cl0p

Threat Actor updated 7 months ago (2024-05-04T18:46:04.761Z)

Download STIX

Preview STIX

Cl0p is a threat actor group that has emerged as the most used ransomware in March 2023, dethroning LockBit. The group has successfully exploited zero-day vulnerabilities in the past, but such attacks are relatively rare. Recent research by Malwarebytes highlights the bias of ransomware gangs for attacking English-speaking countries, and the Cl0p campaign follows the same trend. The Cl0p ransomware syndicate launched a cyberattack against several federal agencies and organizations in the US by exploiting weaknesses in MOVEit Transfer, a common file transfer platform. The group claims credit for several other cyberattacks in the past, including British Airways, Shell, and the governments in Minnesota and Illinois. The victims of the recent attack were given until Wednesday to negotiate a ransom or risk having sensitive stolen data dumped online. Many experts believe that the attacks are coming from the Cl0p Ransomware Gang, which is known to demand multimillion-dollar ransoms. The group has also been observed emailing stakeholders and customers of their victims, informing them that even their data will be leaked. Despite the successful attacks by Cl0p, the use of zero-day vulnerabilities remains relatively rare.

Description last updated: 2023-06-19T05:23:11.474Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
TA505 is a possible alias for cl0p. TA505, also known as Cl0p Ransomware Gang and Lace Tempest, is a highly active and sophisticated cybercriminal group. The group has been associated with various high-profile cyber-attacks, demonstrating adaptability through a multi-vector approach to their operations. In June 2023, the U.S. Cybersec	3
Clop is a possible alias for cl0p. Clop, a malicious software (malware), is linked to a Russian-speaking cybercriminal group also known as Cl0p. It is designed to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data hostage for ransom. In May 2023, the Clop group began exploitin	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

Moveit

Vulnerability

exploited

Ransom

exploitation

Papercut

Mft

Extortion

Malware

Payload

flaw

CISA

T1190

Exploit

Cybercrime

Backdoor

Cobalt Strike

Windows

Government

bugs

RaaS

Linux

Microsoft

Phishing

Encryption

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Get2 Malware is associated with cl0p. Get2 is a type of malware, harmful software designed to infiltrate and damage computer systems or devices. It can be unknowingly downloaded through suspicious emails, downloads, or websites, enabling it to steal personal information, disrupt operations, or hold data hostage for ransom. Among the mos	Unspecified	2
The FlawedAmmyy Malware is associated with cl0p. FlawedAmmyy is a notable malware, specifically a Remote Access Trojan (RAT), that has been leveraged by threat actors for malicious purposes. The malware is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites unbeknownst to the user.	Unspecified	2
The FlawedGrace Malware is associated with cl0p. FlawedGrace is a notorious malware, a remote access trojan (RAT), that has been used extensively in cyberattacks. It was first brought to light in June 2023 when The DFIR Report revealed its use in Truebot operations. In these operations, following the successful download of a malicious file, Truebo	Unspecified	2
The Lemurloot Malware is associated with cl0p. LemurLoot is a malicious software, or malware, specifically a web shell written in C# that targets the MOVEit Transfer platform. It was developed and deployed by the CL0P ransomware group to exploit vulnerabilities in systems and steal data. In May 2023, the group exploited a SQL injection zero-day	Unspecified	2

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The CVE-2023-34362 Vulnerability is associated with cl0p. CVE-2023-34362 is a critical software vulnerability found in Progress Software's managed file transfer (MFT) solution, MOVEit Transfer. This flaw was an SQL injection vulnerability that allowed for escalated privileges and unauthorized access. The vulnerability became active on May 27, 2023, when it	Unspecified	5
The CVE-2023-0669 Vulnerability is associated with cl0p. CVE-2023-0669 is a serious software vulnerability that was identified in Fortra's GoAnywhere Managed File Transfer (MFT) secure file transfer tool. This flaw, which allowed for remote code execution, was exploited by the Clop ransomware group as a zero-day vulnerability. The group launched a major c	Unspecified	2

Source Document References

Information about the cl0p Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CERT-EU	a year ago	CalPERS Latest Victim of MOVEit Hack with Data of Estimated 700K Members, Retirees Exposed \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
CERT-EU	a year ago	New DoJ Cyber Prosecution Team Will Go After Nation-State Threat Actors
CERT-EU	a year ago	Avast, Norton Parent Latest Victim of MOVEit Ransomware Attacks
CERT-EU	a year ago	Hackers target DMV to expose data of 9.5 million people \| Digital Trends
CERT-EU	a year ago	Zero-Day-Lücke: Cl0p nennt weitere Opfer der MOVEit-Transfer-Schwachstellen
CERT-EU	a year ago	SQL injection vulnerability in MOVEit Transfer leads to data breaches worldwide
CERT-EU	a year ago	Progress Software hit with class action lawsuit over MOVEit hack
CERT-EU	a year ago	Zero-Day-Lücke: Cl0p nennt weitere Opfer der MOVEit-Transfer-Schwachstellen
CERT-EU	a year ago	MOVEIt Vulnerability: A Painful Reminder That Threat Actors Aren’t the Only Ones Responsible for a Data Breach - Security Boulevard
Malwarebytes	a year ago	US dangles $10 million reward for information about Cl0p ransomware gang
CERT-EU	a year ago	La empresa de ciberseguridad Norton Lifelock, se convierte en víctima de ransomware, ¡ Que dios salve a los clientes!
CERT-EU	a year ago	EY and PwC Among the Many Entities Caught Up in the MOVEit Cybersecurity Breach Ransom \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
DARKReading	a year ago	Fresh Ransomware Gangs Emerge As Market Leaders Decline
CERT-EU	a year ago	The US government is offering $10 million for tips about Cl0p ransomware
CERT-EU	a year ago	attack on BBC and BA offers glimpse into the future of cybercrime \| #cybercrime \| #infosec \| National Cyber Security Consulting
CERT-EU	a year ago	Moveit hack: attack on BBC and BA offers glimpse into the future of cybercrime
CERT-EU	a year ago	Datenleck: Verivox von MOVEit-Lücke betroffen
CERT-EU	a year ago	US authorities offer up to $10M for info on Clop ransomware
CERT-EU	a year ago	MOVEit Customers Urged to Patch Third Critical Vulnerability
CERT-EU	a year ago	Datenleck: Verivox von MOVEit-Lücke betroffen