Skip to main content

Operator dossier

clop (also tracked as Cl0p) is a ransomware operator currently active on public leak sites. Darkfield has indexed 1,254 public victims claimed by this operator between March 13, 2020 and May 1, 2026. Clop (also stylized as "Cl0p") is a financially motivated ransomware group and cybercriminal enterprise that emerged in early 2020 as an evolution of the earlier CryptoMix ransomware family, operating primarily for monetary extortion against large enterprise targets. The group is widely assessed by Mandiant, CISA, and other reputable researchers to have ties to Russian-speaking cybercriminal actors, with some researchers linking their operations to the broader FIN11 threat cluster; they operate a Ransomware-as-a-Service (RaaS) model while also conducting direct intrusion operations. Clop is particularly distinguished for its aggressive exploitation of zero-day and n-day vulnerabilities in managed file transfer (MFT) and enterprise software platforms as primary initial access vectors, most notably the exploitation of Accellion FTA (2020-2021), Fortra GoAnywhere MFT (CVE-2023-0669), and the MOVEit Transfer vulnerability (CVE-2023-34362) in 2023, and consistently employs double extortion tactics — exfiltrating sensitive data prior to or in lieu of encryption and threatening public disclosure on their dedicated leak site to coerce payment. Clop has been responsible for some of the most impactful ransomware campaigns on record, with their 2023 MOVEit exploitation campaign alone affecting over 1,000 organizations globally and impacting entities including Shell, the U.S. Department of Energy, British Airways, and numerous U.S. federal agencies, with the broader campaign representing one of the largest mass-exploitation events in ransomware history; Ukrainian law enforcement arrested six individuals linked to Clop operations in June 2021, though the group's core leadership is assessed to remain outside of effective law enforcement jurisdiction. As of the most recent publicly available intelligence, Clop remains active, continuing to leverage vulnerability exploitation campaigns against enterprise file transfer solutions and maintaining a victim count exceeding 1,250 known organizations, with consistent targeting concentrated in the United States, Canada, United Kingdom, Australia, and Germany across technology, business services, manufacturing, and consumer services sectors.

Most-targeted sectors

Most-affected countries

Recent disclosures by clop

Most recent 150 of 1,254 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for clop

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

All groups

clop

aka Cl0p · 1,254 victims indexed · first seen 6 years ago · last activity 2 months ago

1,254
Victims indexed
#10 of 364 tracked operators
6y 2m
Active period
Mar 2020 → May 2026
30
Countries hit
top US · 432

At a glance

Status
active
Aliases
Cl0p
First seen
6 years ago
Last activity
2 months ago
Onion sites
3 known endpoints
Primary sector
Technology · 213 hits

About

Clop (also stylized as "Cl0p") is a financially motivated ransomware group and cybercriminal enterprise that emerged in early 2020 as an evolution of the earlier CryptoMix ransomware family, operating primarily for monetary extortion against large enterprise targets. The group is widely assessed by Mandiant, CISA, and other reputable researchers to have ties to Russian-speaking cybercriminal actors, with some researchers linking their operations to the broader FIN11 threat cluster; they operate a Ransomware-as-a-Service (RaaS) model while also conducting direct intrusion operations. Clop is particularly distinguished for its aggressive exploitation of zero-day and n-day vulnerabilities in managed file transfer (MFT) and enterprise software platforms as primary initial access vectors, most notably the exploitation of Accellion FTA (2020-2021), Fortra GoAnywhere MFT (CVE-2023-0669), and the MOVEit Transfer vulnerability (CVE-2023-34362) in 2023, and consistently employs double extortion tactics — exfiltrating sensitive data prior to or in lieu of encryption and threatening public disclosure on their dedicated leak site to coerce payment. Clop has been responsible for some of the most impactful ransomware campaigns on record, with their 2023 MOVEit exploitation campaign alone affecting over 1,000 organizations globally and impacting entities including Shell, the U.S. Department of Energy, British Airways, and numerous U.S. federal agencies, with the broader campaign representing one of the largest mass-exploitation events in ransomware history; Ukrainian law enforcement arrested six individuals linked to Clop operations in June 2021, though the group's core leadership is assessed to remain outside of effective law enforcement jurisdiction. As of the most recent publicly available intelligence, Clop remains active, continuing to leverage vulnerability exploitation campaigns against enterprise file transfer solutions and maintaining a victim count exceeding 1,250 known organizations, with consistent targeting concentrated in the United States, Canada, United Kingdom, Australia, and Germany across technology, business services, manufacturing, and consumer services sectors.

References

75 links

External sources curated by the MISP threat-intel community.

Timeline

24 months
2023-11-01T00:00:00+00:00 · 62023-12-01T00:00:00+00:00 · 12024-01-01T00:00:00+00:00 · 22024-02-01T00:00:00+00:00 · 32024-03-01T00:00:00+00:00 · 42024-05-01T00:00:00+00:00 · 72024-06-01T00:00:00+00:00 · 22024-07-01T00:00:00+00:00 · 12024-09-01T00:00:00+00:00 · 12024-10-01T00:00:00+00:00 · 52024-12-01T00:00:00+00:00 · 682025-01-01T00:00:00+00:00 · 602025-02-01T00:00:00+00:00 · 3352025-03-01T00:00:00+00:00 · 72025-04-01T00:00:00+00:00 · 12025-05-01T00:00:00+00:00 · 12025-07-01T00:00:00+00:00 · 22025-10-01T00:00:00+00:00 · 132025-11-01T00:00:00+00:00 · 982025-12-01T00:00:00+00:00 · 12026-01-01T00:00:00+00:00 · 462026-02-01T00:00:00+00:00 · 792026-03-01T00:00:00+00:00 · 22026-05-01T00:00:00+00:00 · 2
2023-11-01T00:00:00+00:002026-05-01T00:00:00+00:00

Top countries

🇺🇸 United States
432
🇨🇦 Canada
54
🇬🇧 United Kingdom
26
🇦🇺 Australia
24
🇩🇪 Germany
23
🇫🇷 France
16
🇮🇳 India
15
🇯🇵 Japan
15

Top sectors

Technology
213
Business Services
190
Consumer Services
159
Manufacturing
142
Transportation/Logistics
93
Financial Services
84
Healthcare
72
Education
44

MITRE ATT&CK

38 techniques · 11 tactics

Tactics

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationImpact

Techniques

  • T1190Exploit Public-Facing Application
  • T1566.001Phishing: Spearphishing Attachment
  • T1566.002Phishing: Spearphishing Link
  • T1078Valid Accounts
  • T1059.001Command and Scripting Interpreter: PowerShell
  • T1059.003Command and Scripting Interpreter: Windows Command Shell
  • T1059.005Command and Scripting Interpreter: Visual Basic
  • T1204.002User Execution: Malicious File
  • T1047Windows Management Instrumentation
  • T1543.003Create or Modify System Process: Windows Service
  • T1055Process Injection
  • T1548.002Abuse Elevation Control Mechanism: Bypass User Account Control
  • T1562.001Impair Defenses: Disable or Modify Tools
  • T1562.009Impair Defenses: Safe Mode Boot
  • T1070.001Indicator Removal: Clear Windows Event Logs
  • T1027Obfuscated Files or Information
  • T1036Masquerading
  • T1112Modify Registry
  • T1003.001OS Credential Dumping: LSASS Memory
  • T1110Brute Force
  • T1057Process Discovery
  • T1082System Information Discovery
  • T1083File and Directory Discovery
  • T1135Network Share Discovery
  • T1069Permission Groups Discovery
  • T1021.001Remote Services: Remote Desktop Protocol
  • T1021.002Remote Services: SMB/Windows Admin Shares
  • T1080Taint Shared Content
  • T1039Data from Network Shared Drive
  • T1074.001Data Staged: Local Data Staging
  • T1005Data from Local System
  • T1048Exfiltration Over Alternative Protocol
  • T1567Exfiltration Over Web Service
  • T1486Data Encrypted for Impact
  • T1490Inhibit System Recovery
  • T1489Service Stop
  • T1657Financial Theft
  • T1491.002Defacement: External Defacement

Detection · YARA rules

1 rule
  • clop_ransom_note

    YARA rule from ATR/Trellix: ransomware/RANSOM_ClopRansomNote.yar

    source: ATR/Trellix

Recent victims

Loading…

Onion infrastructure

3 known
  • http://ekbgzchl6x2ias37.onion
  • http://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion
  • http://toznnag5o3ambca56s2yacteu7q7x2avrfherzmz4nmujrjuib4iusad.onion

Source

Updated 2 months ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time clop posts a victim.

Add clop to your watchlist — Pro pings you within 5 minutes of any new clop leak-site post, Telegram callout, or affiliate-rebrand inference.