RansomwareEDP  /  Threat Actor Library
Developed by Reno  •  Analytical profiles compiled from open-source intelligence
Threat Actor Profile — Last updated May 2026
Cl0p
Data Extortion  •  Mass MFT Exploitation  •  TA505 / FIN11 Ecosystem
Critical Threat  •  Fully Operational RaaS
First Observed
Feb 2019
87+ months active
Major MFT Campaigns
5
Accellion, GoAnywhere, MOVEit, Cleo, Oracle EBS
Estimated Revenue
$500M+
All campaigns; partial visibility
MOVEit Campaign (est.)
$75-100M
2023 peak; single campaign
2023 DLS Victims
384
Confirmed breach count
LE Disruptions
Partial
2021 Ukraine arrests; activity resumed
Lineage
TA505
CryptoMix descendant
01

Executive Summary & Group Overview

Cl0p is a Russian-speaking, financially motivated ransomware and data extortion operation that has operated since February 2019 within the TA505/FIN11 crimeware ecosystem. The group is most distinguished by its repeated, large-scale exploitation of zero-day vulnerabilities in managed file transfer (MFT) products, enabling simultaneous compromise of hundreds of organizations per campaign. By 2023, Cl0p had largely abandoned traditional ransomware encryption in favor of pure data theft and extortion, making it a principal driver of the industry-wide shift toward encryption-less supply chain attacks.

Five confirmed mass MFT campaigns (Accellion FTA 2020-2021, GoAnywhere MFT 2023, MOVEit Transfer 2023, Cleo 2024-2025, Oracle E-Business Suite 2025) have collectively resulted in an estimated $500M+ in extortion revenue and the compromise of tens of thousands of organizations. The group maintains a Tor-hosted leak site branded "CL0P^_-LEAKS" and has demonstrated consistent operational resilience following law enforcement actions. As of May 2026, Cl0p remains fully operational and continues to pursue new MFT and enterprise software zero-days.

| Attribute | Detail |
|---|---|
| Primary aliases | TA505 (Proofpoint/CISA); Lace Tempest (Microsoft); Graceful Spider (CrowdStrike); FIN11 (Mandiant/GTIG); GOLD TAHOE (Secureworks CTU) |
| Naming origin | "Cl0p" from Russian word klop (клоп): bed bug, a blood-feeding parasite that operates at night (CONFIRMED via Cyberint/Cybereason reporting) |
| Lineage | CryptoMix ransomware evolution; operates within TA505/FIN11 crimeware ecosystem since at least 2019 |
| Operational model | RaaS with data extortion; encryption-less exfiltration-only model since ~2023 |
| Extortion mechanic | Data theft followed by DLS publication threat; multi-extortion in earlier campaigns |
| Assessed jurisdiction | Russia / CIS region (CREDIBLE; multiple vendor assessments, CIS exclusion behavior) |
| LE disruption status | Partial (Nov 2021 Ukraine arrests); core leadership and operations intact as of May 2026 |
| Decryptor availability | Linux/ELF variant: free decryptor available (SentinelOne, Feb 2023). Windows variants: no public universal decryptor. |
Data Leak Site & Branding
02

Lineage & Organizational Heritage

Origins: CryptoMix Evolution
Confirmed

Cl0p first appeared in February 2019 as an evolution of the CryptoMix ransomware family. Early binary analysis confirmed code reuse and cryptographic implementation similarities between the two strains, indicating direct lineage rather than independent development. CryptoMix itself was a well-established ransomware-as-a-service operation prior to Cl0p's emergence. The CryptoMix-to-Cl0p transition represents iterative malware development within the same criminal infrastructure rather than a distinct group spin-up.

TA505 / FIN11 Heritage
Credible: Multiple independent vendor and government sources converge

The predominant analytical consensus treats Cl0p as a ransomware brand and tool operated primarily by the TA505/FIN11 crimeware ecosystem. TA505, tracked by Proofpoint since at least 2014-2015, is a large-scale phishing and malware distribution operation historically associated with Dridex, FlawedAmmyy RAT, and the Get2/SDBbot loader chain. FIN11, the Mandiant designation for the overlapping financial crime cluster, has been formally linked to all major Cl0p campaigns from Accellion through Oracle EBS.

Government advisories (CISA/FBI #StopRansomware AA23-158A, Canadian Centre for Cyber Security TA505/Cl0p profile) explicitly designate TA505 as the operator of Cl0p ransomware. The convergence of phishing infrastructure, malware loader chain, and data extortion branding under a single attribution is well-supported. Confidence is medium-to-high based on infrastructure, TTP, and financial flow overlap; definitional distinctions between TA505 and FIN11 at the organizational level remain a modeling choice rather than a factual disagreement between vendors.

Evidentiary Pillars
Pillar 1 — Confirmed
Code Lineage and Shared Tooling
Binary analysis confirms Cl0p evolved from CryptoMix with shared cryptographic structures. TA505 tooling (Get2 loader, SDBbot/SDBOT, FlawedAmmyy RAT, Cobalt Strike) appears across all Cl0p intrusion campaigns. Shared loader infrastructure is the strongest single evidentiary pillar for ecosystem attribution. [1][11][13]
Pillar 2 — Confirmed
Formal Government Attribution
CISA/FBI (AA23-158A), the US DoJ, and the Canadian Centre for Cyber Security have each published formal attributions linking Cl0p ransomware campaigns to TA505. Government advisories represent multi-agency intelligence synthesis and carry the highest corroboration weight available in open-source material. [4][5][2]
Pillar 3 — Confirmed (Mandiant attribution)
FIN11 / UNC Cluster Linkage
Mandiant/Google GTIG formally attributed Accellion FTA exploitation to UNC2546 (now associated with FIN11). The 2024 Cleo campaign was attributed to FIN11 cluster UNC5936. The 2025 Oracle EBS campaign used GOLDVEIN.JAVA, a Java-based loader consistent with UNC5936/FIN11 tooling. Mandiant has not formally merged these UNC clusters into a single named group as of mid-2026. [SentinelOne][GTIG]
Pillar 4 — Credible
Operational Pattern and CIS Safe-Harbor
Cl0p samples include locale-based exclusions for Russian and CIS language environments. Operator communications occur in Russian on closed forums. Campaigns have never targeted organizations in Russia or allied CIS states. This pattern aligns with the well-documented Russian cybercrime safe-harbor model: tolerated domestically so long as only foreign targets are pursued. [7][1][3]
Vendor Designation Disambiguation

Multiple vendor tracking names appear in reporting on Cl0p, with important distinctions between parent-cluster designations and Cl0p-specific aliases:

| Vendor / Body | Designation | Scope | Notes |
|---|---|---|---|
| Proofpoint | TA505 | Parent cluster (Dridex, Cl0p, FlawedAmmyy ecosystem) | Proofpoint's original designation; broadly adopted by government bodies |
| Mandiant / Google GTIG | FIN11 | Financially motivated cluster overlapping TA505; Cl0p campaigns formally attributed | Also tracks sub-clusters UNC2546 (Accellion), UNC5936 (Cleo/Oracle EBS) |
| Microsoft | Lace Tempest | Cl0p-specific; "Tempest" = financially motivated in Microsoft taxonomy | Previously DEV-0950; Lace Tempest is the current stable alias for Cl0p operators |
| CrowdStrike | Graceful Spider | Cl0p-specific adversary profile | Attributed MOVEit and Oracle EBS campaigns with moderate confidence [SecurityAffairs, 2025] |
| Secureworks CTU | GOLD TAHOE | Primary Cl0p operator cluster | Also references GOLD NIAGARA as a secondary cluster also deploying the Cl0p payload |
| Sophos | Cites GOLD TAHOE / GOLD NIAGARA | Uses Secureworks CTU designations in published reporting | Sophos reporting confirmed GOLD NIAGARA as a distinct cluster deploying Cl0p (single-vendor at time of writing) |
| CISA / FBI | "CL0P Ransomware Gang" / TA505 | Operational brand + parent cluster | MOVEit advisory AA23-158A is the definitive US government attribution document |
| Canadian CCCS | TA505 / Cl0p profile | Parent cluster designation consistent with CISA framing | Published dedicated TA505/Cl0p profile with TTP detail |
Disambiguation rule: TA505 and FIN11 describe the broader criminal ecosystem from which Cl0p originates. The operationally specific aliases for the Cl0p actor are Lace Tempest (Microsoft), Graceful Spider (CrowdStrike), GOLD TAHOE (Secureworks), and FIN11/UNC5936 (Mandiant). Do not substitute parent-cluster names for group-specific designations in attribution statements.
GOLD NIAGARA: Secondary Cluster Assessment
Credible (single-vendor; requires cross-vendor corroboration)

Sophos incident response data identified a second threat cluster, designated GOLD NIAGARA by Secureworks CTU, that deployed the Cl0p ransomware payload with TTPs and infrastructure patterns distinct from the primary GOLD TAHOE operator. This is consistent with a shared-tool or affiliate model in which the Cl0p binary is licensed or shared across multiple clusters. GOLD NIAGARA has not been independently confirmed by Mandiant, CrowdStrike, or Microsoft as of the time of this profile. Treat as credible but unverified at the cross-vendor level.

03

Operational Model

RaaS Structure and Affiliate Management

Cl0p operates as a Ransomware-as-a-Service enterprise with a core operator team responsible for malware development, zero-day research, and leak site infrastructure, and a separate affiliate layer that conducts network intrusions and manages victim negotiations. The core team draws on TA505's established phishing and loader distribution apparatus, enabling rapid scale-up across parallel victim sets in supply chain campaigns.

The affiliate revenue split is not reliably documented in open sources for Cl0p specifically. General RaaS benchmarks suggest 60/40 to 80/20 splits (affiliate/operator); any specific percentage seen in single-vendor blogs should be treated as low-confidence. Secureworks and Sophos confirm that at least two distinct clusters (GOLD TAHOE, GOLD NIAGARA) have independently deployed the Cl0p payload, consistent with a shared-tooling or sub-licensing model alongside an affiliate tier.

CREDIBLE: Affiliate model is structurally confirmed by multi-cluster deployment evidence and TA505's well-documented external recruitment via Russian-language cybercrime forums, emphasizing experience with network intrusions and access to large corporate environments.
Extortion Model Evolution

Cl0p's extortion approach has evolved materially across its operational lifetime:

  • 2019-2021 (Traditional double extortion): Network intrusion via phishing or compromised access, lateral movement, data exfiltration, ransomware deployment. Victims threatened with both non-recovery of encrypted files and DLS publication.
  • 2021-2022 (MFT pivot begins): Accellion FTA zero-days exploited for bulk data theft. Encryption step increasingly deprioritized in favor of speed and scale.
  • 2023-present (Encryption-less model): GoAnywhere, MOVEit, Cleo, and Oracle EBS campaigns conducted as pure exfiltration-and-extortion operations. No ransomware payload deployed. Cl0p publicly acknowledged this shift, framing it as a strategic choice to minimize operational footprint and reduce time-to-exfiltration.
Structural implication: Cl0p's encryption-less model breaks the assumption that ransomware groups require decryption leverage. Victims cannot recover through backups alone; the threat is purely reputational and regulatory from exposure of exfiltrated data. This model is faster, harder to attribute in real-time, and generates equivalent extortion leverage.
Negotiation and Communication Behavior

Victims receive ransom notes directing them to Tor-based contact portals or specific email addresses hosted on privacy-focused providers (ProtonMail, Tutanota). Unlike some RaaS operators, Cl0p historically has not published exact ransom amounts in notes, instead requiring victims to initiate contact before a demand is stated. This approach enables demand calibration based on victim size and industry.

Documented negotiation patterns include: staged data publication as leverage escalation; willingness to negotiate significantly downward from initial demands in exchange for prompt engagement; direct contact with known customers, partners, or shareholders of victimized organizations in select high-profile cases to amplify pressure; and adoption of torrents for data distribution beginning August 2023 to complicate takedown efforts against clearweb infrastructure.

Initial demands in high-impact supply chain incidents have been reported as very high (tens of millions USD) with material room for negotiation. Exact discount ranges are case-specific and rarely disclosed publicly; open-source visibility into specific negotiated outcomes is limited.

Data Publication Infrastructure

The "CL0P^_-LEAKS" site has been the group's primary extortion platform since approximately early 2020. Publication strategy is tiered: victim names appear first (often with partial redaction in the initial post), followed by data sample screenshots, followed by full data releases at escalating intervals. In August 2023, Cl0p added BitTorrent distribution of MOVEit-stolen data, making the data effectively uncensorable. This was a direct response to law enforcement and hosting provider pressure on their clearweb mirror sites established during the MOVEit campaign.

04

Technical Capabilities

Initial Access Vectors: MFT Zero-Day Campaign History

Cl0p's defining technical capability is the identification and weaponization of zero-day vulnerabilities in enterprise Managed File Transfer (MFT) products. Five confirmed campaigns spanning 2020-2025 follow an identical operational template: exploit MFT zero-day for unauthenticated remote access, deploy lightweight data theft tooling, exfiltrate high-value data, delete operational traces, and initiate extortion cycle. No encryption payload is deployed in post-2022 campaigns.

| Campaign | Product | CVE(s) | CVSS | Approx. Victims | Period |
|---|---|---|---|---|---|
| Accellion FTA | Accellion File Transfer Appliance (legacy) | CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104 | 9.8 / 9.8 / 9.8 / 9.8 | ~100-300 orgs | Dec 2020 – Feb 2021 |
| GoAnywhere MFT | Fortra (formerly HelpSystems) GoAnywhere MFT | CVE-2023-0669 | 7.2 (NVD) | ~129 orgs | Jan – Mar 2023 |
| MOVEit Transfer | Progress MOVEit Transfer | CVE-2023-34362 | 9.8 (Critical) | 2,000+ downstream; 384 confirmed DLS | May – Jul 2023 |
| Cleo MFT | Cleo Harmony / VLTrader / LexiCom | CVE-2024-50623, CVE-2024-55956 | Critical | 66+ named; total unknown (4,000+ Cleo customers at risk) | Nov 2024 – Feb 2025 |
| Oracle EBS | Oracle E-Business Suite (Concurrent Processing) | CVE-2025-61882 | 9.8 (Critical) | Dozens confirmed; campaign ongoing at time of profile | Jul – Oct 2025 |
CVE-2023-0669 (GoAnywhere) note: NVD CVSS score is 7.2. Some vendor reporting uses higher scores based on the effective exploitability in production environments. The lower NVD score reflects the requirement for administrative interface access in the base condition; however, the vulnerability was pre-authentication exploitable in many observed deployments.
LEMURLOOT Web Shell (MOVEit Campaign)
Confirmed: CISA AA23-158A, multiple vendors

In the MOVEit campaign, Cl0p/TA505 deployed the LEMURLOOT web shell after exploiting CVE-2023-34362. LEMURLOOT is a custom ASP.NET web shell specifically engineered for the MOVEit Transfer application. Its capabilities include: extracting Azure system settings and associated keys/tokens from the MOVEit configuration database; exporting database contents including stored files and user metadata; creating unauthorized administrative accounts; and maintaining persistent access post-initial exploitation. LEMURLOOT was designed for MOVEit specifically and represents purpose-built tooling rather than commodity malware, indicating substantial pre-campaign development investment. [5][4]
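A purpose-built web shell dropped into an application's web root is, from the defender's side, a file that was not there at the last known-good point. The following is an added example (not CISA's, Progress's or any vendor's tooling) of the integrity-baseline check that surfaces such a file: hash the executable content of a web root once, then diff a later snapshot against it. The watched suffixes, file names, directory layout and contents are all constructed for illustration; nothing here reproduces the real application's layout.

```python
"""Integrity baseline for an ASP.NET web application directory (added example)."""
import hashlib
import os
import tempfile

# Server-side executable content worth watching in an ASP.NET web root.
# Assumption: extend this to whatever the real application actually ships.
WATCHED_SUFFIXES = (".aspx", ".ashx", ".asmx", ".dll", ".config")


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Relative path -> sha256 for every watched file under root."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(WATCHED_SUFFIXES):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Files that appeared, changed or vanished since the baseline."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Build a constructed web root, baseline it, then apply the two changes a
    defender cares about (a new handler and an altered existing page) plus one
    change to an unwatched file, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel: str, data: str) -> None:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(data)

        # Constructed known-good state.
        write("default.aspx", "<%@ Page %> known-good page")
        write("bin/app.dll", "constructed binary placeholder")
        write("web.config", "<configuration/>")
        write("images/logo.png", "not a watched type")
        baseline = snapshot(root)

        # Constructed post-incident state.
        write("upload_handler.aspx", "<%@ Page %> file absent at baseline")  # hypothetical name
        write("default.aspx", "<%@ Page %> known-good page, now altered")
        write("images/logo.png", "changed, but not watched")
        return diff_manifests(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The baseline manifest should be taken from a clean install or a vendor-verified build and stored off the host; a snapshot taken after compromise only baselines the intruder's files.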

GOLDVEIN Malware (Cleo and Oracle EBS Campaigns)
Credible: Mandiant/Google GTIG attribution, 2025

The 2024-2025 Cleo campaign and the 2025 Oracle EBS campaign both involved a Java-based in-memory loader designated GOLDVEIN.JAVA (Mandiant naming). This tool fetches and executes a second-stage payload without writing to disk, complicating forensic recovery. In the Oracle EBS campaign, GOLDVEIN.JAVA was launched from within the Oracle Concurrent Processing Java process, suggesting the tool is adapted per target application. The use of the same loader family across both Cleo and Oracle EBS campaigns is the primary technical link supporting Mandiant's attribution of both to FIN11 cluster UNC5936. [Google Cloud Blog, Mandiant, 2025]

Persistence, Lateral Movement, and Post-Exploitation Tooling

In traditional intrusion-based campaigns (pre-2022), Cl0p-aligned operators employed the following post-exploitation toolkit:

  • Get2 loader: Initial-stage loader delivered via phishing; fetches SDBOT/SDBbot and additional tools
  • SDBbot (SDBOT): Remote access trojan used for persistent access, credential harvesting, and lateral movement preparation
  • FlawedAmmyy RAT: Remote access tool based on leaked Ammyy Admin source code; used for interactive control of compromised systems
  • Cobalt Strike Beacon: Commercial post-exploitation framework widely abused by ransomware actors; used for C2 and lateral movement
  • Native Windows utilities: PsExec (remote execution), net.exe (service manipulation), taskkill.exe (process termination), vssadmin.exe (shadow copy deletion), wmic.exe (WMI-based execution)

In MFT zero-day campaigns, the toolset is dramatically simplified. Cl0p deploys a purpose-built web shell or in-memory loader directly against the target application, exfiltrates targeted data, and withdraws with minimal lateral movement. This lean profile makes traditional lateral movement indicators less reliable as detection tripwires in MFT campaigns.
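The native-utility tripwires from the list above are cheap to encode as process-creation rules, and running the same rules over an MFT-campaign host shows why they are unreliable there. The following is an added example, not code from the profile or any vendor product: the event format is a constructed, Sysmon-like process-creation record (an assumption about the telemetry source), and every host name and command line in the two sample sets is constructed.

```python
"""Host-tier tripwires for the post-exploitation utilities named above (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    command_line: str


# (rule name, executable basename, regex over the argument string).
# Each pattern mirrors a utility role named in the profile: shadow copy deletion
# or resizing, WMI-based execution, remote execution, service manipulation and
# forced process termination.
RULES = [
    ("shadow_copy_delete", "vssadmin.exe", re.compile(r"\bdelete\s+shadows\b", re.I)),
    ("shadow_storage_resize", "vssadmin.exe", re.compile(r"\bresize\s+shadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete", "wmic.exe", re.compile(r"\bshadowcopy\s+delete\b", re.I)),
    ("psexec_remote_exec", "psexec.exe", re.compile(r"\\\\\S+")),  # \\target ...
    ("service_stop", "net.exe", re.compile(r"^\s*stop\s+\S+", re.I)),
    ("forced_process_kill", "taskkill.exe", re.compile(r"(?:^|\s)/f(?=\s|$).*\s/im\s", re.I)),
]


def image_basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def arguments(command_line: str) -> str:
    """Drop the program token (quoted or bare) and return the rest."""
    s = command_line.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1] if len(parts) > 1 else ""


def evaluate(events) -> list:
    """Return one Finding per (event, rule) match."""
    findings = []
    for ev in events:
        exe = image_basename(ev["image"])
        args = arguments(ev["command_line"])
        for name, target, pattern in RULES:
            if exe == target and pattern.search(args):
                findings.append(Finding(ev["host"], name, ev["command_line"]))
    return findings


# Constructed sample: a pre-2022-style intrusion host.
TRADITIONAL_INTRUSION = [
    {"host": "WS07", "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS07", "image": r"C:\Windows\System32\wbem\wmic.exe",
     "command_line": "wmic.exe shadowcopy delete"},
    {"host": "WS07", "image": r"C:\Windows\System32\net.exe",
     "command_line": "net.exe stop MSSQLSERVER /y"},
    {"host": "WS07", "image": r"C:\Windows\System32\taskkill.exe",
     "command_line": "taskkill.exe /f /im sqlservr.exe"},
    {"host": "ADMIN01", "image": r"C:\Tools\PsExec.exe",
     "command_line": r"PsExec.exe \\FILESRV01 -s cmd.exe"},
    {"host": "WS07", "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe list shadows"},  # benign enumeration: no rule fires
]

# Constructed sample: an MFT appliance during an exfiltration-only campaign.
# Only the web worker process is active; none of the host tripwires fire,
# which is the profile's point about these indicators in MFT campaigns.
MFT_CAMPAIGN = [
    {"host": "MFT01", "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "command_line": 'w3wp.exe -ap "AppPool1"'},
]


if __name__ == "__main__":
    for f in evaluate(TRADITIONAL_INTRUSION):
        print(f)
    print("MFT-campaign findings:", evaluate(MFT_CAMPAIGN))
```

Coverage of the MFT case therefore has to come from the application tier (web-root integrity, outbound transfer volume from the appliance) rather than from host process telemetry.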

Encryption Implementation

When deploying traditional ransomware (pre-2023 campaigns), Cl0p uses AES-256 for file content encryption with RSA key wrapping. Victim-specific binaries embed a unique 1024-bit RSA public key. The encryption process reads each target file into memory, encrypts it with AES via the Windows CryptoAPI, writes the encrypted data to a new file, and deletes the original. Encrypted files receive a .Clop, .Cl0p, or .Cllp extension. Shadow copies are deleted or resized via vssadmin.exe to prevent recovery.

Platform Variants and CIS Exclusion Behavior
| Variant | Target | Encryption | CIS Exclusion | Decryptor Available |
|---|---|---|---|---|
| Windows PE | Windows endpoints and servers | AES-256 + RSA-1024 key wrap | Yes: locale/keyboard check; halts on Russian/CIS systems | No universal decryptor. Victim-specific keys required. |
| Linux ELF | Linux servers (first observed Dec 2022) | Flawed RC4 implementation: RC4 key encrypted with hardcoded RC4 master key instead of RSA | Behavior varies by build | Yes: SentinelOne released free decryptor Feb 2023 based on RC4 logic flaw [SentinelOne Labs] |
| ESXi | VMware ESXi hypervisors | Reported flaws in some variants | Partial | Partial: SOCRadar reported decryptors for specific variants; no universal tool |
CONFIRMED: SentinelOne Labs released a free decryptor for the Cl0p Linux ELF variant on February 7, 2023. The flaw: the RC4 encryption key was encrypted with a hardcoded RC4 master key rather than the RSA scheme used in the Windows variant. This allowed researchers to derive encryption keys without the private RSA key. The Windows variant has no equivalent flaw and no public universal decryptor exists.
05

Financial Infrastructure

Payment Model

Cl0p demands payment primarily in Bitcoin. Some reporting indicates occasional use of Monero or other privacy coins in specific negotiations, but Bitcoin remains the dominant and most documented payment mechanism across all five confirmed campaigns. Victim-specific payment wallets are used rather than a shared address, complicating aggregate tracking.

Ransom demand calibration is victim-specific: rather than publishing a fixed price, the group requires victims to make contact, after which demand amounts are established based on apparent victim size, sector, and data sensitivity. Documented high-profile demands have been in the tens of millions USD range; many smaller victims receive lower initial demands. Negotiations proceed on Tor-based portals or via encrypted email.

On-Chain Laundering Architecture
Credible: Chainalysis ransomware reports 2024-2025; TRM Labs; partial on-chain visibility
1. Collection (Victim Payment Wallets)
Victims pay to victim-specific Bitcoin addresses. Wallets are rotated per victim to complicate aggregate attribution. Payment addresses are typically generated fresh for each negotiation cycle.

2. Consolidation (Peeling Chains)
Received funds are rapidly moved through intermediary addresses in "peeling chain" patterns: sequential hops through multiple wallet addresses to break direct on-chain linkage between victim payment and destination. Blockchain analytics firms (Chainalysis, TRM Labs) have identified these patterns across multiple Cl0p campaigns.

3. Obfuscation (Mixers and OTC Brokers)
Intermediate funds are processed through cryptocurrency mixers and over-the-counter (OTC) brokers operating in permissive jurisdictions. This step severs the traceable chain between victim payment and fiat conversion. Chainalysis reporting notes increased law enforcement pressure on mixing services has constrained some cash-out options, though Cl0p has adapted by diversifying obfuscation methods.

4. Exit (Exchange-to-Fiat)
Final conversion to fiat currency occurs through high-liquidity exchanges in jurisdictions with limited AML enforcement, or through peer-to-peer OTC channels. Chainalysis's 2025 and 2026 ransomware reports identify Cl0p as one of the major ransomware beneficiaries by total on-chain extortion volume but do not publish complete wallet maps for operational security reasons.
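The consolidation step above describes a recognisable shape in the transaction graph: each hop forwards most of the value to one fresh address and peels a small amount off to the side. The following is an added example of a heuristic that follows such a chain from a payment address; it is not Chainalysis or TRM Labs methodology and uses no real Cl0p data. Every txid, address and amount is constructed, the peel fraction threshold is an assumption, and the single-spend index stands in for a real UTXO lookup.

```python
"""Peeling-chain heuristic over a constructed transaction graph (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: Tuple[str, ...]                   # addresses spent
    outputs: Tuple[Tuple[str, float], ...]    # (address, amount in BTC)


@dataclass(frozen=True)
class Hop:
    txid: str
    forwarded_to: str
    forwarded: float
    peeled: float


def build_spend_index(txs: List[Tx]) -> Dict[str, Tx]:
    """address -> the transaction that spends it (assumes each address is spent once)."""
    return {addr: tx for tx in txs for addr in tx.inputs}


def follow_peeling_chain(txs: List[Tx], start_address: str,
                         max_peel_fraction: float = 0.2, min_hops: int = 3) -> List[Hop]:
    """Walk from start_address along the largest output of each spend. A hop counts
    as a peel when the value not forwarded stays under max_peel_fraction of the
    total; the walk stops at the first non-peel. Returns the hops only when the
    chain is at least min_hops long, otherwise an empty list."""
    spends = build_spend_index(txs)
    chain: List[Hop] = []
    addr = start_address
    while addr in spends:
        tx = spends[addr]
        if len(tx.outputs) < 2:
            break                                     # nothing peeled off
        ordered = sorted(tx.outputs, key=lambda o: o[1], reverse=True)
        big_addr, big_amt = ordered[0]
        total = sum(amt for _, amt in tx.outputs)
        peeled = total - big_amt
        if total == 0 or peeled / total > max_peel_fraction:
            break                                     # a real split, not a peel
        chain.append(Hop(tx.txid, big_addr, big_amt, peeled))
        addr = big_addr
    return chain if len(chain) >= min_hops else []


def peeled_total(chain: List[Hop]) -> float:
    return sum(h.peeled for h in chain)


# Constructed sample graph: a 50 BTC payment peeled four times, then split evenly.
SAMPLE_TXS = [
    Tx("tx1", ("victim_pay_addr",), (("hop1", 48.5), ("peel1", 1.5))),
    Tx("tx2", ("hop1",), (("hop2", 47.0), ("peel2", 1.5))),
    Tx("tx3", ("hop2",), (("hop3", 45.5), ("peel3", 1.5))),
    Tx("tx4", ("hop3",), (("hop4", 44.0), ("peel4", 1.5))),
    Tx("tx5", ("hop4",), (("split_a", 22.0), ("split_b", 22.0))),   # even split ends the chain
    Tx("tx6", ("merchant_addr",), (("change", 5.0), ("payee", 5.0))),  # control: ordinary payment
]


if __name__ == "__main__":
    for hop in follow_peeling_chain(SAMPLE_TXS, "victim_pay_addr"):
        print(hop)
```

The threshold trades false positives for reach: a higher max_peel_fraction follows chains that peel larger slices per hop but also accepts ordinary change-heavy payments. Real analysis also has to handle multi-input consolidation and addresses spent more than once, which this single-spend model ignores.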
Blockchain Forensics: Published Findings
| Firm | Finding | Confidence |
|---|---|---|
| Chainalysis | Cl0p credited as one of the major ransomware beneficiaries in 2023-2025 reports. MOVEit campaign projected to yield $75-100M in extortion revenue. Total estimated revenue exceeds $500M across all campaigns. Increased LE and compliance pressure noted as constraining some cash-out efficiency. [Chainalysis 2025 Crypto Crime Report; 2026 Ransomware Report] | CREDIBLE: published in Chainalysis annual reports; methodology notes partial visibility caveat |
| TRM Labs | On-chain analysis consistent with professional laundering network access. 2025 Crypto Crime Report documents Cl0p within broader ransomware ecosystem data. No standalone Cl0p-specific wallet cluster published as of May 2026. | CREDIBLE: Published reporting; no specific Cl0p cluster disclosed |
| Elliptic | No standalone Cl0p-specific blockchain analysis confirmed in public reporting as of profile date. | No published Elliptic-specific Cl0p attribution in open sources |
OFAC Sanctions Status
Analyst Inference: no explicit OFAC "Cl0p" designation confirmed in open sources

OFAC has sanctioned numerous wallets and entities associated with major ransomware groups (e.g., Evil Corp, Conti-linked individuals). Open sources do not consistently list a fully public, named set of Cl0p-exclusive OFAC designations as of May 2026. The November 2021 Ukraine arrests (see Section 07) did not generate OFAC action against specific Cl0p leadership at the time. Any claim of specific OFAC-listed wallet addresses as "definitively Cl0p" should be treated as low-to-medium confidence unless supported by explicit OFAC documentation.

The US DoJ offered a $10 million reward for information leading to the identification or location of key Cl0p leadership following the MOVEit campaign in 2023. This reward, rather than a formal indictment or sanction, reflects the continued inability to attribute the operation to named individuals with prosecutorial-grade confidence.

06

Victim Profile & Targeting

Scale Metrics
Estimated Total Orgs Compromised
11,000+
Vendor estimates; partial visibility
Estimated Total Extortion Revenue
$500M+
All campaigns; based on Chainalysis partial visibility
MOVEit Peak Revenue (est.)
$75-100M
Single campaign; 2023
2023 DLS Confirmed Breaches
384
DLS postings; not all victims listed
Sector Targeting

Cl0p does not maintain a narrow vertical focus. Targeting is driven by two primary selection criteria: (1) use of vulnerable MFT or enterprise software products, and (2) capacity to pay a substantial ransom based on organizational size and data sensitivity. Sectors impacted across all confirmed campaigns include:

  • Finance and banking (including insurance, credit unions)
  • Healthcare and pharmaceutical (hospitals, health systems, pharma R&D)
  • Education (universities, school districts, research institutions)
  • Government agencies and municipalities (state, local, federal)
  • Manufacturing, retail, and consumer goods
  • Energy and utilities
  • Technology and professional services (law firms, consultancies, IT managed services)
  • Transportation and logistics

Healthcare and education institutions have been disproportionately represented in the MOVEit and Accellion campaigns because those sectors have high MFT product adoption and often less mature patch management processes relative to their large data holdings.

Geographic Distribution

Victims span North America (US dominant), Europe (UK, Germany, France, Netherlands prominent), Asia-Pacific, and Latin America. Notable concentrations in US, UK, Canada, and Western Europe reflect both the geographic distribution of MFT product customers and the higher payment capacity of organizations in those jurisdictions.

No confirmed victims in Russia or CIS member states. Cl0p maintains documented locale exclusions in its Windows malware preventing execution on Russian and select CIS-configured systems. This is consistent across all confirmed campaign periods.

Notable Victims by Campaign
| Campaign | Selected Victims | Data Type Exposed |
|---|---|---|
| Accellion FTA (2020-21) | Reserve Bank of New Zealand, Kroger, Qualys, Shell, University of Colorado, University of California, Stanford Medicine, multiple law firms | Customer records, financial data, legal documents, PII |
| GoAnywhere MFT (2023) | Community Health Systems, Hatch Bank, Procter & Gamble, City of Toronto, Rubrik, Hitachi | PHI, financial records, HR data, corporate documents |
| MOVEit Transfer (2023) | BBC, British Airways, Shell, Ernst & Young, NYC Department of Education, Norton LifeLock, UCLA, Siemens Energy, Delta Dental, Michigan State University, Massachusetts teachers' pension fund (3.5M individuals) | PII, payroll, student records, employee benefits data, financial records |
| Cleo MFT (2024-25) | Blue Yonder (major supply chain software provider; affected 14+ Tier-1 retailers); 66+ additional companies named on DLS | Supply chain operational data, logistics records, vendor/customer PII |
| Oracle EBS (2025) | Dozens of enterprise organizations using Oracle Concurrent Processing; specific names withheld pending ongoing campaign assessment | ERP/financial data, HR records, operations data |
Stated Targeting Policy vs. Operational Reality
Credible (stated exclusions); Confirmed (violations in practice)

Cl0p has publicly claimed (via DLS announcements and negotiation communications) to exclude from targeting: military organizations, children's hospitals, and certain government bodies. The group has also claimed willingness to delete data belonging to these categories if inadvertently obtained. In operational reality, these claims are inconsistent and unreliable: healthcare institutions (including entities serving pediatric populations) and government agencies have appeared regularly on the DLS across all five campaigns. The exclusion claims function as reputational management rather than systematic policy.

07

Law Enforcement & Regulatory Response

November 2021: Ukraine Arrests
Credible: Multiple international reporting agencies; suspect identities not fully disclosed

In November 2021, Ukrainian National Police, working in coordination with Interpol, US law enforcement, and South Korean authorities, arrested six individuals alleged to have participated in Cl0p ransomware attacks against South Korean companies and US academic institutions. Physical assets seized included cash, vehicles, and computer equipment. The operation was publicly framed as a significant blow to the Cl0p infrastructure.

Operational impact was minimal and short-lived. Cl0p's DLS activity rebounded within weeks of the arrests. Sophos incident response data confirmed continued campaign activity post-November 2021, indicating the arrests targeted lower-tier operators (affiliates, money mules, infrastructure managers) rather than core development and leadership. No public record of convictions or prosecutorial outcomes for the six arrested individuals has appeared in English-language open sources as of May 2026.

US $10 Million Reward Offer (2023)

Following the MOVEit campaign, the US Department of State's Rewards for Justice program offered a $10 million reward for information leading to the identification or location of individuals operating as key Cl0p leadership. This offer is legally and analytically distinct from an indictment or sanction: it reflects the inability to attach prosecutorial-grade attribution to specific named individuals despite substantial intelligence-community knowledge of the operation. The reward remains active as of May 2026.

CISA and Multi-Agency Advisories
| Advisory | Date | Scope |
|---|---|---|
| AA23-158A: #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability | June 2023 | Definitive US government attribution of MOVEit campaign to Cl0p/TA505; TTPs, IOCs, mitigations |
| Canadian CCCS Profile: TA505/Cl0p | 2022 (updated) | Full TTP and attribution profile; formal government-level attribution of Cl0p operations to TA505 |
| CISA Accellion FTA Advisory | March 2021 | Joint US/Australian/UK/New Zealand advisory on Accellion FTA exploitation; TTPs attributed to TA505-linked actors |
| FBI Flash: Cl0p Ransomware Indicators | Multiple 2021-2023 | IOC releases and victim notification campaigns following each major campaign cycle |
Regulatory Downstream Impact

The Cl0p MOVEit campaign in particular has generated substantial regulatory and supervisory downstream activity, particularly in the healthcare and financial sectors. HHS/OCR opened multiple investigations against healthcare organizations that used MOVEit and experienced breaches. SEC disclosure requirements were invoked for publicly traded companies that reported material MOVEit-related incidents. The campaign has become a case study in third-party and supply chain risk management in virtually every sector's cybersecurity regulatory guidance updated since 2023. No "Cl0p-specific" regulations have been enacted; impact has been absorbed into broader supply chain risk and vendor oversight frameworks.

No Additional Disruptions Post-2021
Confirmed: No indictments, domain seizures, infrastructure takedowns, or OFAC designations specifically targeting Cl0p have been publicly announced since the November 2021 Ukraine arrests as of May 2026.

This operational continuity through the major campaign cycles that followed the 2021 arrests (GoAnywhere, MOVEit, Cleo, Oracle EBS) confirms that the arrested individuals were not core to Cl0p's operational capability. The group's leadership, technical infrastructure, and zero-day research capacity remain intact.

08

Attribution & State Nexus

Jurisdiction Assessment
Credible: Multiple independent vendor assessments; government advisories consistent

Cl0p is assessed with high confidence as operating from within Russia or a Russian-aligned CIS jurisdiction, based on: consistent Russian-language operator communications; absence of any confirmed victims in Russia or CIS member states across 87+ months of operation; explicit locale-based CIS exclusions coded into malware; laundering infrastructure consistent with access to Russian-aligned OTC networks; and operator recruitment via Russian-language cybercrime forums.

The Canadian CCCS assessment describes TA505 (the parent cluster) as "almost certainly a financially motivated, Russian-speaking, RaaS cybercrime group very likely based in a CIS country." This language represents the outer boundary of government-level attribution confidence for an unindicted group. No US government document has attributed Cl0p to specific Russian Federation territory with the same specificity available for, e.g., state-sponsored APT groups operating under FSB or GRU mandate.

Russian Intelligence Service (RIS) Relationship Assessment
Analyst Inference: No confirmed direct RIS nexus in open sources

Cl0p is assessed as a financially motivated criminal organization operating within a Russian safe-harbor environment. Evidence for direct FSB, SVR, or GRU tasking or coordination is not present in public reporting. Key indicators that would support a state nexus assessment are absent:

  • No documented targeting of geopolitically strategic entities consistent with Russian state intelligence priorities (NATO infrastructure, Ukrainian government, Western defense contractors in a non-financial context)
  • No evidence of data sharing between Cl0p operators and Russian state intelligence services
  • No publicly disclosed government assessment from Five Eyes partners indicating state direction of Cl0p operations

The CIS exclusion behavior is consistent with the Russian government's informal "do not target the near-abroad" norm applied to tolerated cybercriminals, rather than with active state direction. This tolerance model confers a functional safe harbor without constituting a command relationship.

Analytical caution: Claims that Cl0p is "state-sponsored" should be treated as low-confidence unless citing specific, documented joint operations or direction. No mainstream threat intelligence publication or government advisory as of May 2026 has made this claim.

Named Individuals

No Cl0p core operator or leadership figure has been publicly identified by name with prosecutorial-grade confidence in open sources. The six individuals arrested in Ukraine in November 2021 were described in public reporting as participants in the Cl0p "racket," but their specific roles, identities, and case outcomes have not been consistently documented in English-language open sources. No sealed or public US federal indictments naming Cl0p leadership have been identified as of May 2026. This absence of named individuals distinguishes Cl0p from comparably impactful groups such as LockBit, Evil Corp, and Conti, where at minimum some leadership-level attribution has been achieved.

09

Trajectory Assessment

Operational Resilience Signals

Cl0p has demonstrated exceptional resilience across all observed disruption events. The November 2021 Ukraine arrests produced no measurable operational degradation beyond a brief pause in DLS activity. The group subsequently executed three additional major supply chain campaigns of equal or greater scale (GoAnywhere, MOVEit, Cleo), each representing expanded technical capability and victim volume relative to the prior cycle. This pattern confirms that the 2021 arrests removed peripheral personnel while leaving the zero-day research and development function, financial management, and core operational leadership intact.

Operational Evolution: Key Trajectory Indicators
| Phase | Period | Dominant TTP | Distinguishing Feature |
|---|---|---|---|
| Phase 1: Traditional RaaS | 2019-2020 | Phishing-to-loader-to-ransomware | Standard double extortion; CryptoMix-derived payload |
| Phase 2: MFT Pivot (Encryption) | 2020-2022 | MFT zero-day + bulk exfiltration + encryption | Accellion FTA; 4 CVEs; encryption still deployed on some targets |
| Phase 3: Encryption-Less Extortion | 2023 | MFT zero-day + bulk exfiltration only | GoAnywhere and MOVEit campaigns; highest victim volume and revenue to date |
| Phase 4: Distributed Infrastructure | 2023 (Aug onward) | Exfiltration + torrent-based data distribution | BitTorrent used for MOVEit data to evade takedowns; clearweb mirrors supplemented by P2P |
| Phase 5: Diversified Target Portfolio | 2024-2025 | MFT (Cleo) + ERP zero-day (Oracle EBS) | Expansion beyond pure MFT products; GOLDVEIN malware indicates new tooling investment |

Rebranding and Rebrand Signals

Unlike Conti (which dissolved publicly in May 2022), REvil (multiple shutdowns with eventual rebrand attempts), or LockBit (partially disrupted in 2024), Cl0p has shown no documented indication of brand shutdown or rebrand intent as of May 2026. Internal leaks comparable to the Conti chat dumps have not appeared for Cl0p. The group has operated continuously under the same brand, DLS, and operational identity for 87 months, making it one of the longest-running continuous ransomware brands in the threat landscape.

The existence of GOLD NIAGARA as a separate cluster using the Cl0p payload (Sophos/Secureworks CTU) does not indicate internal fragmentation; it is consistent with the affiliate model. The Cl0p brand itself shows no sign of the internal tensions or leadership conflict that preceded Conti's dissolution.

Connected Group Cluster
| Group / Cluster | Relationship | Anchor Confidence | Extension Confidence | Vendor Coverage |
|---|---|---|---|---|
| TA505 | Parent crimeware ecosystem; Cl0p is a product within the TA505 operational portfolio | CONFIRMED | N/A (anchor claim) | Proofpoint, CISA/FBI, Canadian CCCS, Malpedia; broad multi-vendor consensus |
| FIN11 / UNC5936 | Mandiant overlapping cluster; formally attributed all major Cl0p campaigns via UNC designations | CONFIRMED (campaign attribution) | CREDIBLE (organizational equivalence with TA505) | Mandiant/Google GTIG: published campaign attributions; TA505/FIN11 equivalence is an industry-level analytical consensus |
| GOLD NIAGARA | Secondary cluster also deploying Cl0p payload; distinct TTPs from GOLD TAHOE | CREDIBLE | LOW-MEDIUM (single-vendor; Sophos citing Secureworks CTU) | Sophos (citing Secureworks CTU); not independently confirmed by Mandiant, CrowdStrike, or Microsoft as of May 2026 |
| UNCA2546 / UNCA2582 | Affiliate clusters referenced in Halcyon reporting as Cl0p-linked | LOW-MEDIUM | LOW | Halcyon: single vendor; limited technical detail in open sources; treat as unverified pending cross-vendor confirmation |

Neither Mandiant nor Recorded Future has published a formal assessment specifically evaluating GOLD NIAGARA as a standalone Cl0p-linked cluster distinct from GOLD TAHOE as of this profile's publication date.

Outlook and Intelligence Gaps

Cl0p is assessed as likely to remain a top-tier global extortion actor through at least 2026-2027. The group's demonstrated pattern of expanding its zero-day research capability to cover new product categories (ERP with Oracle EBS) beyond its historical MFT focus indicates growing technical resources and investment. The continued absence of successful law enforcement action against core leadership removes the primary disruption risk that has degraded comparable actors (LockBit, Conti).

Key intelligence gaps that constrain higher-confidence assessments:

  • Identity, location, and current status of core leadership: entirely unconfirmed in public sources
  • Precise revenue attribution: all figures based on partial blockchain visibility; actual revenue may be materially higher or lower
  • Affiliate split structure and total affiliate count: inferred from general RaaS norms, not directly documented for Cl0p
  • GOLD NIAGARA organizational relationship: single-vendor claim pending cross-vendor validation
  • Current zero-day research pipeline: no public intelligence on which MFT or enterprise products are under active Cl0p assessment
REF

Sources & References

Government and Law Enforcement

[2] Canadian Centre for Cyber Security, Profile: TA505 / CL0P Ransomware

Vendor Research

[4] Mandiant / Google GTIG, Oracle E-Business Suite Zero-Day Exploitation, 2025
[7] Cyberint (Check Point), CL0P Ransomware: The Latest Updates, updated February 2025
[8] Halcyon, Cl0p Threat Group Profile, 2024/2025
[9] SOCRadar, Dark Web Threat Profile: CLOP Ransomware, updated 2026
[12] Kaspersky, What is Cl0p Ransomware?, 2023

CVE and Vulnerability References

[15] NVD/NIST, CVE-2023-34362 Detail (MOVEit Transfer SQL Injection, CVSS 9.8)
[16] NVD/NIST, CVE-2023-0669 Detail (GoAnywhere MFT Pre-Auth Command Injection, CVSS 7.2)