Cl0p Ransomware Group
Threat Intelligence
Definition
A Russian-linked cybercriminal group best known for conducting mass exploitation campaigns against enterprise file transfer software vulnerabilities — including MOVEit Transfer, GoAnywhere MFT, and Accellion FTA — affecting thousands of organizations simultaneously through a single vulnerability rather than individual targeted intrusions.
Technical Details
Cl0p (also written CLOP) emerged around 2019 as an offshoot of the TA505 threat actor group. Unlike most ransomware groups, which attack one organization at a time, Cl0p pioneered a 'mass exploitation' business model — discovering or acquiring zero-day vulnerabilities in widely deployed enterprise software, rapidly exploiting hundreds or thousands of organizations simultaneously, and then extorting them all at once. This approach prioritizes breadth over depth: rather than spending weeks on hands-on intrusion in one network, the group exploits many organizations in days and, in most cases, exfiltrates data without deploying file-encrypting ransomware.

The technical profile of Cl0p's campaigns demonstrates sophisticated vulnerability research capabilities. The Accellion FTA campaign (2020-2021) exploited four zero-day vulnerabilities in legacy file transfer appliances. The GoAnywhere MFT campaign in early 2023 exploited CVE-2023-0669, a pre-authentication RCE vulnerability, to compromise over 130 organizations within days of exploitation beginning. The MOVEit Transfer campaign in May-June 2023 was the most impactful: the group exploited CVE-2023-34362 (an SQL injection leading to RCE) against internet-facing MOVEit servers, exfiltrating data from an estimated 2,600+ organizations, including US federal agencies (Department of Energy, Department of Agriculture), major corporations (Shell, Siemens, Sony), and managed service providers whose compromise caused downstream impact to their clients.

Cl0p's extortion model differs from traditional ransomware: in the MOVEit campaign, they generally did not encrypt files but instead exfiltrated data and demanded payment under threat of public exposure on their dark web leak site. This data-theft-only model avoids the operational disruption that typically triggers rapid incident response and law enforcement attention, while still creating substantial leverage. The group also exploited the timing of regulatory disclosure requirements — many organizations felt compelled to pay before disclosure deadlines.

Cl0p is assessed to operate from Russia or the Commonwealth of Independent States and has historically avoided targeting Russian-language entities — a common characteristic of Russia-tolerated cybercriminal groups. Ukrainian authorities arrested six members in June 2021, but operations continued uninterrupted, suggesting either that the arrested individuals were not core operators or that the group reconstituted.
Practical Usage
Cl0p's mass exploitation model has specific implications for how organizations should prioritize vulnerability management. Traditional risk-based patching that prioritizes on CVSS score alone is insufficient — organizations must also consider whether a vulnerability exists in internet-facing file transfer infrastructure that could enable mass exfiltration. MOVEit, GoAnywhere, Accellion, and similar managed file transfer (MFT) platforms deserve elevated priority and should be patched within hours of a critical vulnerability disclosure, not days.

For security teams assessing whether they were affected by Cl0p's MOVEit campaign, CISA and multiple vendors published detailed indicators of compromise, including webshell filenames, specific PowerShell commands used for data enumeration, and the unique SQL injection payload. Organizations running MOVEit Transfer should examine their web logs for the specific URL patterns and POST requests associated with exploitation even if they patched quickly — the exploitation window may have opened before the patch was available.

The Cl0p campaigns also highlight the third-party risk dimension. Many organizations discovered their data was exfiltrated not because they ran MOVEit directly, but because their payroll processor, HR platform, or other SaaS vendor used MOVEit for file transfers involving customer data. Third-party risk management programs should specifically inventory which vendors use managed file transfer software for data handling and require notification if those vendors are affected by critical vulnerabilities in that infrastructure.
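The log review described above, as an added example that is not part of the original page and is not code from CISA, Progress, or any other vendor. It walks an IIS W3C access log from an internet-facing MFT host, flags requests to published indicator paths (webshell filenames) and POSTs to endpoints outside a per-deployment allowlist, and marks each finding as pre- or post-patch so that hits inside the pre-patch window are not dismissed because the host was patched quickly. The indicator paths, the allowlist, the patch timestamp and the sample log lines are all constructed placeholders; substitute the vendor's published indicators and your own deployment's endpoints.

```python
"""Triage an IIS W3C access log from an internet-facing managed file transfer
(MFT) server for hits on published indicator paths and unexpected POSTs,
marking whether each hit happened before the patch was applied.

Added example; not from the original page, CISA, or any vendor. IOC_PATHS,
KNOWN_GOOD_POST_PATHS, PATCHED_AT and SAMPLE_LOG are constructed placeholders.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed IIS W3C layout: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
W3C_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")

# PLACEHOLDER indicator paths: replace with the webshell filenames published by
# the vendor/CISA for the product you run. IIS paths are case-insensitive, so
# matching is done in lower case.
IOC_PATHS = {"/placeholder_webshell.aspx"}

# Per-deployment allowlist of endpoints that legitimately receive POSTs (assumption).
KNOWN_GOOD_POST_PATHS = {"/api/v1/token", "/api/v1/files"}

# When the patch went on this host (constructed). Anything earlier falls in the
# window the text warns about and still needs review even though you patched.
PATCHED_AT = datetime(2023, 5, 31, tzinfo=timezone.utc)

REASON_IOC_PATH = "request to published indicator path"
REASON_UNEXPECTED_POST = "POST to endpoint outside allowlist"


@dataclass(frozen=True)
class Finding:
    line_no: int
    when: datetime
    src_ip: str
    method: str
    path: str
    status: int
    reason: str
    before_patch: bool


def parse_w3c(line: str) -> tuple | None:
    """Return (when, ip, method, path, status), or None for directives and garbage."""
    m = W3C_LINE.match(line.strip())
    if line.startswith("#") or not m:
        return None
    date, time_, ip, method, path, status, _ua = m.groups()
    when = datetime.fromisoformat(f"{date}T{time_}").replace(tzinfo=timezone.utc)
    return when, ip, method.upper(), path, int(status)


def triage(log_text: str, patched_at: datetime = PATCHED_AT,
           ioc_paths: set[str] = IOC_PATHS,
           good_post_paths: set[str] = KNOWN_GOOD_POST_PATHS) -> list[Finding]:
    """Scan every log line and emit one Finding per line that trips a rule."""
    ioc_lower = {p.lower() for p in ioc_paths}
    findings: list[Finding] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        parsed = parse_w3c(line)
        if parsed is None:
            continue
        when, ip, method, path, status = parsed
        reason = None
        if path.lower() in ioc_lower:
            # A 404 still matters: someone asked for the webshell by name.
            reason = REASON_IOC_PATH
        elif method == "POST" and path not in good_post_paths:
            reason = REASON_UNEXPECTED_POST
        if reason:
            findings.append(Finding(line_no, when, ip, method, path, status,
                                    reason, when < patched_at))
    return findings


def suspicious_sources(findings: list[Finding]) -> dict[str, int]:
    """Count findings per source IP so the review can pivot on the noisiest ones."""
    return dict(Counter(f.src_ip for f in findings))


# Constructed sample log using RFC 5737 documentation addresses; not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
2023-05-29 02:11:08 203.0.113.7 GET /api/v1/files 200 Mozilla/5.0
2023-05-29 02:11:09 203.0.113.7 POST /api/v1/token 200 Mozilla/5.0
2023-05-29 02:12:41 198.51.100.23 POST /files/upload 200 python-requests/2.28
2023-05-29 02:12:44 198.51.100.23 GET /placeholder_webshell.aspx 200 python-requests/2.28
2023-06-01 10:03:12 192.0.2.5 GET /Placeholder_Webshell.aspx 404 curl/8.0
"""


def run_sample() -> list[Finding]:
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    for f in run_sample():
        flag = "PRE-PATCH" if f.before_patch else "post-patch"
        print(f"line {f.line_no} {flag} {f.src_ip} {f.method} {f.path} {f.status}: {f.reason}")
    print(suspicious_sources(run_sample()))
```

Two design points: the pre-patch flag is the important one, since the text's warning is that exploitation may have preceded the patch, so a clean post-patch log proves nothing about the earlier window; and a 404 on an indicator path is kept as a finding rather than discarded, because a probe for a webshell by name is itself worth a look at that source address.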
Examples
- The 2023 MOVEit Transfer campaign affected an estimated 2,620 organizations and over 77 million individuals, including US federal agencies, major corporations, and hundreds of downstream victims through managed service providers.
- Cl0p exploited GoAnywhere MFT (CVE-2023-0669) to breach 130 organizations, including Procter & Gamble, Hitachi, and the City of Toronto, within days, exfiltrating sensitive employee and customer data.
- The Accellion FTA attacks (2020-2021) compromised Bombardier, the Reserve Bank of New Zealand, Stanford University Medical Center, and the Australian Securities and Investments Commission — all through zero-days in the same legacy file transfer appliance.