Cl0p
Active Since: February 2019
Victims as of January 2024: 538
Known Forum Aliases: CL0P
Active Forum Accounts: XSS
Top Targeted Geographies: US, UK, Canada
Cl0p ransomware is known to be used by the cybercriminal enterprise tracked under the names TA505 and FIN11.
There was a lull in the group's activity for most of 2022, potentially due to the arrest of six Cl0p associates in Ukraine in June 2021. Attacks resurged quickly, however, and 2023 was far and away the group's most active year.
Cl0p is notable for exploiting vulnerabilities in widely deployed supply chain software to compromise many organizations at once, then announcing the victims in a batch at a later date. It used this tactic to great effect in 2023, when two "mass-hacks" made Cl0p the third most prolific ransomware group of the year by number of listed victims (after LockBit and BlackCat).
In March, Cl0p exploited CVE-2023-0669, a pre-authentication remote code execution vulnerability in Fortra's GoAnywhere MFT secure file transfer tool, to target more than 130 organizations, listing them in quick succession. Then in June, Cl0p repeated the approach in one of the biggest and most notable cyberattacks of the year, exploiting a zero-day SQL injection vulnerability (CVE-2023-34362) in Progress Software's MOVEit Transfer file transfer tool.
The group had so many victims from the MOVEit breach that it had to explore new ways of leaking data, including distributing stolen data via torrents. While hundreds of companies were listed on its leak site, it is reported that more than 1,000 organizations were in fact impacted by the MOVEit attacks. Noteworthy victims included the BBC, British Airways, Emsisoft, the U.S. government services contractor Maximus, and the French government's unemployment agency, Pôle emploi.
In the aftermath, the U.S. State Department offered a $10 million reward for information on Cl0p, and the group's activity has slowed considerably since it finished listing the MOVEit victims. However, given the "mass-hack" tactic, the group may well be conducting activity behind the scenes that has not yet surfaced on its leak site.