Background
Cl0p (also written Clop or CLOP) is a ransomware operation closely linked to the threat actor group tracked as TA505 (also known as FIN11). TA505 has been active since at least 2014 as a financially motivated cybercriminal group, initially known for massive spam campaigns distributing banking trojans like Dridex and the Locky ransomware. The group pivoted to operating the Cl0p ransomware starting in 2019, building one of the most impactful extortion operations in cybercrime history.
What sets Cl0p apart from most ransomware operations is their strategic focus on mass exploitation of zero-day vulnerabilities in enterprise file transfer and managed file transfer (MFT) appliances. Rather than the typical ransomware playbook of breaching individual organizations one by one, Cl0p identifies critical zero-day vulnerabilities in widely deployed enterprise software and exploits them en masse, compromising hundreds of organizations simultaneously in coordinated campaigns.
This approach proved devastatingly effective. Through three major zero-day exploitation campaigns targeting Accellion FTA (2020-2021), GoAnywhere MFT (2023), and MOVEit Transfer (2023), Cl0p compromised over 2,500 organizations and exposed the personal data of tens of millions of individuals. The MOVEit campaign alone is estimated to have affected over 2,000 organizations. In June 2023, Ukrainian police arrested several Cl0p-linked operators, but the core leadership continued operations from Russia.
Notable Campaigns
MOVEit Transfer Mass Exploitation (May-June 2023): Cl0p's most devastating campaign exploited a zero-day SQL injection vulnerability (CVE-2023-34362) in Progress Software's MOVEit Transfer, a widely used managed file transfer solution. The group compromised over 2,000 organizations including Shell, British Airways, the BBC, Ernst & Young, the U.S. Department of Energy, and numerous state governments. The campaign exposed personal data of an estimated 65-90 million individuals. Cl0p used a custom web shell called LEMURLOOT to exfiltrate data before the vulnerability was patched.
GoAnywhere MFT Zero-Day (January-February 2023): Cl0p exploited CVE-2023-0669, a remote code execution vulnerability in Fortra's GoAnywhere MFT solution. The group claimed to have compromised over 130 organizations in approximately 10 days. Notable victims included Hitachi Energy, Hatch Bank, Rubrik, and the City of Toronto. This campaign demonstrated Cl0p's refined mass exploitation methodology.
Accellion FTA Exploitation (December 2020 - January 2021): Cl0p exploited multiple zero-day vulnerabilities (CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104) in the legacy Accellion File Transfer Appliance. Using a custom web shell called DEWMODE, the group exfiltrated data from approximately 100 organizations including Qualys, Shell, Jones Day, Kroger, and the University of California system. This was Cl0p's first major mass-exploitation campaign and established the template for future operations.
South Korean Targets (2019-2020): Early Cl0p ransomware campaigns targeted South Korean organizations including E-Land Group, a major retail conglomerate. The attack on E-Land forced the temporary closure of 23 of 50 NC Department Store and NewCore Outlet locations. These campaigns used traditional ransomware deployment methods before Cl0p pivoted to mass exploitation.
Cleo File Transfer Exploitation (Late 2024): Continuing their pattern, Cl0p exploited zero-day vulnerabilities in Cleo's Harmony, VLTrader, and LexiCom file transfer products (CVE-2024-50623, CVE-2024-55956), compromising dozens of organizations. This campaign confirmed Cl0p's ongoing commitment to the mass MFT exploitation playbook.
Tactics, Techniques & Procedures
Cl0p's modern operations center on identifying and exploiting zero-day vulnerabilities in enterprise file transfer software. The group conducts extensive pre-exploitation research to identify widely deployed products, develop working exploits, and prepare infrastructure for mass data exfiltration. Exploitation campaigns are executed with military precision, often compromising hundreds of targets within days of first exploitation.
Once they exploit a vulnerability, Cl0p rapidly deploys custom web shells (DEWMODE for Accellion, LEMURLOOT for MOVEit) that are purpose-built for each target platform. These web shells enable automated data discovery and exfiltration at scale. Notably, in many of their mass exploitation campaigns, Cl0p does not deploy ransomware at all. Instead, they rely purely on data theft and extortion, threatening to publish stolen data on their leak site if victims do not pay.
In their earlier and more traditional ransomware campaigns, Cl0p used the full spectrum of post-exploitation techniques: deploying TrueBot and SDBBot for initial access, using Cobalt Strike for command and control, harvesting credentials with Mimikatz, and deploying the Cl0p ransomware payload across compromised networks. The group also uses the FlawedAmmyy RAT for persistent remote access.
Tools & Malware
- Cl0p Ransomware: The ransomware payload used in traditional deployment campaigns. Appends the .Cl0p extension to encrypted files and drops ClopReadMe.txt ransom notes. Capable of targeting Windows and Linux environments.
- LEMURLOOT: A custom web shell written in C# deployed during the MOVEit exploitation campaign. Designed specifically to interact with MOVEit Transfer's database and exfiltrate files.
- DEWMODE: A custom PHP web shell deployed during the Accellion FTA campaign. Extracted files from the Accellion appliance and staged them for download.
- TrueBot (Silence.Downloader): A first-stage downloader used to deliver Cl0p ransomware and other payloads. Distributed via malicious emails and the Raspberry Robin worm.
- FlawedAmmyy: A remote access trojan based on leaked Ammyy Admin source code, providing full remote control capabilities.
- SDBBot: A backdoor used for persistent access, capable of providing remote desktop access and command execution.
- Get2: A downloader used by TA505 to deliver various second-stage payloads including SDBBot and FlawedAmmyy.
- Cobalt Strike: Used in traditional ransomware campaigns for post-exploitation and lateral movement.
Indicators & Detection
Priority detection for Cl0p should focus on monitoring managed file transfer and file-sharing appliances for exploitation. Maintain a complete inventory of all internet-facing file transfer solutions and apply vendor patches within hours of release for critical vulnerabilities. Monitor web server logs on MFT appliances for unexpected web shell uploads, unusual API calls, and anomalous file access patterns.
For the MOVEit-specific campaign, monitor IIS logs for requests to unusual ASPX files, unexpected SQL queries against the MOVEit database, and large outbound data transfers from the MOVEit server. For Accellion, monitor for unexpected PHP files in the Accellion document root. Generically, any managed file transfer solution should have robust file integrity monitoring and outbound traffic analysis.
Network-level detection should look for large data exfiltration from file transfer servers, connections to known Cl0p infrastructure (frequently refreshed, so use threat intelligence feeds), and unusual patterns of access to file transfer appliances. Endpoint monitoring for traditional Cl0p campaigns should focus on TrueBot/SDBBot delivery mechanisms, FlawedAmmyy RAT indicators, and the Cl0p ransomware itself, which creates a mutex and disables Windows services before encryption. Ensure file transfer systems are segmented from the broader network and monitored as high-value assets.
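As an added illustration of the MOVEit log-monitoring advice above (example code written for this page, not tooling from any vendor or from the campaign itself), the script below parses IIS W3C log lines from a MOVEit server and flags two of the signals described: requests to ASPX paths that were never seen during a known-good baseline, and client IPs that pull more data than an exfiltration threshold. The log lines, the baseline paths, the threshold and the ASPX file names are all constructed for the example, not real indicators.

```python
"""Flag LEMURLOOT-style web shell activity in IIS W3C logs from a MOVEit
Transfer server: ASPX paths absent from a known-good baseline, and clients
served unusually large volumes of data within one log window."""
from collections import defaultdict

# Constructed baseline: ASPX paths observed during a known-good window.
# In practice, build this set from your own pre-incident logs.
BASELINE_ASPX = {"/baseline_login.aspx", "/baseline_files.aspx"}
# Constructed threshold: bytes served to one client IP per log window.
EXFIL_BYTES_THRESHOLD = 50_000_000

# Constructed sample log (documentation IP ranges, made-up file names).
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem c-ip sc-status sc-bytes
2023-05-28 02:14:07 GET /baseline_login.aspx 198.51.100.7 200 4120
2023-05-28 02:15:31 POST /unexpected_shell.aspx 203.0.113.9 200 512
2023-05-28 02:16:02 GET /unexpected_shell.aspx 203.0.113.9 200 60000000
2023-05-28 02:20:45 GET /baseline_files.aspx 198.51.100.7 200 8300
"""


def parse_w3c(text):
    """Yield one dict per request, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def find_suspicious(text, baseline=BASELINE_ASPX, threshold=EXFIL_BYTES_THRESHOLD):
    """Return (new_aspx_paths, heavy_clients): ASPX paths outside the baseline,
    and a map of client IP -> bytes served for clients above the threshold."""
    new_paths = set()
    bytes_per_client = defaultdict(int)
    for rec in parse_w3c(text):
        path = rec["cs-uri-stem"].lower()
        if path.endswith(".aspx") and path not in baseline:
            new_paths.add(path)
        bytes_per_client[rec["c-ip"]] += int(rec["sc-bytes"])
    heavy = {ip: n for ip, n in bytes_per_client.items() if n > threshold}
    return sorted(new_paths), heavy


if __name__ == "__main__":
    paths, heavy = find_suspicious(SAMPLE_LOG)
    print("ASPX paths outside baseline:", paths)
    print("Clients over exfil threshold:", heavy)
```

Point the same function at a real log export with a baseline learned from a pre-incident window; a new ASPX path under the MOVEit web root is the signal worth paging on, while the byte threshold needs tuning to normal transfer volumes.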