare organizations have appeared on the Cl0p leak site.
- Supply Chain & Logistics: The Cleo campaign disproportionately affected supply chain and logistics companies, accounting for roughly 20% of listed victims. High-profile targets included Blue Yonder, a Panasonic subsidiary providing supply chain services to Fortune 500 companies.
- Technology & Manufacturing: Major enterprises including Broadcom, Schneider Electric, Logitech, Emerson, and Copeland have been named as victims in the Oracle EBS campaign.
Tactics, Techniques & Procedures
Cl0p's operational model has evolved significantly over time. Early campaigns used traditional phishing and ransomware deployment, while current operations focus almost exclusively on zero-day exploitation of enterprise platforms for mass data theft. The following TTPs reflect the group's full operational history.
| mitre id | technique | description |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Core technique. Zero-day exploitation of internet-facing file transfer platforms and ERP systems: Accellion FTA (CVE-2021-27101 through 27104), SolarWinds Serv-U (CVE-2021-35211), GoAnywhere MFT (CVE-2023-0669), MOVEit Transfer (CVE-2023-34362), Cleo products (CVE-2024-50623, CVE-2024-55956), Oracle EBS (CVE-2025-61882). |
| T1505.003 | Web Shell | Custom web shells deployed on compromised platforms: DEWMODE (PHP, Accellion FTA), LEMURLOOT (C#, MOVEit Transfer), Malichus (Java, Cleo Harmony/VLTrader/LexiCom), and the multi-stage Java implant framework used against Oracle EBS. Each is purpose-built for the specific target platform. |
| T1566 | Phishing | Large-scale spearphishing campaigns used in earlier operations (2019-2020). Emails delivered macro-enabled documents that used the Get2 dropper to install SDBbot and FlawedGrace. In recent campaigns email is used only for extortion, sent from compromised third-party accounts. |
| T1078 | Valid Accounts | Compromised RDP credentials used for direct network access in earlier campaigns. In MOVEit exploitation, LEMURLOOT web shell creates unauthorized administrative accounts that persist even after server rebuilds if the database remains intact. |
| T1059 | Command and Scripting Interpreter | PowerShell and Bash commands executed via exploited file transfer platforms. Cleo exploitation leveraged the Autorun directory to import and execute arbitrary commands without authentication. |
| T1048 | Exfiltration Over Alternative Protocol | Rapid, large-scale data exfiltration from compromised file transfer platforms. Stolen data volumes range from hundreds of gigabytes to terabytes. In the Oracle EBS campaign, data was exfiltrated from ERP environments containing sensitive business and financial records. |
| T1486 | Data Encrypted for Impact | Cl0p ransomware encrypts files using RSA-2048 and RC4, appending .Clop or .CIOP extensions. Terminates security, database, and backup processes before encryption. However, encryption has been used less frequently in campaigns since 2021, with the group favoring pure data theft. |
| T1489 | Service Stop | Terminates processes related to security tools, databases (SQLSERVR.EXE, ORACLE.EXE), and backup services before encryption to prevent file locking and ensure successful data manipulation. |
| T1490 | Inhibit System Recovery | Deletes Volume Shadow Copy Service (VSS) snapshots, backup files, and event logs to prevent victim recovery and hinder forensic investigation. |
| T1553.002 | Code Signing | Cl0p binaries have been digitally signed with verified certificates to bypass security software and appear as legitimate executables. |
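The LEMURLOOT artefacts in the T1505.003 and T1078 rows above can be hunted for directly on a MOVEit Transfer host. The script below is an added example written for this profile; it is not code from the original page, Progress Software, CISA, Mandiant or Cl0p. The indicator names it uses (the human2.aspx web shell path, the X-siLock-Comment and X-siLock-Step control headers, and the "Health Check Service" sysadmin account with permission level 30) come from CISA advisory AA23-158A and Mandiant's LEMURLOOT analysis cited in the sources; the moveitisapi.dll action=m2 request comes from public analyses of the exploit chain. The IIS W3C field order, the column names of the user-table export, and every sample log line and account row are constructed assumptions that must be mapped onto the real deployment.

```python
"""
Hunt for LEMURLOOT-style activity on a MOVEit Transfer server.

Added example for this profile; not code from Progress Software, CISA,
Mandiant or Cl0p. Indicator names come from CISA AA23-158A and Mandiant's
LEMURLOOT write-up. ASSUMPTIONS: the IIS W3C field order below, the column
names of the user export, and every sample line/row are constructed for
illustration and must be mapped to the real deployment.
"""
import re
from datetime import datetime

# Indicators (AA23-158A / Mandiant). Kept in one table so a new campaign
# means editing data, not logic.
WEBSHELL_PATHS = {"/human2.aspx"}                  # the legitimate page is /human.aspx
EXPLOIT_QUERY = re.compile(r"(^|&)action=m2($|&)", re.I)   # POST /moveitisapi/moveitisapi.dll?action=m2
LEMURLOOT_HEADERS = {"x-silock-comment", "x-silock-step1", "x-silock-step2", "x-silock-step3"}
ROGUE_ACCOUNT_NAMES = {"health check service"}
SYSADMIN_PERMISSION = 30                           # MOVEit sysadmin permission level

# Assumed IIS W3C layout; the real order is given by the log's #Fields: line.
IIS_FIELDS = ["date", "time", "method", "stem", "query", "client", "status"]


def parse_iis_line(line):
    """Split one W3C log line into a dict; None for comments, blanks or short lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(IIS_FIELDS):
        return None
    return dict(zip(IIS_FIELDS, parts))


def hunt_iis_log(lines):
    """Return (line_number, reason, record) for every request matching an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_iis_line(line)
        if rec is None:
            continue
        stem = rec["stem"].lower()
        if stem in WEBSHELL_PATHS:
            hits.append((n, "request to LEMURLOOT web shell path", rec))
        elif stem.endswith("/moveitisapi/moveitisapi.dll") and EXPLOIT_QUERY.search(rec["query"]):
            hits.append((n, "moveitisapi.dll action=m2 exploit-chain request", rec))
    return hits


def hunt_request_headers(headers):
    """Names of LEMURLOOT control headers present in a captured request (WAF/proxy)."""
    return [h for h in headers if h.lower() in LEMURLOOT_HEADERS]


def audit_accounts(rows, approved_admins, window_start):
    """
    rows: flattened export of the MOVEit user table as dicts with 'login',
    'permission' and 'created' (ISO timestamp) - assumed column names.
    Flags the known rogue account name and any sysadmin-level account created
    on/after window_start that is not on the approved list. LEMURLOOT may
    delete its account afterwards, so also review user-creation log events,
    not only the current table contents.
    """
    since = datetime.fromisoformat(window_start)
    findings = []
    for row in rows:
        name = row["login"]
        if name.lower() in ROGUE_ACCOUNT_NAMES:
            findings.append((name, "known LEMURLOOT account name"))
        elif (row["permission"] == SYSADMIN_PERMISSION
              and name not in approved_admins
              and datetime.fromisoformat(row["created"]) >= since):
            findings.append((name, "unapproved sysadmin created in exploitation window"))
    return findings


# Constructed samples (not real log data).
SAMPLE_IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2023-05-28 09:12:04 GET /human.aspx - 203.0.113.5 200
2023-05-28 09:12:09 POST /moveitisapi/moveitisapi.dll action=m2 198.51.100.23 200
2023-05-28 09:12:15 POST /human2.aspx - 198.51.100.23 200
2023-05-28 09:13:01 GET /api/v1/folders - 203.0.113.5 200
""".splitlines()

SAMPLE_USERS = [
    {"login": "mftadmin", "permission": 30, "created": "2021-03-01T08:00:00"},
    {"login": "Health Check Service", "permission": 30, "created": "2023-05-28T09:12:20"},
    {"login": "x7k2p", "permission": 30, "created": "2023-05-28T09:12:21"},
    {"login": "alice", "permission": 10, "created": "2023-05-28T11:00:00"},
]

if __name__ == "__main__":
    for n, why, rec in hunt_iis_log(SAMPLE_IIS_LOG):
        print(f"log line {n}: {why}: {rec['method']} {rec['stem']} from {rec['client']}")
    for name, why in audit_accounts(SAMPLE_USERS, {"mftadmin"}, "2023-05-27T00:00:00"):
        print(f"account {name!r}: {why}")
```

Run the account audit against the database, not the rebuilt web server: the T1078 row notes that LEMURLOOT-created accounts survive a server rebuild if the database is kept, and the shell can delete its own account after use, so the creation events in the application audit log are the more reliable record.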
Known Campaigns
Cl0p's major campaigns follow a consistent pattern: discover a zero-day in widely deployed enterprise software, mass-exploit it to exfiltrate data, then systematically extort victims weeks later.
Accellion FTA (December 2020 to January 2021)
Exploited four zero-day vulnerabilities (CVE-2021-27101 through CVE-2021-27104) in Accellion's legacy File Transfer Appliance. Deployed the DEWMODE web shell to exfiltrate data from over 100 organizations, including major universities, banks, and government agencies. No encryption was deployed; pure data theft and extortion via the Cl0p leak site.
SolarWinds Serv-U (2021)
Exploited CVE-2021-35211 in SolarWinds Serv-U FTP software for remote code execution, enabling data theft from targeted organizations.
GoAnywhere MFT (January to February 2023)
Exploited CVE-2023-0669, a zero-day in Fortra's GoAnywhere MFT platform. Cl0p claimed to have exfiltrated data from approximately 130 victims over a 10-day period. No lateral movement into victim networks was identified, suggesting the breach was limited to the GoAnywhere platform itself. Victims included Hitachi Energy, Hatch Bank, and the City of Toronto.
MOVEit Transfer (May to June 2023)
The group's largest and most impactful campaign. Exploited CVE-2023-34362, a SQL injection zero-day in Progress Software's MOVEit Transfer. Deployed the LEMURLOOT web shell to steal data from the underlying databases. Impacted over 2,500 organizations and exposed data belonging to tens of millions of individuals. Victims included the BBC, British Airways, Shell, Sony, Siemens Energy, PwC, EY, multiple U.S. federal agencies, and numerous healthcare and educational institutions. CISA and the FBI issued a joint advisory (#StopRansomware: AA23-158A), and the U.S. State Department's Rewards for Justice program offered up to $10 million for information linking Cl0p to a foreign government.
Cleo Harmony, VLTrader, and LexiCom (December 2024)
Exploited CVE-2024-50623 and CVE-2024-55956, zero-day vulnerabilities in Cleo's Harmony, VLTrader, and LexiCom managed file transfer products. An initial patch released in October 2024 was found to be insufficient. Over 200 organizations were compromised, with approximately 1,700 servers observed under attack. Victims were concentrated in the supply chain and logistics sectors. Named victims included Blue Yonder (a Panasonic subsidiary), with downstream impact to Starbucks and other major enterprises.
Oracle E-Business Suite (August to October 2025)
Exploited CVE-2025-61882 (CVSS 9.8), a critical zero-day in Oracle E-Business Suite's BI Publisher Integration component, enabling unauthenticated remote code execution. Exploitation began as early as August 9, 2025, weeks before Oracle released patches on October 4-5. A coordinated extortion email campaign targeted executives at dozens of organizations starting September 29. At least 29 organizations were named on the Cl0p leak site, including Logitech, The Washington Post, Harvard University, Schneider Electric, Broadcom, American Airlines subsidiary Envoy Air, and Cox Enterprises. Google GTIG and Mandiant provided detailed technical analysis of the multi-stage Java implant framework used in the campaign.
Tools & Malware
Known custom and commodity tools associated with Cl0p and its parent TA505/FIN11 operation.
- Cl0p Ransomware: The group's namesake encryption payload, evolved from CryptoMix. Uses RSA-2048 and RC4 encryption. Appends .Clop or .CIOP extensions. Digitally signed binaries. Terminates security, database, and backup processes. Used less frequently in recent campaigns as the group shifted to pure data extortion.
- DEWMODE: Custom PHP web shell designed specifically for Accellion FTA devices. Interacts with the underlying MySQL database to enumerate and exfiltrate stored files.
- LEMURLOOT: Custom C# web shell targeting MOVEit Transfer. Authenticates incoming HTTP requests via hard-coded password. Downloads files from MOVEit databases, creates unauthorized administrative accounts, and executes operating system commands.
- Malichus: Java-based malware payload deployed during the Cleo MFT exploitation campaign. Used to establish backdoor access and facilitate data exfiltration from compromised Cleo servers.
- Oracle EBS Java Implant Framework: Multi-stage Java implant framework used in the 2025 Oracle E-Business Suite campaign. Analyzed by Google GTIG and Mandiant. Deployed through exploitation of CVE-2025-61882 and supplementary vulnerabilities.
- FlawedGrace / SDBbot: Remote access trojans used in earlier TA505 phishing campaigns. SDBbot was used for data collection and exfiltration; FlawedGrace provided persistent backdoor access.
- Truebot: First-stage downloader attributed to the Silence hacking group, used by TA505 to collect system information, take screenshots, and download additional payloads including FlawedGrace and Cobalt Strike beacons.
- Get2 Malware Dropper: Loader used in early Cl0p phishing campaigns to deliver SDBbot and FlawedGrace payloads via macro-enabled documents.
- Cobalt Strike: Used to expand network access after gaining a foothold on Active Directory servers in pre-2021 campaigns that involved traditional lateral movement.
Indicators of Compromise
Publicly available IOCs come from CISA advisories and threat intelligence reports. Because Cl0p exploits a specific enterprise platform with purpose-built tooling in each campaign, indicators are platform- and campaign-specific: IOCs from one campaign (e.g., the MOVEit web shell) do not apply to another (e.g., Oracle EBS). Consult the CISA advisory and vendor guidance for each affected platform, and cross-reference against live threat intelligence feeds before acting on any indicator.
Mitigation & Defense
Recommended defensive measures based on CISA, FBI, and vendor-specific advisories for organizations in Cl0p's target profile.
- Patch file transfer and ERP platforms immediately: Cl0p's entire model depends on exploiting unpatched internet-facing applications. Apply all critical patches for MOVEit Transfer, Cleo Harmony/VLTrader/LexiCom, GoAnywhere MFT, Oracle EBS, and any other enterprise file transfer software as soon as they are released. Prioritize emergency patches over change management windows.
- Minimize internet exposure of file transfer platforms: Remove file transfer applications from the public internet wherever possible. Place them behind VPNs, zero-trust access controls, or network segmentation. Cl0p's mass-exploitation model targets internet-facing instances specifically.
- Audit for unauthorized accounts and web shells: After any patch application to file transfer software, conduct forensic investigation to determine if compromise occurred during the vulnerability window. Check for LEMURLOOT-created admin accounts in MOVEit databases, DEWMODE web shells on Accellion FTA, and Malichus payloads on Cleo servers. Rebuilding the web server alone is insufficient if the database retains compromised accounts.
- Monitor for data exfiltration: Deploy DLP controls and network monitoring to detect anomalous outbound data transfers from file transfer platforms. Cl0p typically exfiltrates large volumes of data (hundreds of GB to TB) before initiating extortion. Early detection of exfiltration may limit exposure.
- Filter extortion emails: Cl0p sends mass extortion emails to executives at victim organizations from compromised third-party accounts and newly registered addresses. Configure email security to filter known Cl0p extortion indicators and train executives to recognize and report extortion attempts.
- Maintain offline, tested backups: While Cl0p has shifted toward pure data theft, the ransomware variant remains available and deployed in select campaigns. Maintain offline, air-gapped backup copies and regularly test restoration procedures.
- Participate in threat intelligence sharing: Cl0p campaigns often unfold over weeks between initial exploitation and extortion contact. Organizations should subscribe to CISA alerts, vendor security advisories, and sector-specific ISACs to receive early warning of new Cl0p campaigns.
- Review and restrict enterprise software supply chain: Assess all third-party file transfer and ERP solutions for internet exposure and patch status. Cl0p's operational model targets the software supply chain; any widely deployed enterprise platform with internet-facing components is a potential target.
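The exfiltration signal in the monitoring bullet above is concrete enough to script. The following is an added example for this profile, not code from any vendor, advisory or the original page. It assumes flow records already reduced to per-flow byte counts (for instance from NetFlow/IPFIX or a forward proxy), uses constructed sample data in which a file transfer host that normally moves tens of megabytes an hour suddenly pushes 300 GB to a peer it has never contacted, and its thresholds are illustrative values to be tuned against each host's real history.

```python
"""
Outbound-volume anomaly check for managed file transfer (MFT) hosts.

Added example for this profile, not code from any vendor or advisory.
ASSUMPTIONS: flow records are already summarised to dicts with 'ts'
(datetime), 'src' (host name), 'dst' (peer IP) and 'bytes_out', e.g.
from NetFlow/IPFIX or a proxy; thresholds are illustrative and should be
tuned to each host's real history.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

GiB = 1024 ** 3


def hourly_outbound(flows):
    """Sum bytes_out per (src host, hour bucket)."""
    buckets = defaultdict(int)
    for f in flows:
        hour = f["ts"].replace(minute=0, second=0, microsecond=0)
        buckets[(f["src"], hour)] += f["bytes_out"]
    return buckets


def detect_exfil(flows, baseline_days=7, ratio=10.0, floor=1 * GiB):
    """
    Alert on (src, hour) whose outbound total is at least `ratio` times the
    host's median hourly volume over the preceding `baseline_days` AND above
    an absolute `floor`. The per-host baseline keeps a busy but steady host
    quiet; the floor stops a near-idle host alerting on one small transfer.
    """
    per_host = defaultdict(dict)
    for (src, hour), total in hourly_outbound(flows).items():
        per_host[src][hour] = total
    alerts = []
    for src, series in per_host.items():
        for hour in sorted(series):
            lo = hour - timedelta(days=baseline_days)
            history = [v for h, v in series.items() if lo <= h < hour]
            if len(history) < 24:          # not enough history to judge
                continue
            base = median(history)
            total = series[hour]
            if total >= floor and total >= ratio * base:
                alerts.append({"src": src, "hour": hour, "bytes": total, "baseline": base})
    return alerts


def new_destinations(flows, alert):
    """Peers the alerted host contacted in the alert hour but never before it."""
    src, hour = alert["src"], alert["hour"]
    before = {f["dst"] for f in flows if f["src"] == src and f["ts"] < hour}
    during = {f["dst"] for f in flows
              if f["src"] == src and hour <= f["ts"] < hour + timedelta(hours=1)}
    return during - before


def constructed_flows():
    """Constructed sample: 8 days of hourly flows for two MFT hosts, plus one theft."""
    start = datetime(2023, 5, 20)
    flows = []
    for h in range(8 * 24):
        ts = start + timedelta(hours=h)
        # mft-01: ~40 MB/h of partner transfers to one known peer
        flows.append({"ts": ts, "src": "mft-01", "dst": "203.0.113.10",
                      "bytes_out": 40_000_000 + (h % 5) * 1_000_000})
        # mft-02: busy but consistent at ~3 GB/h; must not alert
        flows.append({"ts": ts, "src": "mft-02", "dst": "203.0.113.20",
                      "bytes_out": 3_000_000_000 + (h % 3) * 100_000_000})
    # day 8, 03:12: mft-01 pushes 300 GB to a peer it has never spoken to
    flows.append({"ts": start + timedelta(days=7, hours=3, minutes=12),
                  "src": "mft-01", "dst": "198.51.100.77", "bytes_out": 300_000_000_000})
    return flows


if __name__ == "__main__":
    flows = constructed_flows()
    for a in detect_exfil(flows):
        print(f"{a['src']} {a['hour']:%Y-%m-%d %H:00}: {a['bytes'] / GiB:.1f} GiB out, "
              f"baseline {a['baseline'] / GiB:.3f} GiB/h, new peers {new_destinations(flows, a)}")
```

The per-host baseline is the important design choice: a busy MFT host that always moves gigabytes an hour stays quiet, while a quiet one that suddenly moves hundreds of gigabytes to a never-seen peer fires. Cl0p's theft happens quickly after exploitation and weeks before any extortion email, so an alert of this shape is often the only in-window signal a victim gets.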
Cl0p campaigns follow a predictable cadence: zero-day exploitation and data theft come weeks or months before extortion contact. Organizations that patched promptly may still have been compromised before a patch existed; the Oracle EBS vulnerability, for example, was exploited for nearly two months before Oracle released fixes. Forensic investigation is therefore essential for any organization that ran affected software during the exploitation period, regardless of current patch status.
Sources & Further Reading
Attribution and references used to build this profile.
- CISA / FBI — #StopRansomware: CL0P Ransomware Gang Exploits MOVEit Vulnerability (2023)
- Google GTIG / Mandiant — Oracle E-Business Suite Zero-Day Exploited in Widespread Extortion Campaign (2025)
- Canadian Centre for Cyber Security — Profile: TA505 / CL0P Ransomware (2023)
- MITRE ATT&CK — Clop (S0611)
- Barracuda Networks — Cl0p Ransomware: The Skeezy Invader (2025)
- Paubox — Cl0p Ransomware Gang Names 29 Oracle EBS Breach Victims (2025)
- SOCRadar — Cleo File Transfer Vulnerabilities: Cl0p's Latest Attack Vector (2025)
- Trend Micro — Ransomware Spotlight: Clop
- HHS HC3 — Threat Actor Profile: FIN11 (2023)