Clop Ransomware

About This Threat Profile

First Identified: 2019

Threat Type:
Ransomware-as-a-Service (RaaS)

Extortion method:
Originally a double extortion group; however, since 2020 the group has focused on data extortion via large-scale supply chain attacks, threatening to leak stolen data via its data leak site if the ransom demand is not paid.

Most frequently targeted industry:

  • Industrials (Manufacturing)
  • Industrials (Transportation)
  • Consumer Cyclicals (Retail)

Most frequently targeted victim HQ region: North America

Known Associates:

  • CryptoMix Ransomware
  • FIN7
  • FIN11
  • Silence Group
  • TA505

Select MITRE ATT&CK Mappings

    • Initial Access
      • Valid accounts, exploitation of remote services, vulnerability exploitation, supply chain compromise, social engineering (MITRE ATT&CK: T1078, T1133, T1190, T1195, T1566)
    • Persistence
      • Boot or logon initialization scripts, scheduled tasks, account manipulation, create account, office application startup, server software component, create/modify system processes, event triggered execution, boot or logon autostart execution (MITRE ATT&CK: T1505, T1543, T1546, T1547)
    • Lateral Movement
      • Exploitation of remote services, use alternate authentication method, remote service session hijacking, RDP, lateral tool transfer (MITRE ATT&CK: T1021, T1550, T1563, T1570)

Description of Clop Ransomware

Clop (sometimes referred to as Cl0p) ransomware was first identified in 2019 and operates using the double extortion method, in which victims’ data is stolen and then leaked via a data leak site if the ransom is not paid. Clop is purportedly derived from the CryptoMix ransomware operation; it is widely believed that the group’s name originates from the Russian word “klop,” which means “bed bug.”

Clop operators have gained notoriety over the previous five years for exploiting high-profile vulnerabilities to conduct large-scale supply chain attacks affecting hundreds to thousands of victims. In these cases, the group has reportedly avoided encryption altogether and focused its efforts on stealing sensitive information that can be used to extort the victims, their partners, and their clients.

  • In December 2020, Clop operators exploited Accellion FTA zero-day vulnerabilities (CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104) to breach up to 100 companies using Accellion’s legacy File Transfer Appliance. The group used the DEWMODE web shell to exfiltrate sensitive data and then threatened to leak the data if the ransom was not paid. This attack was attributed to the FIN11 affiliate of the Clop ransomware operation.
  • In February 2023, Clop operators exploited CVE-2023-0669 in Fortra’s GoAnywhere MFT secure transfer tool to gain remote code execution (RCE) on unpatched instances. The Clop operators reportedly stole data from 130 compromised organizations over a period of 10 days. The group then listed organizations that refused to pay a ransom on its data leak site.
  • In May 2023, Clop operators exploited CVE-2023-34362 in Progress’s MOVEit Transfer solution to exfiltrate data from thousands of companies; researchers have estimated roughly 2,000 victims. The attacks began on May 27, 2023, and victims were named on the group’s data leak site beginning on June 14, 2023. The group claimed to have deleted any data stolen from governments, military organizations, and children’s hospitals during the attacks; however, that claim has not been verified. In the previous Accellion and GoAnywhere attacks, the operators emailed their extortion demands to the victims. In the MOVEit attacks, the group instead required the victims to contact the group to begin ransom negotiations.
  • In December 2024, Clop operators claimed responsibility for targeting and exploiting zero-day vulnerabilities in the Cleo Harmony, VLTrader, and LexiCom file transfer platforms. In October 2024, an unrestricted file upload and download vulnerability, CVE-2024-50623, was patched in the software; in December 2024 the patch was found to be insufficient, and threat actors were able to exploit a second zero-day, CVE-2024-55956, to conduct data theft attacks.
  • In October 2025, the targeting of multiple organizations via a critical zero-day vulnerability in Oracle’s E-Business Suite (EBS), CVE-2025-61882, was attributed to Clop. The group was reported to have been exploiting the vulnerability since at least August 2025, and reportedly began sending extortion emails to executives at victim companies in early October.
  • In late November 2025, Clop reportedly exploited a vulnerability, CVE-2025-14611, to target dozens of victims in data exfiltration attacks. Researchers reported more than 200 exposed “CentreStack – Login” portals, indicating these were active targets. Technical analysis revealed that the exploitation involved unauthenticated local file inclusion to extract machine keys, followed by ViewState deserialization attacks that enabled remote code execution, persistent access, and theft of sensitive corporate files. This activity aligns with Clop’s long-standing pattern of abusing vulnerabilities to maximize data exfiltration while avoiding traditional ransomware deployment.

These attacks target high-profile victims, including institutions such as Dartmouth. At Dartmouth alone, attackers stole 226 GB of personal data, including bank account numbers, Social Security numbers, and birth dates, between August 9 and 12, 2025; the theft was discovered when Clop posted stolen files to its dark web leak portal. Consistent with its previous techniques, Clop relied on data-theft extortion, leveraging the zero-day to directly access and extract files without triggering typical ransomware indicators.

In January 2026, Clop published 43 global victims to its leak site within a 24-hour period. Targets included Hilton, The Weather Company (Weather.com), multiple law firms, MSPs, construction firms, financial institutions, and educational institutions across the U.S., U.K., Europe, Canada, and New Zealand. This spike highlights Clop’s automation of reconnaissance and victim enumeration, likely using broad Internet-wide scanning to identify exploitable systems at scale. The diversity of victims and industries suggests Clop continues its “mass opportunistic extortion” rather than sector-specific targeting.

In 2023, the U.S. State Department’s Rewards for Justice program announced a bounty of up to $10 million for information linking the Clop ransomware attacks to a foreign government. The bounty was announced after the Clop ransomware group claimed responsibility for data theft attacks on companies using the MOVEit Transfer platform.

In 2021, an international law enforcement operation involving 19 agencies across 17 countries led to the apprehension of six purported Clop members. The operation was the result of a 30-month investigation into attacks against South Korean companies and U.S. academic institutions. While law enforcement operations have proven successful in disrupting the group, the continued operations of the Clop ransomware group highlight the difficulty of completely shutting down a prolific ransomware operation.

Date published: October 2, 2025
Author: Blackpoint Cyber