THREAT ACTOR: Cl0p

THREAT LEVEL: 7.7
EMERGENCE DATE: Feb 2019
CATEGORY: Hybrid Ransomware Operation
AFFILIATIONS: Operated by TA505 (also known as FIN11 and Graceful Spider), an established Russian-speaking cybercriminal collective. Connections to the UNC2546/UNC2582 affiliates. Evolved from the CryptoMix ransomware variant.

DESCRIPTION

Cl0p emerged in February 2019 and quickly established itself as one of the most prolific and financially successful ransomware operations globally. Operating under the Ransomware-as-a-Service (RaaS) model through the established TA505 collective, Cl0p has generated over $500 million in extorted payments and compromised more than 11,000 organizations worldwide. The group's strategic shift from traditional encryption-based operations to sophisticated data-theft-centric campaigns that target supply chain vulnerabilities has redefined modern ransomware tactics.

CRITICALITY
Assesses the importance of the potential target, including its size/scale, the value of its data, and the operational impact.
LETHALITY
Evaluates the potential for damage from an attack, including the ability to disrupt operations, cause financial loss, and damage public brand image.
AGGRESSIVENESS
Assesses the psychological and tactical intensity of the group's behavior, including targeted harassment, violent language, blackmail, and political motives.

Classifications & Affiliations

Type of Actor: Ransomware-as-a-Service (RaaS)

Cl0p operates through the established TA505 collective. The group maintains a sophisticated hybrid structure where the core TA505 team handles malware development, zero-day acquisition, and infrastructure management, while an extensive affiliate network executes attacks in exchange for profit-sharing arrangements. TA505 operates multiple business models including RaaS operations, initial access broker (IAB) services, and large-scale botnet operations.

Current Status: Cl0p maintains exceptional operational tempo, becoming one of the most prolific ransomware groups globally in Q1 2025 with nearly 400 publicly named victims. The group's recent campaigns, particularly the Cleo platform exploitation affecting over 300 organizations and the MOVEit Transfer campaign compromising 130+ organizations, demonstrate continued operational expansion and technical sophistication.

Threat Level: 7.7

Origins and Methodology

This ransomware operation has matured rapidly, showing exceptional technical sophistication and strategic evolution. Having evolved from CryptoMix ransomware, the group employs cross-platform capabilities and zero-day exploitation to target critical sectors with precision. Through multi-vector approaches and supply chain attacks, its operations reflect a high-impact strategy aimed at mass victimization across diverse technological environments.

Driven by financial motives, the strategy centers on exploiting widely used file transfer platforms through zero-day vulnerabilities to achieve mass victimization. The group's precision in targeting high-value organizations holding sensitive data, combined with aggressive extortion tactics including public data leaks and direct victim outreach, has made it one of the most active ransomware groups globally in 2025.

What is the Evolution of Cl0p Ransomware?

1. Formation

Initially, Cl0p targeted Windows systems with traditional spear-phishing campaigns using macro-enabled documents, employing the Get2 malware dropper to deliver SDBot and FlawedGrace. The group quickly adapted its architecture to encompass zero-day exploitation of file transfer platforms.

2. Evolution

Moving from encryption-focused operations to data-theft-centric campaigns heightened Cl0p's effectiveness against enterprise infrastructures. This progression allowed the group to concentrate on high-value targets that depend on sensitive data and operational continuity.

3. Lineage/Connections

Shared infrastructure and tactical similarities suggest strong connections between Cl0p and the broader TA505 ecosystem.

Which Unique Techniques Does Cl0p Use?

TECHNIQUE / DETAILS

Infection Vectors: For initial access, Cl0p exploits zero-day vulnerabilities in widely deployed file transfer platforms, uses spear-phishing with malicious attachments, and exploits public-facing applications. This approach enables mass victimization through supply chain attacks.

Target Selection: Sectors with high-value data and operational sensitivity, such as healthcare, finance, education, supply chain, and manufacturing, are Cl0p's primary focus, chosen to maximize leverage in ransom negotiations.

Operational Complexity: Cl0p's campaigns are distinguished by sophisticated zero-day weaponization, multi-stage web shell deployment, and coordinated affiliate operations. To maximize impact, Cl0p systematically targets critical infrastructure and enterprise platforms, enabling sustained access and mass data exfiltration.

Primary Coding Languages: Initially built in C++, Cl0p uses PowerShell for lateral movement, C# for specialized tools such as LEMURLOOT, and JavaScript for web shell components.

Key Features & Technical Details

Cl0p's ransomware exhibits mature technical capabilities: strong encryption standards, secure exfiltration methods, and well-structured communication protocols. The group applies AES-256 and RSA encryption to lock files against unauthorized decryption, while exfiltrated data supports a quadruple extortion strategy with exposure threats on its Tor-based portal, CL0P^_-LEAKS.

FEATURE / DETAILS

Unique Ransomware Features: Hybrid encryption combining AES-256 and RSA; appends extensions such as ".CI_0P" and ".clop" to encrypted files. Cross-platform variants enable targeting of both Windows and Linux environments.

Monetization Strategies: Quadruple extortion model: data encryption, data theft, public exposure threats, and direct victim/partner outreach. Ransom demands vary with organization size, with a trend toward lower demands in data-theft-only attacks.

Cryptographic Signatures: AES-256 with RSA key exchange in Windows variants; a flawed RC4 implementation in Linux variants enables free decryption.

Malware Signatures: LEMURLOOT C# web shell for MOVEit Transfer, DEWMODE PHP web shell for Accellion FTA, and the mutex string )(%QU#jimf0932ijrkpo32jr3lfwe

Communication Style: Conducts negotiations on a Tor-based portal using unique victim codes. Direct executive outreach and business partner contact are used for pressure escalation.

Activities

Which Industries Are Most Vulnerable to Cl0p?

The group's influence extends across critical sectors including supply chain/logistics (20% above the industry average), healthcare, financial services, manufacturing, and education. These are areas where data sensitivity and uninterrupted operations are crucial. The group shows a strong geographic preference for North American organizations, targeting them at rates significantly above industry averages.

Modus Operandi

Cl0p employs a structured multi-phase approach to achieve maximum disruption and financial gain. Their TTPs (tactics, techniques, and procedures) are designed to exploit supply chain vulnerabilities and evade detection. The group's campaigns begin with zero-day exploitation of file transfer platforms, followed by web shell deployment for persistent access. Cl0p executes PowerShell-based reconnaissance and deploys tools like SDBot and TinyMet for command execution. The operation culminates in mass data exfiltration before optional encryption deployment.

Details:

- Zero-day vulnerabilities in file transfer platforms (CVE-2023-34362, CVE-2024-50623, CVE-2023-0669); large-volume spear-phishing campaigns targeting organizational employees
- Truebot for sensitive data collection and reconnaissance; screen capture capabilities
- SDBot backdoor; TinyMet for reverse shell establishment; FlawedGrace deployment
- Truebot for shellcode loading and evasion; indicator removal and trace deletion post-execution
- Active Directory compromise techniques
- C2 servers for TinyMet reverse shells; extensive infrastructure documented in CISA Advisory AA23-158A
- SMB/Windows Admin Shares exploitation; Cobalt Strike beacons for network traversal
- Data exfiltration via command and control channels before encryption
- LEMURLOOT web shell (MOVEit) and DEWMODE web shell (Accellion) for sustained access
- Mass victimization through supply chain attacks; focus on data sensitivity and operational disruption
- AES-256 with RSA key exchange; appends ".CI_0P" or ".clop" extensions
- Quadruple extortion model; Tor-based portal negotiations; direct executive outreach; CL0P^_-LEAKS data leak site
- Indicator removal and trace deletion to avoid detection

Indicators of Compromise (IOCs)

Key Indicators of Compromise help identify the threat actor's operations within networks, particularly the file hashes, web shell indicators, and infrastructure patterns tied to the group's ransomware operations.

INDICATOR / DETAILS

File Hashes:
SHA-256: 3a977446ed70b02864ef8cfa3135d8b134c93ef868a4cc0aa5d3c2a74545725b (LEMURLOOT web shell)
SHA-256: 0b3220b11698b1436d1d866ac07cc90018e59884e91a8cb71ef8924309f1e0e9 (human2.aspx variant)

Web Shell Indicators:
LEMURLOOT: human2.aspx and variants, with the authentication header X-siLock-Comment
DEWMODE: PHP-based web shell targeting Accellion FTA devices

Communication Infrastructure:
Email addresses: unlock@rsv-box[.]com, unlock@support-mult[.]com
C2 infrastructure: extensive IP address listings documented in CISA Advisory AA23-158A
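The indicators in this section, together with the mutex string listed under Malware Signatures, matched against sample data by a small hunting script. This is an added example, not tooling from the profile: the two SHA-256 hashes, the human2.aspx path, the X-siLock-Comment header, the mutex string and the ".CI_0P"/".clop" extensions are quoted from the page, while the log lines, other file digests and other mutex names are constructed.

```python
"""Added example: hunt for the Cl0p IoCs quoted in the profile above in constructed sample data."""
import hashlib
import re

# Indicators quoted from the profile above; everything else in this file is constructed.
KNOWN_HASHES = {
    "3a977446ed70b02864ef8cfa3135d8b134c93ef868a4cc0aa5d3c2a74545725b": "LEMURLOOT web shell",
    "0b3220b11698b1436d1d866ac07cc90018e59884e91a8cb71ef8924309f1e0e9": "human2.aspx variant",
}
WEBSHELL_PATH = re.compile(r"/human2\.aspx\b", re.IGNORECASE)
WEBSHELL_HEADER = "x-silock-comment"
CLOP_MUTEX = ")(%QU#jimf0932ijrkpo32jr3lfwe"
RANSOM_EXTENSIONS = (".ci_0p", ".clop")

# Constructed web server log lines (not real traffic): client, method, path, one header.
SAMPLE_LOG = [
    '10.0.0.5 GET /human.aspx "User-Agent: Mozilla/5.0"',
    '203.0.113.9 POST /human2.aspx "X-siLock-Comment: 0d5e"',
    '198.51.100.7 GET /human2.aspx "User-Agent: curl/8.0"',
    '10.0.0.8 GET /api/v1/folders "User-Agent: Mozilla/5.0"',
]

def scan_log_line(line: str) -> list:
    """Return why a log line matches the LEMURLOOT pattern (empty list if clean)."""
    reasons = []
    if WEBSHELL_PATH.search(line):
        reasons.append("request to human2.aspx")
    if WEBSHELL_HEADER in line.lower():
        reasons.append("X-siLock-Comment header present")
    return reasons

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def classify_file(name: str, sha256: str) -> list:
    """Flag a file by a known SHA-256 digest or by a Cl0p ransom extension."""
    reasons = []
    if sha256.lower() in KNOWN_HASHES:
        reasons.append(f"known hash: {KNOWN_HASHES[sha256.lower()]}")
    if name.lower().endswith(RANSOM_EXTENSIONS):
        reasons.append("Cl0p encrypted-file extension")
    return reasons

def hunt(log_lines, files, mutexes=()) -> dict:
    """Collect every matching log line, file (name -> sha256) and mutex name with its reasons."""
    hits = {line: r for line in log_lines if (r := scan_log_line(line))}
    hits.update({n: r for n, d in files.items() if (r := classify_file(n, d))})
    hits.update({m: ["Cl0p mutex"] for m in mutexes if m == CLOP_MUTEX})
    return hits
```

Feed it real web server logs and a file inventory with precomputed digests to get the same reasons per hit; the header check is deliberately substring-based so it also catches the header when it is logged in a different field order.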

Exploits and Vulnerabilities

CVE / CVSS / DESCRIPTION

MOVEit Transfer SQL Injection (CVE-2023-34362, CVSS 10.0): Critical SQL injection vulnerability enabling privilege escalation, database access, and web shell deployment. Exploited for LEMURLOOT installation and mass data exfiltration.

Cleo Platform Remote Code Execution (CVE-2024-50623, CVSS 9.8): Remote code execution vulnerability in Cleo LexiCom, VLTrader, and Harmony products enabling unauthorized access and data theft, affecting 300+ organizations.

GoAnywhere MFT Vulnerability (CVE-2023-0669, CVSS 7.2): Zero-day vulnerability in the GoAnywhere MFT platform enabling rapid mass exploitation of 130 victims over 10 days.

Accellion FTA Vulnerability (CVE-2021-27101, CVSS 9.8): Critical vulnerability in the Accellion File Transfer Appliance enabling DEWMODE web shell deployment and data exfiltration.