⛔️⛔️Clop ransomware: Zero Day Attacks in Oracle EBS

Clop (also stylized as Cl0p) is a notorious Russian-speaking cybercriminal group specializing in ransomware-as-a-service (RaaS) operations.

Formed in early 2019 as a variant of the CryptoMix ransomware family, the group deploys malware that encrypts victims’ files—typically appending a “.clop” extension—and demands ransom payments, often in Bitcoin, for decryption keys. What sets Clop apart is its evolution into a “multilevel extortion” model, commonly known as double extortion: in addition to encrypting data, the group exfiltrates sensitive information beforehand and threatens to leak it publicly on their dark web site (Cl0p^_-Leaks) if demands aren’t met. This tactic has allowed them to extort over $500 million globally, targeting sectors like healthcare, education, finance, manufacturing, logistics, and government entities while avoiding attacks on former Soviet states or systems primarily using Russian language.

Origins and Operations

•  Roots: Clop originated from the TA505 cybercrime syndicate and operates as a RaaS, meaning affiliates distribute the malware in exchange for a cut of the profits. It uses digitally signed binaries to evade antivirus detection.

•  Infection Vectors: Common entry points include phishing emails with malicious HTML attachments or macro-enabled documents that deploy loaders (e.g., Get2), leading to tools like SDBOT, FlawedAmmyy RAT, or Cobalt Strike for reconnaissance, lateral movement, and data theft. The group frequently exploits zero-day vulnerabilities in file transfer software, such as MOVEit Transfer (CVE-2023-34362) and GoAnywhere MFT (CVE-2023-0669).

•  Ransom Process: After infection, a ransom note appears, detailing payment instructions. Demands vary but can reach tens of millions, with negotiations conducted via email or Telegram. Clop often skips traditional encryption in favor of “encryption-less ransomware,” relying solely on data leak threats for leverage.

Notable Attacks

•  2019: Debuted with an attack on Maastricht University in the Netherlands, encrypting nearly all Windows systems and securing a €200,000 ransom (partially recovered by authorities).

•  2020: Breached Accellion’s File Transfer Appliance (FTA) via zero-days, stealing data from over 100 organizations (e.g., Kroger, Singtel, Reserve Bank of New Zealand) without deploying ransomware.

•  2023: Major campaigns exploited MOVEit and GoAnywhere flaws, hitting high-profile targets like British Airways, BBC, Shell, Estee Lauder, and the U.S. Department of Education. These netted an estimated $75–100 million by mid-year, with attacks timed for holidays or low-staff periods to maximize disruption.

•  2025: In a recent escalation, Clop targeted Oracle E-Business Suite customers starting in July, exploiting a zero-day vulnerability (CVE-2025-61882) chained with four other flaws for remote code execution. This fileless malware campaign impacted dozens of organizations (primarily in the U.S.), with extortion emails sent on September 29 demanding up to $50 million. Oracle patched related issues in July, but early exploitation attempts predated the update.

Impact and Trends

Clop has driven global ransomware trends, with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) highlighting its role in advanced malware distribution. Attacks have surged in non-IT sectors like distribution and manufacturing, often using malware like TrueBot for initial access. The group claims to self-regulate by deleting data from sensitive targets (e.g., military or children’s hospitals) post-exfiltration, though this is unverified.

Mitigation Tips

To defend against Clop:

•  Patch vulnerabilities promptly, especially in third-party file transfer tools.

•  Implement multi-factor authentication (MFA), network segmentation, and endpoint detection/response (EDR) tools.

•  Train staff on phishing recognition and maintain offline backups.

•  Monitor for indicators like unusual outbound data transfers or traffic to known Clop infrastructure.
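As an added example (not code from the original post), the Python script below turns the last tip into a concrete check: it scans flow-log lines for a host whose daily outbound volume jumps far above that host's own baseline, and for any connection to a destination on a watchlist. The log format, host names, IP addresses (taken from documentation ranges), the watchlist entries and the spike thresholds are all constructed placeholders; in practice the watchlist would be populated from a current threat-intelligence feed and the thresholds tuned to the environment.

```python
"""Flag exfiltration-like outbound transfers in flow-log lines.

Added example, not code from the original post. The log format, hosts,
IP addresses, watchlist and thresholds below are constructed placeholders.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "timestamp,src_host,dst_ip,dst_port,bytes_out".
# Day 1 shows normal traffic; day 2 shows one host pushing ~2.7 GB out
# during the night, plus a workstation talking to a watchlisted address.
SAMPLE_LOG = """\
2025-09-28T02:10:00,ebs-app-01,203.0.113.10,443,1200000
2025-09-28T02:12:00,ebs-app-01,203.0.113.10,443,1500000
2025-09-28T02:15:00,ebs-app-01,203.0.113.10,443,1100000
2025-09-29T02:05:00,ebs-app-01,198.51.100.7,443,950000000
2025-09-29T02:06:00,ebs-app-01,198.51.100.7,443,870000000
2025-09-29T02:11:00,ebs-app-01,198.51.100.7,443,910000000
2025-09-29T09:00:00,workstation-17,203.0.113.10,443,300000
2025-09-29T09:03:00,workstation-17,192.0.2.44,8443,20000
"""

# Placeholder watchlist (constructed); real entries come from a threat-intel feed.
WATCHLIST = {"192.0.2.44"}


def parse_flows(text):
    """Parse CSV flow lines into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, port, nbytes = line.split(",")
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "dst": dst,
            "port": int(port),
            "bytes": int(nbytes),
        })
    return flows


def daily_outbound(flows):
    """Sum bytes_out per (host, calendar day)."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["host"], f["ts"].date())] += f["bytes"]
    return totals


def find_volume_spikes(flows, ratio=10.0, min_bytes=100_000_000):
    """Flag a host-day whose outbound volume is above an absolute floor
    (min_bytes) and more than `ratio` times the mean of that host's other
    days. Both thresholds are assumed values for this example."""
    by_host = defaultdict(dict)
    for (host, day), total in daily_outbound(flows).items():
        by_host[host][day] = total

    alerts = []
    for host, days in by_host.items():
        for day, total in days.items():
            if total < min_bytes:
                continue
            others = [v for d, v in days.items() if d != day]
            baseline = sum(others) / len(others) if others else 0.0
            # A host with no history cannot be baselined; report it too.
            if not others or total > ratio * baseline:
                alerts.append({"host": host, "day": day.isoformat(),
                               "bytes": total, "baseline": baseline})
    return alerts


def find_watchlist_hits(flows, watchlist=WATCHLIST):
    """Return every flow whose destination is on the watchlist."""
    return [{"host": f["host"], "dst": f["dst"], "port": f["port"],
             "ts": f["ts"].isoformat()}
            for f in flows if f["dst"] in watchlist]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    for a in find_volume_spikes(flows):
        print(f"VOLUME SPIKE {a['host']} {a['day']}: "
              f"{a['bytes']:,} bytes out (baseline {a['baseline']:,.0f})")
    for h in find_watchlist_hits(flows):
        print(f"WATCHLIST HIT {h['host']} -> {h['dst']}:{h['port']} at {h['ts']}")
```

Run against the constructed sample, the volume check reports only ebs-app-01 on 2025-09-29 (about 2.7 GB out against a 3.8 MB baseline) and the watchlist check reports the single workstation-17 connection. Comparing each host against its own history rather than a global threshold is what keeps a busy application server from drowning out a quiet host that suddenly starts sending data.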

For the latest threat intelligence, refer to resources from CISA or cybersecurity firms like SentinelOne and Mandiant.
