'Ransomware in focus' is our series unravelling the complexities of ransomware groups throughout the ecosystem. By detailing their business strategies, target victims, and the tactics, techniques, and procedures (TTPs) behind their operations, we hope to arm businesses with essential knowledge required to confront and overcome the challenges posed by ransomware. In this instalment, James Tytler examines the operations of Cl0p.
Background
Cl0p is a sophisticated cybercriminal group that was first detected in February 2019 and has operated a dark web leak site since December 2020. As such, Cl0p is one of the longest continuously running cyber extortion groups operating under the same name. The group has largely shifted away from encrypting data but is still often described as a ‘ransomware’ group. Cl0p distinguishes itself from other extortion operations by strategically targeting high-value organizations and prioritizing vulnerabilities in widely deployed, internet-facing services, enabling large-scale supply chain attacks.
Motivations
Cl0p is a financially motivated group that opportunistically targets all sectors. It exfiltrates sensitive information from targets and monetises it through extortion. Cl0p is currently one of the most active groups in terms of the number of victims claimed on its dark web leak site.
Business model
Since 2021, Cl0p has largely shifted its operational model towards data extortion only, focusing on zero-day software vulnerabilities in file transfer software that allow it to compromise numerous companies at once and hold their data to ransom en masse. Cl0p does still have a ransomware encryption binary and occasionally encrypts data for impact.
Cl0p has been historically described as a Ransomware-as-a-Service group, and it does appear to have operated in this manner. There is no recent public information about whether they currently operate an open affiliate model.
History and group affiliations
The developers and operators of Cl0p ransomware appear to have been active in the ransomware and eCrime space for over a decade, making them one of the most established and experienced groups. The original Cl0p ransomware strain is a variant of the CryptoMix malware, which was first detected in 2016. Cl0p ransomware has been deployed by the cybercriminal activity groups tracked separately by security researchers as Lace Tempest/DEV-0950, TA505 and FIN11, with activity going back to at least 2014.
Cl0p does not have any clear affiliations with other established RaaS groups.
Victimology
Since their emergence in February 2019, Cl0p has targeted victims in a wide range of sectors, but the vast majority of victims are United States businesses. Since 2023 they have sporadically posted large numbers of victims following their exploitation of software vulnerabilities. Long periods of inactivity have been observed between threat campaigns.
Approximately 2,620 victims were impacted by the MOVEit attack.
Figure 1. Proportion of victims posted on leak site by country since December 2020. Source: ecrime.ch
Notable attacks
- In December 2024, Cl0p compromised dozens of corporate networks by exploiting two software vulnerabilities in Cleo’s Harmony, VLTrader and LexiCom file transfer products.
- In late May and June 2023, Cl0p exploited a zero-day software vulnerability in MOVEit Transfer and MOVEit Cloud to compromise hundreds of corporate networks directly, with the total number of affected organisations later estimated at around 2,620.
- In February 2023, Cl0p exploited a software vulnerability in the GoAnywhere MFT secure file transfer tool, claiming to have stolen data from around 130 organizations.
Number of victims posted to leak site per month since January 2023
Figure 2. Source: ecrime.ch
*Data based on victims posted to the actor’s leak site, and thus unlikely to be comprehensive of all victims.
Initial access
Cl0p has recently gained access to sensitive data on corporate networks by exploiting pre-authentication vulnerabilities, including SQL injection and authentication bypass flaws, in various file transfer and IT management applications (Cleo: CVE-2024-50623 and CVE-2024-55956; MOVEit: CVE-2023-34362; GoAnywhere: CVE-2023-0669; SysAid: CVE-2023-47246). These vulnerabilities were exploited en masse as zero-days, often within hours of the first exploitation attempts and before a vendor patch was available. Cl0p has also historically gained access to corporate networks via large-scale spear-phishing campaigns with malware droppers embedded in attached documents.
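To make the initial-access pattern above concrete from the defender's side, here is an added Python triage script; it is not S-RM's code or anything from the original article. It scans IIS W3C access logs from an internet-facing file-transfer server for the three traces these mass-exploitation campaigns tend to leave: a server-side page that was not in the application's baseline being requested (a dropped webshell), successful downloads served with no authenticated username (what an authentication bypass looks like in the log), and a single client pulling an unusual volume of files. The sample log is constructed; the attacker lines are modelled on the publicly reported MOVEit Transfer pattern (the human2.aspx webshell), but the logic does not depend on any specific indicator. The baseline page set and the 256 MiB threshold are assumptions to tune per environment.

```python
"""Triage IIS W3C logs from an internet-facing file-transfer server.

Added illustrative example (not S-RM's or the article's own code). Looks for:
  1. a server-side page (.aspx/.ashx/.asmx/.dll) requested that was not in the
     application's pre-incident baseline  -> possible dropped webshell;
  2. successful file downloads served with no authenticated username
     -> what an authentication-bypass bug looks like in the access log;
  3. any single client whose successful GET responses exceed a byte threshold
     -> the bulk-download phase.
Field layout follows the IIS W3C extended format declared in the #Fields line.
"""
from collections import defaultdict

# Constructed sample log, not real traffic. The last four lines are modelled on
# the publicly reported MOVEit Transfer pattern (POST to the ISAPI handler, then
# the dropped human2.aspx page, then large downloads with no username).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-bytes
2023-06-01 08:01:10 10.0.0.5 GET /human.aspx - 443 alice 203.0.113.10 Mozilla/5.0 200 5120
2023-06-01 08:02:30 10.0.0.5 GET /api/v1/files/101/download - 443 alice 203.0.113.10 Mozilla/5.0 200 2097152
2023-06-01 08:15:02 10.0.0.5 POST /api/v1/files - 443 bob 203.0.113.22 Mozilla/5.0 201 310
2023-06-01 08:16:44 10.0.0.5 GET /api/v1/files/102/download - 443 bob 203.0.113.22 Mozilla/5.0 200 1048576
2023-06-01 23:40:01 10.0.0.5 POST /moveitisapi/moveitisapi.dll action=m2 443 - 198.51.100.7 Mozilla/5.0 200 0
2023-06-01 23:40:03 10.0.0.5 GET /human2.aspx - 443 - 198.51.100.7 Mozilla/5.0 200 14
2023-06-01 23:41:10 10.0.0.5 GET /api/v1/files/103/download - 443 - 198.51.100.7 python-requests/2.31 200 524288000
2023-06-01 23:41:40 10.0.0.5 GET /api/v1/files/104/download - 443 - 198.51.100.7 python-requests/2.31 200 734003200
"""

# Assumed baseline: the server-side pages the product legitimately exposes.
# Build the real one from a known-good install, not from the incident logs.
BASELINE_PAGES = {"/human.aspx", "/guestaccess.aspx", "/moveitisapi/moveitisapi.dll"}
SERVER_SIDE_EXT = (".aspx", ".ashx", ".asmx", ".dll")
BULK_THRESHOLD = 256 * 2**20  # assumed 256 MiB; tune to the server's normal daily egress


def parse_w3c(text):
    """Parse W3C log text into dicts keyed by the names in the #Fields directive."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            parts = line.split()
            if len(parts) == len(fields):
                records.append(dict(zip(fields, parts)))
    return records


def unknown_server_pages(records, baseline=BASELINE_PAGES):
    """Map each non-baseline server-side page to the client IPs that requested it."""
    hits = defaultdict(set)
    for r in records:
        stem = r["cs-uri-stem"].lower()
        if stem.endswith(SERVER_SIDE_EXT) and stem not in baseline:
            hits[stem].add(r["c-ip"])
    return {stem: sorted(ips) for stem, ips in hits.items()}


def unauthenticated_downloads(records):
    """Successful download requests where IIS recorded no authenticated user."""
    return [r for r in records
            if r["cs-username"] == "-" and r["sc-status"] == "200"
            and r["cs-uri-stem"].endswith("/download")]


def bulk_downloaders(records, threshold=BULK_THRESHOLD):
    """Client IPs whose successful GET responses total more than the threshold."""
    totals = defaultdict(int)
    for r in records:
        if r["cs-method"] == "GET" and r["sc-status"] == "200":
            totals[r["c-ip"]] += int(r["sc-bytes"])
    return {ip: b for ip, b in totals.items() if b > threshold}


def triage(text, baseline=BASELINE_PAGES, threshold=BULK_THRESHOLD):
    """Run all three checks over a log and return the findings."""
    recs = parse_w3c(text)
    return {
        "unknown_pages": unknown_server_pages(recs, baseline),
        "unauth_downloads": sorted({r["c-ip"] for r in unauthenticated_downloads(recs)}),
        "bulk_downloaders": bulk_downloaders(recs, threshold),
    }


if __name__ == "__main__":
    for check, finding in triage(SAMPLE_LOG).items():
        print(f"{check}: {finding}")
```

On the sample log the script flags one unknown page (/human2.aspx), one client downloading without a session, and the same client as the only bulk downloader. The three checks are deliberately independent: a webshell name changes between campaigns, but an unauthenticated bulk pull from a file-transfer server is the behaviour every one of the campaigns listed above had in common, so the volume and no-username checks are the ones worth keeping running after the specific indicators have been retired.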
Propagation
In recent campaigns, Cl0p has remained singularly focused on mass data exfiltration and has not been observed moving laterally within networks, establishing persistence, or deploying ransomware. When it does seek a more permanent foothold, Cl0p exhibits the TTPs common to ransomware operators: it often moves around victims’ networks using the remote desktop protocol, and S-RM has observed Cl0p using a cracked version of the post-exploitation framework Cobalt Strike to establish command and control.
Encryption
Cl0p does have a ransomware executable and occasionally encrypts data as an extortion tactic. However, many recent attacks have only involved data extortion without encryption.
Extortion
Cl0p demands ransom payments in cryptocurrency and threatens to publish exfiltrated data on their leak site if payment is not received. Initial demands vary significantly based on the victim’s size and perceived willingness to pay. Notably, the group has lowered its average ransom demands in attacks involving data exfiltration alone, suggesting a strategic shift toward prioritizing volume over individual payout size.
To pressure victims into payment, Cl0p has posted samples of stolen data on its leak site and imposed strict negotiation deadlines to threaten full exposure. In some cases, the group has directly contacted customers or business partners of the victim organization to disclose the breach—further escalating reputational pressure and coercing the victim to engage.