
🇷🇺 Cl0p

Threat-actor battle card · maintained from public sources · last updated 2026-06-24 · also known as Clop, Cl0p^_-, TA505, FIN11, Snakefly, GraceWire/Lace Tempest (Microsoft)

Category: Ransomware-as-a-Service
Attribution: Russian-speaking; overlaps with FIN11/TA505 (financially motivated); tracked as Lace Tempest by Microsoft, Snakefly by Symantec
First seen: 2019-02
Status: Active
Recent victims (last ~9d): 0
All-time victims: 1254
Primary targets: Manufacturing, Financial services, Retail, Technology, Healthcare, Government

Overview

Cl0p (also Cl0p^_-, TA505, FIN11, Snakefly) is a long-running, financially motivated extortion crew active since at least 2019, best known for episodic mass-exploitation campaigns that weaponise a single zero-day in a widely deployed managed-file-transfer (MFT) or enterprise application and hit dozens-to-hundreds of organisations at once, rather than the steady drip of a conventional RaaS. The group has progressively shifted from encrypt-and-extort to data-theft-only extortion, naming victims on its leak site and threatening publication. CISA/FBI joint advisory AA23-158A attributes the MOVEit campaign to Cl0p/TA505.

Tradecraft

  • Mass-exploitation playbook: Identifies and stockpiles a zero-day in a high-deployment file-transfer/enterprise platform, then detonates it across the entire exposed install base in a compressed window. Confirmed campaigns: Accellion FTA (2020-21), GoAnywhere MFT / CVE-2023-0669 (2023), MOVEit Transfer / CVE-2023-34362 (2023, 2,700+ orgs / 90M+ individuals), Cleo MFT / CVE-2024-50623 (Dec 2024), and Oracle E-Business Suite / CVE-2025-61882 (CVSS 9.8, exploited from Aug 2025).
  • Extortion model: Increasingly exfiltration-only; sends extortion emails to executives, lists victims on the Cl0p DLS, and publishes data if unpaid. Ransom demands reported in the seven- and eight-figure range, up to ~$50M.
  • Initial access: Public-facing application zero-days (primary); historically TA505 spam/loader infrastructure (Get2, SDBbot, FlawedAmmyy) for broader intrusions.
  • Living-off-the-land: Web shells on compromised MFT appliances for staging and exfiltration; minimal on-host footprint in data-theft-only operations complicates detection.

Notable victims

  • Oracle E-Business Suite campaign (2025-26): 100+ organisations estimated impacted via CVE-2025-61882; ~30 named on the Cl0p DLS including Logitech, The Washington Post, Cox Enterprises, Pan American Silver, LKQ Corporation, Copeland. SecurityWeek · Google Threat Intelligence
  • MOVEit Transfer campaign (2023): CVE-2023-34362 mass exploitation; 2,700+ organisations and 90M+ individuals affected; one of the largest data-theft events on record. CISA AA23-158A
  • Cleo MFT campaign (Dec 2024): CVE-2024-50623 exploited across exposed Cleo Harmony/VLTrader/LexiCom appliances. Cybersecurity Dive

Assessment

Cl0p is the defining practitioner of opportunistic mass extortion: it does not need to be the most prolific group month-to-month because a single campaign can eclipse a year of conventional RaaS output. The 2025-26 pivot to Oracle EBS confirms the model is intact and that the group continues to find and operationalise high-value enterprise zero-days faster than vendors and defenders can close them. The strategic risk is concentration: any organisation running an internet-exposed MFT or ERP platform is a latent Cl0p victim the moment the next zero-day drops. Mitigation is structural: minimise internet exposure of file-transfer/ERP systems, patch on emergency timelines, and monitor for anomalous bulk data egress. Treat any unpatched Oracle EBS instance as presumed-compromised.
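The assessment's last mitigation, monitoring for anomalous bulk data egress from exposed MFT/ERP hosts, is the one a SOC can encode directly. The script below is an added example written for this card, not code from the page or from any vendor: it aggregates constructed outbound-flow records per host and day, compares the day under review against the median of earlier days, and raises an alert when an inventoried MFT/ERP host either exceeds a volume ratio or talks to a destination it has never used before. The host names, IP addresses, byte counts, field names and thresholds are all assumptions chosen for illustration.

```python
"""Added example: flag anomalous bulk egress from internet-exposed MFT/ERP hosts.
Not from the Cl0p battle card or any product; all data below is constructed.
Assumed record shape: {"ts": ISO-8601, "src": hostname, "dst": IP, "bytes_out": int}.
"""
from collections import defaultdict
from datetime import date, datetime
from statistics import median

# Constructed inventory of hosts that terminate file-transfer / ERP traffic (hypothetical names).
EXPOSED_HOSTS = {"mft-edge-01", "erp-app-02"}

# Constructed flow records: seven quiet days, then one day on which mft-edge-01 pushes
# ~22x its usual volume to a destination it has never contacted before.
FLOWS = []
for day in range(1, 8):
    FLOWS.append({"ts": f"2025-01-0{day}T02:00:00", "src": "mft-edge-01",
                  "dst": "203.0.113.10", "bytes_out": 40_000_000})
    FLOWS.append({"ts": f"2025-01-0{day}T02:00:00", "src": "erp-app-02",
                  "dst": "203.0.113.20", "bytes_out": 5_000_000})
FLOWS.append({"ts": "2025-01-08T02:00:00", "src": "mft-edge-01",
              "dst": "198.51.100.77", "bytes_out": 900_000_000})
FLOWS.append({"ts": "2025-01-08T02:00:00", "src": "erp-app-02",
              "dst": "203.0.113.20", "bytes_out": 6_000_000})


def daily_egress(flows):
    """Sum bytes_out per (host, day) and collect the destinations seen per (host, day)."""
    totals = defaultdict(int)
    dests = defaultdict(set)
    for f in flows:
        day = datetime.fromisoformat(f["ts"]).date()
        totals[(f["src"], day)] += f["bytes_out"]
        dests[(f["src"], day)].add(f["dst"])
    return totals, dests


def find_bulk_egress(flows, review_day, hosts=EXPOSED_HOSTS, ratio=5.0, min_bytes=100_000_000):
    """Return one alert per inventoried host whose egress on review_day (ISO date string)
    is at least `ratio` times its median daily egress over earlier days, or that contacted
    a destination never seen in the baseline. `min_bytes` suppresses ratio alerts on hosts
    whose absolute volume is too small to represent a meaningful data theft.
    Thresholds are illustrative assumptions; tune them to the environment's baseline."""
    review = date.fromisoformat(review_day)
    totals, dests = daily_egress(flows)
    alerts = []
    for host in sorted(hosts):
        history = [v for (h, d), v in totals.items() if h == host and d < review]
        seen = set().union(*(s for (h, d), s in dests.items() if h == host and d < review))
        today = totals.get((host, review), 0)
        new_dests = dests.get((host, review), set()) - seen
        baseline = median(history) if history else 0
        reasons = []
        if baseline and today >= ratio * baseline and today >= min_bytes:
            reasons.append(f"volume {today / baseline:.1f}x baseline "
                           f"({today} bytes vs median {int(baseline)})")
        if new_dests:
            reasons.append("new destination(s): " + ", ".join(sorted(new_dests)))
        if reasons:
            alerts.append({"host": host, "day": review_day, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_egress(FLOWS, "2025-01-08"):
        print(alert["host"], alert["day"], "; ".join(alert["reasons"]))
```

Run against the constructed data, only mft-edge-01 is flagged, for both reasons; erp-app-02 rises by 20% to a known destination and stays quiet. The two signals are deliberately independent: a web shell on an MFT appliance staging data to a fresh upload endpoint can trip the new-destination rule before the volume rule does, while a slow drain to an already-trusted CDN will only show up in the volume ratio over a longer review window.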

Sources

🗂️ Attacks & victims

All disclosed victims attributed to this actor, newest first.

No attacks recorded yet.
