Clop (also written Cl0p) ransomware was first identified in 2019 and in 2020 added double extortion to its arsenal: victims' data is stolen before encryption and leaked on a data leak site if the ransom is not paid. Clop is purportedly derived from the CryptoMix ransomware operation, and the group's name is widely believed to come from the Russian word "klop", meaning "bed bug." The group was first identified after a large-scale phishing campaign that delivered a binary signed with a valid digital certificate, which made the payload look like a legitimate executable.
Clop operators have gained notoriety over the past several years for exploiting high-profile vulnerabilities in widely deployed enterprise software, most often managed file transfer products, to conduct large-scale supply chain attacks affecting hundreds to thousands of victims. In these campaigns the group has reportedly skipped encryption entirely and focused on stealing sensitive data that can be used to extort the victims, their partners, and their clients.
- In December 2020, Clop operators exploited zero-day vulnerabilities in Accellion's legacy File Transfer Appliance (FTA) (CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104) to breach up to 100 organizations. The group deployed the DEWMODE web shell to exfiltrate sensitive data and then threatened to leak it if the ransom was not paid. The activity was attributed to FIN11, an affiliate of the Clop ransomware operation.
- In February 2023, Clop operators exploited CVE-2023-0669, a pre-authentication remote code execution vulnerability in Fortra's GoAnywhere MFT secure file transfer product, against unpatched, Internet-exposed instances. The group reportedly stole data from around 130 organizations over a period of roughly 10 days and then listed those that refused to pay a ransom on its data leak site.
- In May 2023, Clop operators exploited CVE-2023-34362, a SQL injection vulnerability in Progress MOVEit Transfer, to exfiltrate data from thousands of organizations; researchers have estimated roughly 2,000 victims. The attacks began on May 27, 2023, and victims were named on the group's data leak site beginning June 14, 2023. The group claimed to have deleted any data stolen from governments, military organizations, and children's hospitals during the attacks; that claim has not been verified. In the earlier Accellion and GoAnywhere campaigns, the operators emailed their extortion demands to victims; in the MOVEit campaign, victims were instead required to contact the group themselves to open ransom negotiations.
- In December 2024, Clop claimed responsibility for exploiting zero-day vulnerabilities in Cleo's Harmony, VLTrader, and LexiCom file transfer products. An unrestricted file upload and download vulnerability, CVE-2024-50623, had been patched in October 2024; in December 2024 that patch was found to be insufficient, and threat actors exploited a second zero-day, CVE-2024-55956, to conduct data theft attacks.
- In October 2025, attacks on multiple organizations through CVE-2025-61882, a critical zero-day vulnerability in Oracle E-Business Suite (EBS), were attributed to Clop. The group was reported to have been exploiting the vulnerability since at least August 2025 and reportedly began sending extortion emails to executives at victim companies in early October.
Like other ransomware operations, Clop attempts to delete backup files and Volume Shadow Copies, clear Windows event logs, terminate security software, and resize shadow copy storage (which forces older shadow copies to be purged) before encryption, when the encryption component is used at all. Ransomware binaries are built per victim, each embedding a 1024-bit RSA public key and a unique ransom note. The malware encrypts file contents using the Windows CryptoAPI, writes the ciphertext to a new file, and then deletes the original.
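The staging steps above (shadow copy deletion and resizing, event log clearing, backup deletion, security service termination) are where Clop is most detectable on an endpoint, because they run as ordinary child processes before any file is touched. The following is an added example, not code from the original page or from any Clop sample, of detection logic run over constructed process-creation events. The pipe-delimited log format, the rule names, and the sample command lines are this example's own assumptions; the commands matched are the usual Windows staging commands for the steps listed, not strings recovered from Clop. Rather than alerting on any single command (a backup administrator legitimately resizes shadow storage), it correlates distinct categories per host within a short window and escalates immediately only for the high-confidence ones.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# One process-creation event (e.g. Sysmon Event ID 1 or Security 4688) flattened
# to a pipe-delimited line: timestamp|host|user|image|command line.
# This layout is constructed for the example, not a real product format.
Event = namedtuple("Event", "ts host user image cmdline")

# Rule name -> (pattern over the lower-cased command line, severity).
# The matched commands are typical staging commands for the steps the text
# describes; they are assumptions for this example, not strings from a Clop sample.
RULES = {
    "shadow_delete":  (re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"
                                  r"|\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"), "high"),
    "shadow_resize":  (re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b"), "high"),
    "recovery_off":   (re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b"), "high"),
    "eventlog_clear": (re.compile(r"\bwevtutil(\.exe)?\b\s+(cl|clear-log)\b"), "medium"),
    "backup_delete":  (re.compile(r"\b(del|erase)\b.*\.(bak|bkf|vbk|vbm|vib)\b"), "medium"),
    "security_stop":  (re.compile(r"\b(net1?|sc)(\.exe)?\s+stop\s+\S*"
                                  r"(defend|sense|sophos|mcafee|symantec|crowdstrike|veeam|sql)"), "medium"),
    "taskkill_force": (re.compile(r"\btaskkill(\.exe)?\b.*\s/f\b"), "low"),
}


def parse_line(line):
    """Split one pipe-delimited log line into an Event with a parsed timestamp."""
    ts, host, user, image, cmdline = line.rstrip("\n").split("|", 4)
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, user, image, cmdline)


def classify(cmdline):
    """Return the names of every rule whose pattern matches the command line."""
    low = cmdline.lower()
    return [name for name, (pat, _) in RULES.items() if pat.search(low)]


def correlate(events, window=timedelta(minutes=10)):
    """Per host, find the window holding the most distinct rule categories.

    Alert when that window contains any high-severity rule, or at least two
    distinct categories (a single 'net stop' or 'taskkill' on its own is noise).
    Returns {host: sorted list of rule names} for hosts that crossed the bar.
    """
    hits = defaultdict(list)  # host -> [(timestamp, rule)]
    for ev in events:
        for rule in classify(ev.cmdline):
            hits[ev.host].append((ev.ts, rule))

    alerts = {}
    for host, seq in hits.items():
        seq.sort()
        best = set()
        for i, (start, _) in enumerate(seq):
            in_window = {r for t, r in seq[i:] if t - start <= window}
            if len(in_window) > len(best):
                best = in_window
        severities = {RULES[r][1] for r in best}
        if "high" in severities or len(best) >= 2:
            alerts[host] = sorted(best)
    return alerts


def detect(log_text, window=timedelta(minutes=10)):
    """Parse a whole log and return the correlated per-host alerts."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return correlate(events, window)


# Constructed sample log: one host running the full staging sequence in seconds,
# one workstation doing ordinary admin work that must not alert.
SAMPLE_LOG = """\
2023-06-02T03:14:07Z|FS01|CORP\\svc_backup|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2023-06-02T03:14:09Z|FS01|CORP\\svc_backup|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
2023-06-02T03:14:12Z|FS01|CORP\\svc_backup|C:\\Windows\\System32\\wevtutil.exe|wevtutil cl System
2023-06-02T03:14:13Z|FS01|CORP\\svc_backup|C:\\Windows\\System32\\cmd.exe|cmd.exe /c del /f /q D:\\backups\\*.bak
2023-06-02T03:14:15Z|FS01|CORP\\svc_backup|C:\\Windows\\System32\\net.exe|net stop "Sophos Endpoint Defense Service" /y
2023-06-02T09:00:01Z|WS22|CORP\\jsmith|C:\\Windows\\System32\\wevtutil.exe|wevtutil qe Application /c:5
2023-06-02T09:30:44Z|WS22|CORP\\jsmith|C:\\Windows\\System32\\taskkill.exe|taskkill /f /im notepad.exe
"""

if __name__ == "__main__":
    for host, rules in detect(SAMPLE_LOG).items():
        print(f"ALERT {host}: pre-encryption staging observed ({', '.join(rules)})")
```

On the sample above only FS01 alerts, with all five staging categories; WS22's `wevtutil qe` is a query rather than a clear, and its lone forced `taskkill` stays below the threshold. In production the same rules are better expressed in the EDR or SIEM's native language, and the window should be tuned to the environment, but the structure (independent category rules plus per-host correlation) is what separates this from an alert on every `vssadmin` invocation.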
In 2021, an international law enforcement operation involving 19 agencies from 17 countries led to the arrest of six alleged Clop members in Ukraine. The operation concluded a 30-month investigation into attacks against South Korean companies and U.S. academic institutions. While such operations have succeeded in disrupting the group, Clop's continued activity since then illustrates how difficult it is to fully shut down a prolific ransomware operation.
In June 2023, the U.S. State Department's Rewards for Justice program announced a reward of up to $10 million for information linking the Clop ransomware attacks to a foreign government. The announcement followed the group's claim of responsibility for the data theft attacks on organizations using the MOVEit Transfer platform.