Skip to content
Ransomware group LinuxWindows

Clop

Clop, also written Cl0p, is a ransomware and extortion operation active since 2019 and widely associated with the cybercrime clusters FIN11 and TA505; some reporting also links the brand to GRACEFUL SPIDER and Lace Tempest.

Profile source: Mallory opens in a new tab

Clop

Family profile

Clop, also written Cl0p, is a ransomware and extortion operation active since 2019 and widely associated with the cybercrime clusters FIN11 and TA505; some reporting also links the brand to GRACEFUL SPIDER and Lace Tempest. It has targeted organizations across many sectors worldwide, including financial services, manufacturing, retail, transportation, education, telecommunications, energy, automotive, and healthcare. Clop is notable for combining conventional ransomware behavior with large-scale data-theft extortion and for repeatedly exploiting zero-day vulnerabilities in managed file transfer and enterprise software platforms.

Clop has been linked to mass exploitation campaigns against Accellion FTA, GoAnywhere MFT, MOVEit Transfer, SolarWinds Serv-U, Cleo software, and Oracle E-Business Suite. In multiple campaigns, the operation emphasized theft of sensitive data and delayed extortion over immediate encryption, making it one of the more prominent examples of ransomware actors shifting toward pure or primarily exfiltration-based extortion. Victims are commonly pressured through leak-site publication and double-extortion tactics.

On Windows, Clop has demonstrated typical ransomware impact behavior, including encrypting files, deleting shadow copies, and disabling recovery options. Reported defense-evasion features include uninstalling or disabling security products, enumerating security software by process name, modifying the Windows Registry, and geofencing execution by checking keyboard layout and character set to avoid infecting systems configured for Russian or other CIS languages. Clop activity has also been associated with lateral movement using stolen credentials and broader post-compromise operations prior to ransomware deployment.

A Linux ELF variant has also been observed, showing that the operation can target Linux environments in addition to Windows. That variant used similar encryption logic to the Windows branch but appeared less mature and contained implementation flaws that enabled decryption without ransom payment. The existence of both Windows and Linux variants aligns with Clop’s focus on enterprise servers and high-value environments.

Overall, Clop is best characterized as a major ransomware-extortion threat actor and malware family distinguished by opportunistic mass exploitation of high-impact vulnerabilities, strong emphasis on data exfiltration, and broad targeting of enterprise organizations worldwide.

Capabilities

  • Defense Evasion
  • Exfiltration
  • Extortion
  • Lateral Movement
  • Reconnaissance

Ransomware.live

Operational record

View group record ↗

Offsec

  • Cobalt Strike
  • PowerShell Empire
  • TinyMet

Reported operators

Threat actors

8 named in public reporting
FIN11

the Oracle EBS platform has been under sustained, documented attack by the Cl0p ransomware group and suspected FIN11 operators throughout 2025 and into 2026

UNC5936

the Oracle EBS platform has been under sustained, documented attack by the Cl0p ransomware group and suspected FIN11 operators throughout 2025 and into 2026

TA505

Given that the GRACEFUL SPIDER threat group (operating as Cl0p) already demonstrated mass exploitation of a structurally similar Oracle EBS flaw last year... Google Cloud/Mandiant separately confirmed Cl0p ransomware gang involvement in a large scale extortion campaign.

UNC2546

Cl0p Ransomware, aka Cl0p, is a ransomware group that emerged in February 2019 and targeted most industries worldwide, including retail, transportation, education, manufacturing, automotive, energy, financial, telecommunications and even healthcare.

Lace Tempest

Microsoft has linked the Clop ransomware gang to recent attacks exploiting a zero-day vulnerability in the MOVEit Transfer platform to steal data from organizations.

Snakefly

Prior to its patching, attackers linked to the Clop ransomware operation were already exploiting CVE-2023-34362 as a zero-day vulnerability.

FIN7

...observed the group using OpenSSH and Impacket to move laterally and deploy Clop ransomware.

Scattered Spider

The following analytic identifies the execution of CLOP ransomware variants using specific arguments ("runrun" or "temp.dat") to trigger their malicious activities.

Exploited software

Vulnerabilities linked to Clop

37 CVEs
CVE-2025-61882 Unauthenticated RCE in Oracle E-Business Suite Concurrent Processing BI Publisher Integration CVE-2026-46817 Unauthenticated takeover in Oracle E-Business Suite Oracle Payments File Transmission CVE-2024-55956 Unauthenticated Command Injection in Cleo Harmony, VLTrader, and LexiCom Autorun Directory CVE-2023-34362 SQL Injection in Progress MOVEit Transfer CVE-2026-35273 Unauthenticated RCE in Oracle PeopleSoft PeopleTools Updates Environment Management CVE-2021-35211 RCE in SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP CVE-2023-27350 Unauthenticated RCE in PaperCut MF/NG SetupCompleted CVE-2023-27351 Authentication Bypass in PaperCut NG/MF SecurityRequestFilter CVE-2025-61884 Authentication Bypass in Oracle E-Business Suite Oracle Configurator Runtime UI CVE-2024-50623 Unauthenticated unrestricted file upload/download leading to RCE in Cleo Harmony, VLTrader, and LexiCom CVE-2021-27101 SQL Injection in Accellion FTA document_root.html via Host header CVE-2021-27104 OS Command Injection in Accellion FTA admin endpoints CVE-2021-27102 OS Command Execution in Accellion FTA local web service call CVE-2021-27103 SSRF in Accellion FTA wmProgressstat.html CVE-2023-35708 SQL Injection in Progress MOVEit Transfer CVE-2023-35036 SQL Injection in Progress MOVEit Transfer CVE-2020-1472 ZeroLogon CVE-2025-30406 Gladinet CentreStack/Triofox ASP.NET ViewState Deserialization RCE CVE-2025-11371 Unauthenticated Local File Inclusion in Gladinet CentreStack and Triofox CVE-2025-14611 Unauthenticated LFI in Gladinet CentreStack and Triofox via Hardcoded AES Keys CVE-2023-0669 Pre-authentication RCE in Fortra GoAnywhere MFT License Response Servlet CVE-2025-30746 CSRF in Oracle iStore Shopping Cart CVE-2025-50107 Oracle Universal Work Queue Request Handling Improper Access Control Vulnerability CVE-2025-30745 Oracle MES for Process Manufacturing Device Integration improper request handling vulnerability CVE-2022-31199 Netwrix Auditor User Activity Video Recording Remote Code Execution CVE-2023-47246 SysAid On-Prem Path Traversal Leading to Code Execution CVE-2025-50105 Improper Access Control in Oracle E-Business Suite Universal Work Queue Work Provider Administration CVE-2023-36933 Denial of Service in Progress MOVEit Transfer via Unhandled Exception CVE-2023-41266 Path Traversal Authentication Bypass in Qlik Sense Enterprise for Windows CVE-2023-36934 Unauthenticated SQL Injection in Progress MOVEit Transfer CVE-2025-50071 Improper access control in Oracle Applications Framework Web Utilities CVE-2025-30743 Improper access control in Oracle Lease and Finance Management Internal Operations CVE-2025-50090 CSRF in Oracle E-Business Suite Oracle Applications Framework Personalization CVE-2023-41265 ZeroQlik HTTP Request Tunneling in Qlik Sense Enterprise for Windows CVE-2023-36932 Authenticated SQL Injection in Progress MOVEit Transfer CVE-2025-30739 Improper access control in Oracle CRM Technical Foundation Preferences CVE-2025-30744 Oracle Mobile Field Service Multiplatform Sync Errors Unauthorized Data Access/Modification

MITRE ATT&CK

Clop in ATT&CK

59 distinct techniques

Techniques

59 techniques
T1518.001 Security Software Discovery T1112 Modify Registry T1614.001 System Language Discovery T1486 Data Encrypted for Impact T1083 File and Directory Discovery T1140 Deobfuscate/Decode Files or Information T1497 Virtualization/Sandbox Evasion T1070.004 File Deletion T1057 Process Discovery T1059.003 Windows Command Shell T1078 Valid Accounts T1657 Financial Theft T1537 Transfer Data to Cloud Account T1490 Inhibit System Recovery T1489 Service Stop T1074 Data Staged T1566 Phishing T1133 External Remote Services T1485 Data Destruction T1190 Exploit Public-Facing Application T1041 Exfiltration Over C2 Channel T1566.003 Spearphishing via Service T1560 Archive Collected Data T1553.002 Code Signing T1213 Data from Information Repositories T1068 Exploitation for Privilege Escalation T1562.001 Disable or Modify Tools T1562 Impair Defenses T1567 Exfiltration Over Web Service T1529 System Shutdown/Reboot T1548.002 Bypass User Account Control T1195 Supply Chain Compromise T1210 Exploitation of Remote Services T1135 Network Share Discovery T1021.004 SSH T1027.002 Software Packing T1218.007 Msiexec T1497.003 Time Based Checks T1106 Native API T1567.002 Exfiltration to Cloud Storage T1566.001 Phishing: Spear-phishing attachment T1059 Command and scripting interpreter T1204 User execution T1543.003 Create or modify system process: Windows service T1547 Boot or logon autostart execution T1484.001 Domain Policy modification: Group Policy modification T1574 Hijack execution flow T1036.001 Masquerading: invalid code signature T1055.001 Process injection: DLL injection T1070.001 Indicator removal on host: clear Windows event logs T1202 Indirect command execution T1012 Query registry T1018 Remote system discovery T1063 Security software discovery T1082 System information discovery T1021.002 Remote services: SMB/Windows admin shares T1570 Lateral tool transfer T1005 Data from local system T1071 Application Layer Protocol

Reporting

Research mentioning Clop

Jul 8
Teiss News

teiss - News - Deutsche Bank faces new breach claims after ransomware group posts employee data samples

The bank was affected by the 2023 MOVEit file-transfer breach, in which the Cl0p ransomware gang compromised the platform and affected organizations worldwide.

Jun 12
Flareio

Ransomware-as-a-Service: LockBit Alumni Launch Competing Programs as E

The report also notes that the 7.1% apparent year-over-year decline from Q1 2025 is misleading: Q1 2025 was inflated by Cl0p’s mass Cleo exploitation (~390 victims in one burst).

Jun 6
Codeby

Ransomware тренды 2026: EDR killers и detection для SOC

По данным Cognyte, Cl0p провела кампанию с эксплуатацией критической zero-day CVE-2025-61882 ... в Oracle E-Business Suite ... Около 30 организаций были опубликованы на DLS Cl0p с эксфильтрацией сотен гигабайт из Oracle EBS.

May 28
Zeropath

Brief Summary: CVE-2026-46819 - Unauthenticated Data Access in Oracle E-Business Suite Internet Procurement Connector - ZeroPath Blog | ZeroPath

Given that the GRACEFUL SPIDER threat group (operating as Cl0p) already demonstrated mass exploitation of a structurally similar Oracle EBS flaw last year... Google Cloud/Mandiant separately confirmed Cl0p ransomware gang involvement in a large scale extortion campaign.

May 28
Zeropath

Overview of CVE-2026-46820: Oracle E-Business Suite Financials Common Modules Scope Change Vulnerability - ZeroPath Blog | ZeroPath

the Oracle EBS platform has been under sustained, documented attack by the Cl0p ransomware group and suspected FIN11 operators throughout 2025 and into 2026

May 23
Malware News

UK Cybercrime Journal: Inside the Cl0p attack on South Staffs Water - Malware News - Malware Analysis, News and Indicators

On 11 May 2026, the UK Information Commissioner’s Office (ICO) fined South Staffordshire Water £963,900 after the Cl0p ransomware group lurked completely undetected in its network for nearly two years.

May 11
Checkpoint Research

The State of Ransomware - Q1 2026 - Check Point Research

the Q1 2025 numbers were heavily inflated by Cl0p’s Cleo mass-exploitation campaign which contributed approximately 390 victims in a single burst.

May 11
Register Security

ICO fines South Staffordshire £963K over 2022 breach

The UK's data protection watchdog has fined South Staffordshire Water's parent company nearly £1 million over security failings exposed by the Cl0p ransomware attack in 2022. The attack, claimed by Cl0p, was detected in July 2022.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.