Origins and Evolution
Cl0p (stylised as “Cl0p” in the group’s own communications, also written as “CLOP”) emerged in early 2019 as a rebrand of the CryptoMix ransomware strain. Unlike most ransomware operations that evolved from commodity crime to targeted enterprise attacks, Cl0p’s criminal operators — assessed to be based in Russia and Ukraine — were sophisticated from the outset, deploying the ransomware through an established initial access broker relationship with the TA505/FIN11 threat group, which had been active in financial cybercrime since at least 2014.
The defining shift in Cl0p’s operational model came in 2021, when the group pioneered what would become its signature methodology: identifying zero-day vulnerabilities in widely deployed enterprise software platforms and exploiting them at mass scale to harvest data from hundreds of organisations simultaneously, then extorting them all at once. This “one-to-many” exploitation model is fundamentally different from the per-organisation RaaS affiliate model used by most ransomware groups, and it has proven extraordinarily profitable.
Technical Profile and TTPs
The Mass Exploitation Playbook
Cl0p’s operational approach follows a consistent pattern that has repeated across multiple major campaigns:
-
Zero-day research or acquisition: Identify a high-value vulnerability in widely deployed enterprise software. Cl0p appears to either conduct original vulnerability research or purchase zero-days from brokers with specific instructions to focus on file transfer and business application platforms.
-
Silent pre-patch exploitation: Exploit the vulnerability at scale before the vendor is aware or before a patch is available. The Oracle EBS campaign (CVE-2025-61882) was exploited for at least two months before the patch shipped.
-
Data exfiltration only, no encryption: In most campaigns since 2021, Cl0p has not deployed file-encrypting ransomware at victim organisations. Instead, they exfiltrate sensitive data (employee records, customer PII, financial data, intellectual property) and threaten to publish it on their leak site unless a ransom is paid.
-
Mass extortion notification: Victims are notified by email — sometimes using executive email addresses obtained from the breach — with a deadline to pay. Organisations that don’t pay within the deadline have their data published on Cl0p’s darknet leak site.
Lateral Movement and Persistence
In campaigns where Cl0p has deployed ransomware (earlier operations and in some healthcare sector targeting), the group uses:
- Cobalt Strike beacons for C2 and lateral movement
- DEWMODE: a custom PHP webshell deployed to compromised web servers
- TRUEBOT: downloader malware used to establish initial foothold and deploy additional tools
- FlawedAmmyy / FlawedGrace RAT: remote access trojans associated with the TA505 connection
- SDBot: IRC-based backdoor used for persistence across network segments
For data exfiltration, Cl0p uses secure transfer utilities (including legitimate products like WinSCP, rclone, and MEGAsync) to stage and transfer compressed archives to attacker infrastructure or cloud storage.
Major Campaign History
Accellion FTA (2020-2021)
Cl0p exploited four zero-day vulnerabilities in Accellion’s legacy File Transfer Appliance (FTA), breaching over 100 organisations including Singtel, Reserve Bank of New Zealand, Shell, the University of California, and dozens of law firms. This campaign established the mass-exploitation-for-extortion model.
GoAnywhere MFT (2023)
CVE-2023-0669, a zero-day in Fortra’s GoAnywhere managed file transfer software, was exploited by Cl0p to breach over 130 organisations in approximately 10 days. Victims included Procter & Gamble, Virgin Red, Hitachi Energy, and UK pension provider Capita. Cl0p published the GoAnywhere zero-day details on its darknet site only after exploitation was underway — a deliberate tactic to prevent rapid patching.
MOVEit Transfer (2023)
The most impactful Cl0p campaign to date exploited CVE-2023-34362, a SQL injection zero-day in Progress Software’s MOVEit Transfer platform. The breach affected an estimated 2,500+ organisations and exposed data belonging to over 90 million individuals. Notable victims included UK payroll provider Zellis (affecting British Airways, BBC, and Boots employees), the US Department of Energy, Shell, and Sony. The UK ICO received breach notifications from over 100 UK organisations related to the MOVEit campaign.
Cleo MFT (2024)
Cl0p returned to the managed file transfer sector with CVE-2024-50623 in Cleo’s Harmony, VLTrader, and LexiCom products. Multiple exploitation waves targeted logistics, supply chain, and retail organisations. The campaign demonstrated Cl0p’s pattern of returning to the same software category repeatedly as organisations in similar sectors share common platforms.
Oracle E-Business Suite (2025-2026)
CVE-2025-61882 (CVSS 9.8), an unauthenticated RCE in Oracle E-Business Suite’s BI Publisher Integration component, was exploited by Cl0p as a zero-day for at least two months before Oracle released patches. Cl0p named 29 victims on its leak site by early 2026, including Harvard University, American Airlines subsidiary Envoy Air, The Washington Post, Schneider Electric, Michelin, Canon, Mazda, and Broadcom. Oracle itself briefly appeared on Cl0p’s leak site. The campaign is ongoing, with ransom demands continuing from organisations breached months prior.
Economics and Revenue
Cl0p’s “one-to-many” model generates different economics than the per-organisation affiliate model. A single zero-day exploitation campaign — costing significant investment in vulnerability research and operational infrastructure — yields hundreds of simultaneous ransom opportunities. Even with a low payment rate (most publicly known organisations have declined to pay), the volume produces substantial aggregate revenue.
Security researchers estimate Cl0p collected approximately $100 million from the MOVEit campaign alone, and cumulative revenues since 2021 are estimated at $500 million or more, making the group one of the most financially successful ransomware operations ever documented.
Unlike RaaS models where operators and affiliates split revenue, Cl0p appears to operate as a closed group with consistent personnel — revenue is not distributed to external affiliates.
Victim Sectors
Cl0p’s targeting is largely opportunistic in the sense that it follows the software deployment patterns of the platforms it exploits, rather than selecting individual sectors. However, the platforms Cl0p has chosen to target — file transfer, ERP, business application platforms — are disproportionately deployed in specific sectors:
- Finance and professional services: MOVEit and GoAnywhere are heavily used in accounting, legal, and financial services for secure file exchange with clients and regulators
- Healthcare: Regulated data exchange requirements drive adoption of managed file transfer platforms in healthcare systems
- Manufacturing and industrials: Oracle EBS is a standard ERP platform across manufacturing, with Cl0p’s 2025-2026 campaign hitting Schneider Electric, Emerson, and multiple industrial conglomerates
- Education: Universities use both file transfer platforms and Oracle EBS; the GoAnywhere and Oracle EBS campaigns both included multiple university victims
Defensive Implications
Cl0p’s model exposes a structural weakness in enterprise security: organisations cannot patch vulnerabilities that haven’t been disclosed. The zero-day window — the period between Cl0p’s exploitation and vendor patch availability — is where all the damage happens.
Controls that reduce exposure during this window:
- Network segmentation: Managed file transfer and ERP platforms should not have direct internet exposure. Place MFT platforms behind WAF/application proxies that can be configured to block anomalous request patterns.
- Data minimisation: Cl0p exfiltrates what’s available. Reduce the volume of sensitive data stored on or transiting through MFT platforms to the operational minimum.
- Monitoring for bulk data access: Anomalous volumes of file access or download activity from MFT platforms is often detectable even when the initial vulnerability is unknown.
- Vendor security programme monitoring: Subscribe to security notifications from any enterprise MFT, ERP, or business application vendor. Cl0p specifically targets this software category; when a vendor announces emergency patches, treat them as urgent regardless of current exploitation status.
- Incident response preparation: The extortion element of Cl0p attacks often arrives weeks or months after the initial exfiltration. Organisations that discover a breach via Cl0p’s extortion demand need a rapid response capability to assess scope, contain exposure, and manage the regulatory notification timeline simultaneously.