Skip to main content

Operator dossier

Cl0p (also tracked as Clop, TA505, FIN11) is a ransomware operator currently active on public leak sites. Darkfield has indexed 2,744 public victims claimed by this operator between March 13, 2020 and May 1, 2026. The Cl0p (also known as Clop) ransomware group is a financially motivated cybercriminal organization that emerged in March 2020, operating as part of the broader TA505/FIN11 threat landscape and conducting high-impact ransomware campaigns targeting organizations globally. The group is believed to operate from Russian-speaking territories and has been linked to the prolific TA505 cybercriminal consortium, functioning as a Ransomware-as-a-Service operation that collaborates with various affiliate groups to maximize their operational reach. Cl0p primarily gains initial access through exploitation of zero-day vulnerabilities in file transfer applications, phishing campaigns, and SQL injection attacks, employing double extortion tactics by exfiltrating sensitive data before deploying their custom ransomware payload, which uses strong encryption algorithms to render victim systems inoperable. The group has been responsible for several high-profile campaigns, most notably their exploitation of zero-day vulnerabilities in MOVEit Transfer software in 2023, which affected hundreds of organizations worldwide including major corporations and government entities, and their previous campaigns targeting Accellion FTA and other file transfer solutions that resulted in the compromise of sensitive data from numerous high-value targets. Cl0p remains active as of 2024, continuing to evolve their tactics and maintain their position as one of the most prolific ransomware groups globally, with over 1,490 documented victims primarily concentrated in the United States, Canada, United Kingdom, Germany, and Australia across technology, manufacturing, transportation, and consumer services sectors.

Most-targeted sectors

Most-affected countries

Recent disclosures by Cl0p

Most recent 150 of 2,744 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for Cl0p

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

All groups

Cl0p

aka Clop, TA505, FIN11 · 2,744 victims indexed · first seen 6 years ago · last activity 2 months ago

2,744
Victims indexed
#2 of 364 tracked operators
6y 2m
Active period
Mar 2020 → May 2026
30
Countries hit
top United States · 1,671

At a glance

Status
active
Aliases
Clop, TA505, FIN11
First seen
6 years ago
Last activity
2 months ago
Onion sites
4 known endpoints
Primary sector
Technology · 497 hits

About

The Cl0p (also known as Clop) ransomware group is a financially motivated cybercriminal organization that emerged in March 2020, operating as part of the broader TA505/FIN11 threat landscape and conducting high-impact ransomware campaigns targeting organizations globally. The group is believed to operate from Russian-speaking territories and has been linked to the prolific TA505 cybercriminal consortium, functioning as a Ransomware-as-a-Service operation that collaborates with various affiliate groups to maximize their operational reach. Cl0p primarily gains initial access through exploitation of zero-day vulnerabilities in file transfer applications, phishing campaigns, and SQL injection attacks, employing double extortion tactics by exfiltrating sensitive data before deploying their custom ransomware payload, which uses strong encryption algorithms to render victim systems inoperable. The group has been responsible for several high-profile campaigns, most notably their exploitation of zero-day vulnerabilities in MOVEit Transfer software in 2023, which affected hundreds of organizations worldwide including major corporations and government entities, and their previous campaigns targeting Accellion FTA and other file transfer solutions that resulted in the compromise of sensitive data from numerous high-value targets. Cl0p remains active as of 2024, continuing to evolve their tactics and maintain their position as one of the most prolific ransomware groups globally, with over 1,490 documented victims primarily concentrated in the United States, Canada, United Kingdom, Germany, and Australia across technology, manufacturing, transportation, and consumer services sectors.

References

75 links

External sources curated by the MISP threat-intel community.

Timeline

24 months
2023-11-01T00:00:00+00:00 · 122023-12-01T00:00:00+00:00 · 22024-01-01T00:00:00+00:00 · 42024-02-01T00:00:00+00:00 · 62024-03-01T00:00:00+00:00 · 82024-05-01T00:00:00+00:00 · 142024-06-01T00:00:00+00:00 · 42024-07-01T00:00:00+00:00 · 22024-09-01T00:00:00+00:00 · 22024-10-01T00:00:00+00:00 · 102024-12-01T00:00:00+00:00 · 1362025-01-01T00:00:00+00:00 · 1202025-02-01T00:00:00+00:00 · 6702025-03-01T00:00:00+00:00 · 142025-04-01T00:00:00+00:00 · 22025-05-01T00:00:00+00:00 · 22025-07-01T00:00:00+00:00 · 42025-10-01T00:00:00+00:00 · 262025-11-01T00:00:00+00:00 · 1962025-12-01T00:00:00+00:00 · 22026-01-01T00:00:00+00:00 · 922026-02-01T00:00:00+00:00 · 1582026-03-01T00:00:00+00:00 · 22026-05-01T00:00:00+00:00 · 2
2023-11-01T00:00:00+00:002026-05-01T00:00:00+00:00

Top countries

🇺🇸 United States
1,671
🇨🇦 Canada
144
🇬🇧 United Kingdom
118
🇩🇪 Germany
100
🇦🇺 Australia
56
🇫🇷 France
42
🇯🇵 Japan
40
🇮🇳 India
37

Top sectors

Technology
497
Manufacturing
234
Business Services
201
Healthcare
190
Financial Services
181
Transportation/Logistics
136
Consumer Services
130
Education
99

MITRE ATT&CK

5 techniques · 5 tactics

Tactics

Initial AccessExecutionPersistenceExfiltrationImpact

Techniques

  • T1190Exploit Public-Facing Application
  • T1059Command and Scripting Interpreter
  • T1505.003Web Shell
  • T1567Exfiltration Over Web Service
  • T1486Data Encrypted for Impact

Indicators of compromise

Known tools

FlawedAmmyySDBbotDEWMODELEMURLOOT

File hashes

  • SHA256 2e4f86b69f0e7e5a6b67e0e6c8d5a8b1c3f7e9d0a2b4c6d8e0f1a3b5c7d9e1f3
    Cl0p ransomware

Domains

  • santat7kpllt6iyvqbr7q4amdv6dzrh6hzcbzc7qlrc7xkzlhcimsqd.onion

Detection · YARA rules

1 rule
  • clop_ransom_note

    YARA rule from ATR/Trellix: ransomware/RANSOM_ClopRansomNote.yar

    source: ATR/Trellix

Recent victims

Loading…

Onion infrastructure

4 known
  • http://ekbgzchl6x2ias37.onion
  • http://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion/
  • http://toznnag5o3ambca56s2yacteu7q7x2avrfherzmz4nmujrjuib4iusad.onion
  • http://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion

Source

Updated 2 months ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time Cl0p posts a victim.

Add Cl0p to your watchlist — Pro pings you within 5 minutes of any new Cl0p leak-site post, Telegram callout, or affiliate-rebrand inference.