Cl0p / Clop Ransomware
What is Cl0p / Clop Ransomware?
A ransomware and data-extortion crew tracked as TA505 / FIN11 that mass-exploited file transfer zero-days, most notably MOVEit Transfer in 2023.
Cl0p, also written Clop, is a ransomware and data-extortion operation linked to the financially motivated cluster TA505 / FIN11. Active since at least 2019, the group is best known for industrial-scale exploitation of managed file-transfer zero-days: Accellion FTA in 2020 (CVE-2021-27101 et al.), GoAnywhere MFT in 2023 (CVE-2023-0669) and most spectacularly MOVEit Transfer (CVE-2023-34362) in mid-2023, which exposed data from more than 2,500 organizations and over 90 million individuals. Operators emphasize data theft and public extortion via the CL0P^_-LEAKS site, often without deploying ransomware encryption. Victims include US federal agencies, Shell, BBC and British Airways.
● Examples
- 01
Cl0p posts dozens of MOVEit victims on its leak site over several weeks in mid-2023 and threatens to release data unless they negotiate.
- 02
An organization migrates its remaining Accellion FTA workloads to a supported MFT product after Cl0p reuses similar zero-days.
● Frequently asked questions
What is Cl0p / Clop Ransomware?
A ransomware and data-extortion crew tracked as TA505 / FIN11 that mass-exploited file transfer zero-days, most notably MOVEit Transfer in 2023. It belongs to the Malware category of cybersecurity.
What does Cl0p / Clop Ransomware mean?
A ransomware and data-extortion crew tracked as TA505 / FIN11 that mass-exploited file transfer zero-days, most notably MOVEit Transfer in 2023.
How does Cl0p / Clop Ransomware work?
Cl0p, also written Clop, is a ransomware and data-extortion operation linked to the financially motivated cluster TA505 / FIN11. Active since at least 2019, the group is best known for industrial-scale exploitation of managed file-transfer zero-days: Accellion FTA in 2020 (CVE-2021-27101 et al.), GoAnywhere MFT in 2023 (CVE-2023-0669) and most spectacularly MOVEit Transfer (CVE-2023-34362) in mid-2023, which exposed data from more than 2,500 organizations and over 90 million individuals. Operators emphasize data theft and public extortion via the CL0P^_-LEAKS site, often without deploying ransomware encryption. Victims include US federal agencies, Shell, BBC and British Airways.
How do you defend against Cl0p / Clop Ransomware?
Defences against Cl0p / Clop Ransomware typically combine technical controls and operational practices. Given the group's focus on managed file-transfer zero-days, the definition and examples above point to keeping internet-facing file-transfer products patched, migrating off unsupported ones (as in the Accellion FTA example), and planning for data-theft extortion rather than encryption alone.
What are other names for Cl0p / Clop Ransomware?
Common alternative names include: Cl0p, TA505, FIN11.
● Related terms
- malware № 900
Ransomware
Malware that encrypts a victim's data or locks systems and demands payment in exchange for restoring access.
- vulnerabilities № 706
MOVEit Transfer SQLi (CVE-2023-34362)
A SQL injection vulnerability in Progress MOVEit Transfer that allowed Cl0p to steal files from thousands of organizations in 2023.
- attacks № 1116
Supply Chain Attack
An attack that compromises a trusted third-party software, hardware, or service provider in order to reach its downstream customers.