CLOP
Clop (also stylized as Cl0p or CL0P) is a ransomware-as-a-service (RaaS) operation run by a Russian-speaking cybercriminal group, primarily known for deploying the Cl0p ransomware variant, which encrypts victims' files using a combination of symmetric ciphers such as RC4 or AES and asymmetric encryption such as RSA, varying by variant, while employing double extortion by stealing and threatening to leak sensitive data on its dark web site, Cl0p^_-LEAKS.[1][2][3] The malware appends a ".cl0p" extension to affected files and targets Windows environments, often spreading across networks via Active Directory to maximize impact.[2][4] Evolving from the earlier CryptoMix ransomware family, Clop first emerged in February 2019 and is associated with the notorious TA505 cybercrime syndicate, which has a history of distributing various malware strains.[1][3][4] The group typically avoids targeting organizations in Russian-speaking countries and has been responsible for compromising thousands of organizations worldwide, including over 2,000 in the 2023 MOVEit campaign affecting sectors such as government, healthcare, finance, retail, and education.[1][3] By 2021, its operations had reportedly generated at least $500 million in ransom payments, though the group shifted toward data exfiltration over pure encryption in subsequent years.[3]

Clop's campaigns frequently exploit zero-day vulnerabilities in file transfer and management software for initial access, using tools such as web shells (e.g., LEMURLOOT, DEWMODE), remote access trojans (e.g., FlawedAmmyy, Cobalt Strike), and malware loaders (e.g., Truebot, SDBot) to maintain persistence and exfiltrate data.[1][3][4] Notable incidents include the 2020 Accellion FTA attacks compromising organizations such as Shell and universities; the 2023 MOVEit Transfer zero-day exploitation (CVE-2023-34362) that impacted over 2,000 entities and 62 million individuals; the 2024 Cleo Harmony/Helix supply chain breaches leading to massive data leaks; and a 2025 campaign targeting Oracle E-Business Suite via a zero-day flaw (CVE-2025-61882), affecting nearly 30 organizations including the Washington Post (impacting nearly 10,000 individuals) and the UK National Health Service as of November 2025.[1][2][4] In response to such threats, U.S. authorities offered a $10 million reward in 2023 for information leading to the disruption of the group.[2]

Overview
Description
Clop, stylized as Cl0p to evade detection mechanisms, is a cybercriminal group specializing in ransomware attacks and double extortion tactics that combine file encryption with data theft to pressure victims.[2][5] The operation employs a Ransomware-as-a-Service (RaaS) model, distributing its malware to affiliates who conduct intrusions and share profits from successful extortions.[6] The Clop ransomware variant, derived from the earlier CryptoMix family, targets Windows systems and encrypts files using a combination of AES-256, RSA, and, in some variants, RC4 algorithms, appending the .clop extension to affected files.[2][6][5][4] Upon infection, it generates ransom notes, typically named README.TXT, ClopReadMe.txt, or similar, demanding payment in Bitcoin for decryption keys and emphasizing the consequences of non-payment, including data exposure.[2][6] To enhance stealth, the malware incorporates features such as killing processes to disable security tools, detecting virtual environments to evade analysis, and code signing with verified digital signatures.[6][2]

Clop's operational style prioritizes data exfiltration prior to encryption, stealing sensitive information such as intellectual property, financial records, and personal data using tools such as rclone or MegaSync before locking files.[5] If ransoms remain unpaid, the group publicizes stolen data on its Tor-based "name-and-shame" leak site, Cl0p^_-Leaks, launched in March 2020, to amplify extortion pressure.[6][5] Active since its first detection in February 2019, Clop has targeted thousands of organizations worldwide, with over 3,000 compromised entities in the United States alone and global victims impacting millions across diverse sectors including healthcare, finance, government, education, and manufacturing.[2][6][1] Its campaigns have caused substantial financial damage, with estimates indicating revenues exceeding $500 million by 2021, and hundreds of millions more from subsequent high-profile exploits.[5][3]

Origins and Evolution
Clop ransomware first emerged in early 2019 as a rebranded variant of the CryptoMix ransomware family, initially distributed through large-scale spear-phishing campaigns orchestrated by the Russian-speaking cybercrime group TA505 (also known as FIN11).[2][3][6] This evolution from CryptoMix retained the core encryption mechanisms while introducing a distinctive .cl0p file extension and ransom notes demanding payment in Bitcoin.[2] TA505, a prolific threat actor known for malware distribution, leveraged Clop in malspam operations that compromised thousands of organizations globally, marking its debut as a financially motivated tool.[1]

A key evolutionary phase for Clop occurred in 2020, when it transitioned from pure file encryption to a double extortion model, exfiltrating sensitive data before encryption and threatening public leaks on its Tor-based "CL0P^_-LEAKS" site if ransoms went unpaid.[3][6] This shift, launched around March-April 2020, amplified its impact by increasing pressure on victims beyond data recovery.[3] By mid-2020, Clop fully adopted a Ransomware-as-a-Service (RaaS) model, enabling affiliates on the dark web to deploy it for a share of profits, which expanded its reach through diverse initial access brokers.[2][1] Notable malware updates in subsequent years integrated advanced evasion techniques to counter detection efforts, including digitally signed binaries to mimic legitimate software and bypass antivirus scanners.[6][7] Clop also incorporated anti-analysis tools, such as virtual machine detection to halt execution in sandboxes, and polymorphic code variants that altered file extensions and ransom note formats across iterations.[6][7] These enhancements allowed the malware to persist despite evolving defenses.

Internal changes within the TA505 group in 2021, including the arrest of six alleged members in Ukraine, prompted leadership shifts that refocused operations on more aggressive global targeting through zero-day exploits.[3] This restructuring followed a temporary slowdown but led to a resurgence; rumors of the group's dissolution circulated in 2022 amid reduced activity, but Clop operations rebounded strongly thereafter, maintaining the RaaS structure through 2025 with a focus on supply chain vulnerabilities and zero-day exploits. In recent years, Clop has increasingly prioritized data exfiltration and extortion over traditional encryption.[3][8][4]

Operations and Tactics
Ransomware-as-a-Service Model
Clop operates as a Ransomware-as-a-Service (RaaS) provider, where the core operators develop and maintain the ransomware infrastructure, supplying a toolkit to affiliates who execute the attacks on victim networks.[1] Affiliates, often experienced cybercriminals, handle initial access, deployment, and ransom collection, receiving a majority of the proceeds in a typical RaaS revenue-sharing arrangement while Clop developers retain a portion to cover development and support costs.[9] This model allows Clop to scale operations without direct involvement in every intrusion, leveraging a distributed network of partners similar to other Russian-speaking RaaS groups.[3]

Affiliate recruitment occurs through underground cybercriminal networks, where Clop operators target individuals with proven track records in cybercrime, including initial access brokers and exploit developers.[10] Potential affiliates undergo vetting to ensure reliability, focusing on those capable of breaching high-value targets while adhering to operational guidelines, such as avoiding attacks on organizations in Russian-speaking countries.[9] The provided toolkit features customizable encryptors for file encryption across networks, exfiltration utilities like the DEWMODE web shell for data theft prior to encryption, and dedicated infrastructure for hosting leak sites, including the Cl0p^_-Leaks portal to publicize stolen information.[3] Additional components include remote access tools such as Cobalt Strike and SDBot for persistence, enabling affiliates to tailor attacks to specific environments while benefiting from developer-provided updates and technical support.[1]

Clop sustains its RaaS operations through rigorous operational security practices, such as deploying digitally signed binaries to evade detection and clearing system logs to hinder forensic analysis.[3] Frequent updates to the malware codebase and tactics, techniques, and procedures (TTPs) help circumvent antivirus solutions and adapt to defensive measures, as seen in responses to law enforcement disruptions like the 2021 arrests of alleged members.[3] The group avoids exit scams by prioritizing reputation management, fostering trust among affiliates through consistent payouts and transparent rules, which supports long-term profitability in the competitive RaaS ecosystem.[9] As of 2025, Clop's tactics continue to emphasize exploitation of zero-day vulnerabilities in managed file transfer and enterprise software for initial access and data exfiltration.[1]

Extortion and Data Theft Methods
Clop ransomware operators employ a double extortion strategy, beginning with initial network infiltration through methods such as phishing emails or exploitation of unpatched vulnerabilities, followed by extensive data exfiltration, often involving terabytes of sensitive information, before deploying encryption as an additional layer of leverage to compel payment.[1][6][4] This process allows attackers to deny victims access to their data while simultaneously threatening public disclosure of stolen materials, increasing pressure regardless of whether decryption is sought.[11][7]

For initial access and lateral movement, Clop actors frequently utilize tools like Cobalt Strike beacons to expand network footholds and conduct reconnaissance, alongside custom malware variants such as FlawedAmmyy (also known as FlawedGrace) and SDBot remote access trojans (RATs) for persistent control and data collection.[1][6][11] Data exfiltration is facilitated by specialized payloads, including web shells like DEWMODE and LEMURLOOT, which enable interaction with databases and bulk theft from targeted systems.[1][6] These operations often target unpatched vulnerabilities in file transfer software, such as SQL injection flaws in legacy appliances, allowing attackers to deploy backdoors for sustained access and theft without immediate detection.[11][4][7]

To enforce compliance, Clop employs aggressive psychological tactics, issuing ransom demands typically starting in the millions of U.S. dollars and payable in cryptocurrency, with negotiations conducted via unique victim-specific URLs or email threads directed at executives.[6][7] Unpaid ransoms trigger timed data leaks on a dedicated Tor-based site, Cl0p^_-LEAKS, where portions of exfiltrated information are progressively published to escalate reputational damage and urgency, sometimes accompanied by auctions of the remaining data.[1][11][6] Evasion is prioritized through obfuscated command-and-control (C2) communications, often routed via proxies and tools like TinyMet to mask attacker infrastructure, while custom scripts disable endpoint security, delete backups, and apply techniques such as application shimming or DLL side-loading to bypass antivirus detection.[1][11][4] These methods integrate with Clop's Ransomware-as-a-Service model, where affiliates share profits from successful extortions.[11]

Notable Campaigns
Early Exploits (2019–2022)
Cl0p ransomware first emerged in February 2019 as a variant of the CryptoMix malware, operated by the cybercriminal group TA505, and initially targeted small and medium-sized businesses through malvertising campaigns and spear-phishing emails that delivered payloads like SDBot and FlawedGrace to Windows systems.[12][3][13] Early infections relied on malicious email attachments and compromised websites to gain initial access, with the ransomware encrypting files and appending the .clop extension while displaying ransom notes demanding payments typically in Bitcoin.[3] These initial demands were relatively modest compared to later operations, focusing on quick payouts from less defended targets to establish the group's foothold.[4]

In 2020, Cl0p expanded its scope to larger enterprises, capitalizing on COVID-19-related supply chain disruptions that heightened vulnerabilities in remote work environments and essential services.[4] Notable attacks included a pharmaceutical company in April, where data theft preceded encryption, marking an early shift toward double extortion tactics that combined file locking with threats to leak stolen information.[3] The group also targeted healthcare providers in Europe, exploiting the sector's strained resources during the pandemic to demand ransoms in the millions, as seen in infections affecting U.S. healthcare entities as well.[12][4] By mid-2020, Cl0p launched its dark web leak site, "Cl0p^_-Leaks," to publicize stolen data from non-paying victims, enhancing pressure and notoriety.[12][3]

From 2021 to 2022, Cl0p intensified operations against U.S. critical infrastructure, including energy and manufacturing sectors, with attacks on organizations like Shell in 2021 that disrupted operations and led to significant extortion attempts.[4] The group increasingly used Qakbot malware as an initial access vector starting in 2020 and continuing through this period, facilitating lateral movement via tools like Cobalt Strike and FlawedAmmyy.[12] By late 2021, Cl0p had claimed over 100 victims globally, with total ransom payouts exceeding $500 million and average demands reaching approximately $220,000 in the first quarter of that year alone.[12][3] Exploits of vulnerabilities, such as in Accellion file transfer appliances (CVE-2021-27101) and SolarWinds Serv-U in November 2021, enabled broader network compromises.[3][13] During this early phase, Cl0p refined its leak site operations, beginning public data dumps in early 2020 but escalating in late 2021 with more structured releases to build operational notoriety and deter non-payment, laying the groundwork for its ransomware-as-a-service model and double extortion evolution.[4][3]

MOVEit Transfer Breach (2023)
In May 2023, the Clop ransomware group exploited a zero-day SQL injection vulnerability (CVE-2023-34362) in Progress Software's MOVEit Transfer file transfer application, enabling unauthorized access to database files containing sensitive user data.[1][14] This critical flaw, present in versions including 2021.0 through 2023.0, allowed attackers to execute remote code and deploy a custom web shell known as LEMURLOOT (disguised as human2.aspx) for persistent access and data exfiltration.[15][16] The campaign began with mass scanning for vulnerable internet-facing MOVEit instances as early as May 15–22, 2023, followed by widespread exploitation starting May 27–28, before Progress Software publicly disclosed the issue on May 31.[17][16] Clop affiliates, operating under the group's ransomware-as-a-service model, targeted over 2,500 exposed servers identified via tools like Shodan, injecting SQL commands through the moveitisapi.dll component to extract files without deploying traditional ransomware encryption.[15]

On June 5, 2023, Clop publicly claimed responsibility via their dark web leak site, threatening to release stolen data unless victims paid ransoms through negotiation channels like unlock@rsv-box[.]com.[17][1] The breach affected over 2,600 organizations across more than 60 countries, compromising data on tens of millions of individuals, including government agencies, financial institutions, and corporations.[18][19] Notable victims included British Airways, the BBC, Boots UK, and various U.S. entities such as pension providers and the Department of Energy, where exfiltrated data encompassed personal records like names, Social Security numbers, and financial details; for instance, millions of rows from U.S. pension funds were stolen in targeted extractions.[16][20] Progress Software issued an initial patch on June 9, 2023, but subsequent vulnerabilities (e.g., CVE-2023-35036) were disclosed, leading to partial mitigations and ongoing exploitation attempts.[16] Clop continued leaking data from non-paying victims on their Tor-based CL0P^_-LEAKS site into late 2023, with over 420 victims listed as of July 2023 and ransoms negotiated individually to avoid publication.[1][21] Analysts estimated the operation could yield up to $100 million in extortion payments for Clop, based on a small number of high-value settlements amid the campaign's scale.[22][23]

Oracle E-Business Suite Exploitation (2025)
In September 2025, the Clop ransomware group initiated a widespread extortion campaign targeting Oracle E-Business Suite (EBS), exploiting a zero-day vulnerability designated as CVE-2025-61882, which allowed unauthorized remote access to sensitive data without authentication.[24] This flaw, part of a series addressed in Oracle's July 2025 Critical Patch Update but actively exploited prior to full disclosure, enabled attackers to steal executive credentials, customer records, and financial information from unpatched EBS instances.[25] The campaign echoed tactics used in Clop's prior MOVEit Transfer breaches, such as mass exploitation of supply chain software for data exfiltration.[26] Extortion emails began circulating on September 29, 2025, with Clop claiming to have compromised over 1,000 EBS instances and exfiltrated terabytes of data, including personally identifiable information and proprietary documents.[25] By October 2025, the group demanded ransoms of up to $50 million per victim to prevent data publication on their leak site.[27]

Notable victims confirmed as of November 2025 include The Washington Post, where nearly 10,000 employee and contractor records containing Social Security numbers and banking details were stolen; Logitech; Cox Enterprises; Harvard University; Envoy Air; and the UK National Health Service (NHS).[27] Clop's dedicated leak site listed over 30 entities by mid-November, spanning sectors like media, manufacturing, education, aviation, and healthcare, with initial data dumps from at least 18 victims totaling hundreds of gigabytes to terabytes.[28][29] Google Threat Intelligence and Mandiant attributed the operation to Clop based on consistent tactics, techniques, and procedures (TTPs), including high-volume phishing from compromised email accounts and exploitation of internet-facing EBS servers via endpoints like /OA_HTML/configurator/UiServlet.[25] In response, Oracle issued emergency patches for CVE-2025-61882 and a related flaw (CVE-2025-61884) on October 4 and 11, 2025, respectively, urging immediate application to mitigate ongoing risks.[24] As of November 15, 2025, the campaign remains active, with continued data releases from non-paying victims and warnings from cybersecurity firms like CrowdStrike about persistent scanning for vulnerable systems.[30]
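Defensive triage of the two request paths named in this section and in the MOVEit section, as an added example that is not part of the article or any vendor's tooling: it parses an IIS W3C access log (the format a MOVEit Transfer host writes) and an Apache combined-format log (as written by the Oracle HTTP Server fronting EBS), reports requests for human2.aspx and /OA_HTML/configurator/UiServlet, and counts hits per source IP so that mass scanning from one address stands out. The log lines and IP addresses are constructed, and because UiServlet is a legitimate EBS endpoint, its hits are reported for review rather than flagged as malicious.

```python
"""Triage web-server access logs for the two Clop-linked request paths the article names:
human2.aspx (LEMURLOOT web shell, MOVEit Transfer 2023) and /OA_HTML/configurator/UiServlet
(Oracle E-Business Suite 2025). Added example, not the article's or any vendor's code."""
import re
from collections import Counter

# Apache-style "combined" format, as written by the Oracle HTTP Server in front of EBS.
COMBINED_RE = re.compile(r'^(?P<c_ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<cs_method>[A-Z]+) '
                         r'(?P<cs_uri_stem>\S+) \S+" (?P<sc_status>\d{3})')
# human2.aspx is not a legitimate MOVEit page, so any request for it is high confidence.
# UiServlet is a real EBS endpoint, so those hits are queued for review, not called malicious.
INDICATORS = {
    "human2.aspx": ("high", "LEMURLOOT web shell, MOVEit Transfer (CVE-2023-34362)"),
    "/oa_html/configurator/uiservlet": ("review", "Oracle EBS endpoint (CVE-2025-61882)"),
}

def parse_log(text):
    """Yield request records from an IIS W3C log (field names taken from its #Fields:
    directive, hyphens mapped to underscores) or from an Apache combined-format log."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.replace("-", "_") for f in line.split()[1:]]
        elif line.startswith("#") or not line.strip():
            continue                      # other W3C directives and blank lines
        elif fields:
            yield dict(zip(fields, line.split()))
        else:
            m = COMBINED_RE.match(line)
            if m:
                yield m.groupdict()

def triage(text):
    """Return (hits, per_ip): matching requests plus hit counts per client IP,
    so that mass scanning from a single source stands out."""
    hits, per_ip = [], Counter()
    for rec in parse_log(text):
        stem = rec.get("cs_uri_stem", "")
        path = stem.split("?", 1)[0].lower()   # drop query string, compare case-insensitively
        for needle, (confidence, desc) in INDICATORS.items():
            if needle in path:
                note = desc
                if confidence == "high" and rec.get("sc_status") == "200":
                    note += "; request served, shell likely present"
                hits.append({"ip": rec.get("c_ip"), "method": rec.get("cs_method"),
                             "path": stem, "status": rec.get("sc_status"),
                             "confidence": confidence, "note": note})
                per_ip[rec.get("c_ip")] += 1
    return hits, per_ip
# Constructed samples (documentation IP ranges, not real indicators): an IIS W3C excerpt
# from a MOVEit host and a combined-format excerpt from an EBS front end.
MOVEIT_IIS_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-05-28 03:14:15 10.0.0.5 GET /human.aspx - 443 - 198.51.100.20 Mozilla/5.0 200
2023-05-28 03:14:19 10.0.0.5 POST /human2.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2023-05-28 03:14:21 10.0.0.5 GET /human2.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
"""
EBS_OHS_LOG = """203.0.113.9 - - [30/Sep/2025:02:01:44 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 512
203.0.113.9 - - [30/Sep/2025:02:01:45 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 2048
"""
```

Call `triage(open(path).read())` on a real log; a 200 response to human2.aspx means the web shell answered, whereas a 404 only shows that the host was probed.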