Clop

Malware updated a month ago (2024-11-29T14:52:00.933Z)
Clop, a malicious software (malware), is linked to a Russian-speaking cybercriminal group also known as Cl0p. It is designed to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data hostage for ransom. In May 2023, the Clop group began exploiting a zero-day vulnerability, later designated CVE-2023-34362, in Progress Software's MOVEit secure file transfer software. This exploit was used to steal data from various government, public, and financial organizations worldwide. The Clop group's exploitation of vulnerabilities in the MOVEit software led to approximately 666 incidents, compromising names, Social Security numbers, Medicare identifiers, and more. The breach, which originated from the 2023 MOVEit attack by the Clop ransomware group, significantly impacted over 2,750 organizations and 94 million individuals. This campaign, known as CL0P’s MOVEit campaign, highlighted the importance of promptly patching vulnerabilities and securing Web-facing applications. The attacks resulted in an estimated profit between $75 million and $100 million for the Clop group. These profits were primarily derived from large ransoms paid by affected organizations in return for a promise not to leak their stolen data. According to ransomware incident response firm Coveware, this widespread exploitation and subsequent ransom demands demonstrated the significant threat posed by the Clop group to both individual users and large organizations.
Description last updated: 2024-11-15T15:57:00.472Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
| Alias Description | Votes |
|---|---|
| CVE-2023-34362 is a possible alias for Clop. CVE-2023-34362 is a critical software vulnerability found in Progress Software's managed file transfer (MFT) solution, MOVEit Transfer. This flaw was an SQL injection vulnerability that allowed for escalated privileges and unauthorized access. The vulnerability became active on May 27, 2023, when it | 13 |
| TA505 is a possible alias for Clop. TA505, also known as Cl0p Ransomware Gang and Lace Tempest, is a highly active and sophisticated cybercriminal group. The group has been associated with various high-profile cyber-attacks, demonstrating adaptability through a multi-vector approach to their operations. In June 2023, the U.S. Cybersec | 9 |
| Clop Ransomware Group is a possible alias for Clop. The Clop ransomware group, a malicious threat actor in the cybersecurity landscape, has been actively exploiting vulnerabilities in software to execute their attacks. The group is known for its harmful activities that involve the execution of actions with malicious intent. They could be individuals, | 8 |
| Truebot is a possible alias for Clop. Truebot is a malicious software (malware) utilized by the CL0P actors, designed to exploit and damage computer systems. This malware can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Truebot serves multiple purposes: it can dow | 7 |
| fin11 is a possible alias for Clop. FIN11, a threat actor group also known as Lace Tempest or TA505, has been linked to the development and deployment of Cl0p ransomware. This malicious software is believed to be a variant of another ransomware, CryptoMix, and is typically used by FIN11 to encrypt files on a victim's network after ste | 7 |
| Lace Tempest is a possible alias for Clop. Lace Tempest, a threat actor known for executing actions with malicious intent, has been identified as the orchestrator behind a series of cyber attacks exploiting a zero-day vulnerability in SysAid. The exploit was first brought to light by SysAid and further detailed in a blog post on TuxCare. Thi | 6 |
| cl0p group is a possible alias for Clop. The Cl0p group, a threat actor in the cybersecurity landscape, has been responsible for a significant surge in ransomware attacks. This group notably exploited a previously unknown SQL injection (SQLi) vulnerability in MOVEit's file-transfer application to steal data from companies. In 2023, they br | 5 |
| truebot malware is a possible alias for Clop. Truebot malware is a malicious software that infiltrates computer systems, often without the user's knowledge, to exploit and damage the device. It was primarily delivered by cyber threat actors via malicious phishing email attachments, but newer versions observed in 2023 also gained initial access | 4 |
| Blackbasta is a possible alias for Clop. BlackBasta is a notorious malware group that has emerged as a significant player in the ransomware space. The group has demonstrated an ability to adapt and evolve their tactics, making them a leading entity in the Russian-language ransomware domain. Initially, BlackBasta was observed using a botnet | 3 |
| cl0p is a possible alias for Clop. Cl0p is a threat actor group that has emerged as the most used ransomware in March 2023, dethroning LockBit. The group has successfully exploited zero-day vulnerabilities in the past, but such attacks are relatively rare. Recent research by Malwarebytes highlights the bias of ransomware gangs for at | 2 |
| Snakefly is a possible alias for Clop. Snakefly, also known as FIN11 and TA505, is a threat actor known for its malicious activities primarily aimed at organizations in North America and Europe. The group is financially motivated and has been active since at least early 2019. Snakefly is particularly associated with the deployment of Cl0 | 2 |
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Vulnerability
Moveit
Exploit
Ransom
Mft
Extortion
exploited
Zero Day
Exploits
Malware
exploitation
Encryption
flaw
Encrypt
Linux
Goanywhere
RaaS
Fortra
Cybercrime
Sysaid
Papercut
Cobalt Strike
Botnet
Health
Backdoor
Bitcoin
CISA
Remote Code ...
Data Leak
Phishing
Payload
Windows
Government
Web Shell
Microsoft
Sony
Siemens
Trojan
Sentinelone
bugs
Ransomware P...
Implant
University
Ofcom
Spam
Webshell
T1190
Education
Openssh
Sql
Colorado
Esxi
Worm
Downloader
Hospitals
Exploit Zero...
Tool
Lateral Move...
LOTL
Associated Malware
| Alias Description | Association Type | Votes |
|---|---|---|
| The Lockbit Malware is associated with Clop. LockBit is a prominent ransomware-as-a-service (RaaS) malware that has been involved in numerous cyberattacks, demonstrating its staying power and adaptability. The malware, which can infiltrate systems through suspicious downloads, emails, or websites, is designed to exploit and damage computers or | is related to | 16 |
| The Akira Malware is associated with Clop. Akira is a potent ransomware that has been active since 2023, known for its aggressive encryption tactics and swift deployment. This malware, which brings a unique '80s aesthetic to the dark web, has quickly risen in prominence within the cybercrime landscape. It has targeted hundreds of victims glo | Unspecified | 6 |
| The Conti Malware is associated with Clop. Conti is a type of malware, specifically ransomware, which is designed to infiltrate and damage computer systems. This malicious software can enter systems through various methods such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal persona | Unspecified | 5 |
| The Lemurloot Malware is associated with Clop. LemurLoot is a malicious software, or malware, specifically a web shell written in C# that targets the MOVEit Transfer platform. It was developed and deployed by the CL0P ransomware group to exploit vulnerabilities in systems and steal data. In May 2023, the group exploited a SQL injection zero-day | Unspecified | 5 |
| The Black Basta Malware is associated with Clop. Black Basta is a notorious malware group known for its sophisticated ransomware attacks, which have targeted numerous high-profile entities. The group has demonstrated a remarkable ability to adapt their tactics, techniques, and procedures (TTPs), allowing them to effectively evade security defenses | Unspecified | 4 |
| The Nokoyawa Malware is associated with Clop. Nokoyawa is a prominent malware, specifically ransomware, that has been linked to numerous cybercrime activities since it first emerged in 2022. It has been associated with various other malware families including Quantum, Royal, BlackBasta, and a variety of others such as Emotet, IcedID, CobaltStr | is related to | 4 |
| The FlawedGrace Malware is associated with Clop. FlawedGrace is a notorious malware, a remote access trojan (RAT), that has been used extensively in cyberattacks. It was first brought to light in June 2023 when The DFIR Report revealed its use in Truebot operations. In these operations, following the successful download of a malicious file, Truebo | Unspecified | 3 |
| The REvil Malware is associated with Clop. REvil, also known as Sodinokibi, is a malicious software (malware) that operates on a Ransomware as a Service (RaaS) model. This model became increasingly popular in 2020, with first-stage malware like Dridex and Gootkit being linked to ransomware attacks such as BitPaymer and REvil respectively. Th | Unspecified | 3 |
| The FlawedAmmyy Malware is associated with Clop. FlawedAmmyy is a notable malware, specifically a Remote Access Trojan (RAT), that has been leveraged by threat actors for malicious purposes. The malware is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites unbeknownst to the user. | Unspecified | 3 |
| The Maze Malware is associated with Clop. Maze is a form of malicious software, or malware, that pioneered a novel double-extortion tactic in the cyber threat landscape. Its modus operandi involves stealing victims' files before encrypting them, thereby enabling the threat actors to threaten both the disruption of operations and the release | Unspecified | 3 |
| The IceFire Malware is associated with Clop. IceFire is a malicious software (malware) that has been detected as part of the Linux ransomware family. It was initially known for attacking Windows systems, but recent developments have seen it expand its reach to both Linux and Windows systems. The shift by IceFire to target Linux systems worldwi | Unspecified | 3 |
| The Raspberry Robin Malware is associated with Clop. Raspberry Robin is a sophisticated malware that uses advanced techniques to infiltrate and exploit computer systems. The malicious software is designed to stealthily enter a system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can wreak havoc by st | Unspecified | 3 |
| The Hive Malware is associated with Clop. Hive is a form of malware, specifically ransomware, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Hive can steal personal information, disrupt operations, or hold data hostag | Unspecified | 3 |
| The Qbot Malware is associated with Clop. Qbot, also known as Qakbot or Pinkslipbot, is a sophisticated malware that initially emerged in 2007 as a banking trojan. It has since evolved into an advanced strain used by various cybercriminal groups to infiltrate networks and prepare them for ransomware attacks. The first known use of an ITG23 | Unspecified | 2 |
| The Get2 Malware is associated with Clop. Get2 is a type of malware, harmful software designed to infiltrate and damage computer systems or devices. It can be unknowingly downloaded through suspicious emails, downloads, or websites, enabling it to steal personal information, disrupt operations, or hold data hostage for ransom. Among the mos | Unspecified | 2 |
| The Dewmode Malware is associated with Clop. DEWMODE is a malicious web shell malware, written in PHP, designed to interact with MySQL databases and specifically target Accellion FTA devices. It operates by infiltrating the compromised network and exfiltrating data. During 2020-2021, threat actor group TA505 exploited several zero-day vulnerab | Unspecified | 2 |
| The IcedID Malware is associated with Clop. IcedID is a malicious software (malware) that has been implicated in numerous cybercrime campaigns. It has been associated with other notable malware such as Qakbot, BazarLoader, CobaltStrike, Conti, Gozi, Trickbot, Quantum, Emotet, Pikabot, and SystemBC. Its distribution often involves the use of d | Unspecified | 2 |
| The Meterpreter Malware is associated with Clop. Meterpreter is a type of malware that acts as an attack payload within the Metasploit framework, providing threat actors with an interactive shell to control and execute code on a compromised system. The malware is often deployed covertly through suspicious downloads, emails, or websites. Once insta | Unspecified | 2 |
| The Ryuk Malware is associated with Clop. Ryuk is a type of malware known as ransomware, which has been utilized by the threat group ITG23 for several years. This group has been notorious for crypting their malware, with crypters seen in use with other malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware inves | Unspecified | 2 |
| The Cactus Malware is associated with Clop. Cactus is a type of malware, specifically ransomware, known for its malicious activities including data theft and system disruption. This malware has been linked to several high-profile attacks, spreading primarily through malvertising campaigns that leverage the DanaBot Trojan. Notably, the Cactus | Unspecified | 2 |
| The Royal Ransomware Malware is associated with Clop. Royal Ransomware is a form of malware that was active from September 2022 through June 2023. This malicious software, designed to exploit and damage computers or devices, would infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it could stea | Unspecified | 2 |
| The Karakurt Malware is associated with Clop. Karakurt is a malicious software (malware) that has been linked to significant data extortion activities. The malware is affiliated with the notorious Conti cybercrime syndicate and ITG23, which are known for their disruptive operations, including data theft and ransom demands. In 2023, there was a | Unspecified | 2 |
| The Sdbot Malware is associated with Clop. SDBot is a malicious software, or malware, that has been leveraged by threat actors known as TA505 and CL0P to exploit vulnerabilities in computer systems. It is used as a backdoor to enable the execution of commands and functions in the compromised computer, often without the user's knowledge. The | Unspecified | 2 |
| The Tinymet Malware is associated with Clop. TinyMet is a type of malware, specifically a tiny, flexible Meterpreter stager, that can infiltrate systems and cause significant damage. It has been used by threat actors like GOLD TAHOE to retrieve the TinyMet Meterpreter stager in Clop ransomware incidents. This harmful program can infect your sy | Unspecified | 2 |
Associated Threat Actors
| Alias Description | Association Type | Votes |
|---|---|---|
| The Clop Gang Threat Actor is associated with Clop. The Clop Gang, a cyber threat actor known for its malicious activities, has posed significant challenges to cybersecurity in various sectors. The group is notorious for executing actions with harmful intent and has been particularly active in recent years. As part of their operations, they can range | Unspecified | 5 |
| The Vice Society Threat Actor is associated with Clop. Vice Society, a threat actor or hacking team with malicious intent, has been active since 2022 and has made significant waves in the cybersecurity world. The group is known for deploying various forms of ransomware, including BlackCat, Quantum Locker, Zeppelin, and their own branded variant of Zeppe | Unspecified | 4 |
| The FIN7 Threat Actor is associated with Clop. FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group that has been active since 2012. The group is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global | Unspecified | 4 |
| The Sangria Tempest Threat Actor is associated with Clop. Sangria Tempest, also known as Carbon Spider, Elbrus, and FIN7, is a threat actor that has been active since 2013. In mid-November 2023, Microsoft observed Sangria Tempest using Storm-1113's EugenLoader delivered through malicious MSIX package installations. The group frequently targets the restaura | Unspecified | 3 |
| The DarkSide Threat Actor is associated with Clop. DarkSide is a threat actor known for its malicious activities, primarily in the realm of ransomware attacks. One of their most notable exploits occurred on May 7, 2021, when they targeted Colonial Pipeline Co., a major player in the U.S. energy sector. The attack disrupted the gasoline supply across | Unspecified | 3 |
| The LockBitSupp Threat Actor is associated with Clop. LockBitSupp, a prominent threat actor, has been identified as Russian national Dmitry Yuryevich Khoroshev. The group's activities have been under scrutiny due to its involvement in ransomware attacks and other cybercrimes. Khoroshev, who was operating under the aliases "LockBit" and "LockBitSupp," i | Unspecified | 2 |
| The Blackmatter Threat Actor is associated with Clop. BlackMatter, a threat actor in the cybersecurity realm, is known for its malicious activities and has been linked to several ransomware strains. The group emerged as a successor to the DarkSide ransomware, which was responsible for the high-profile attack on the Colonial Pipeline in May 2021. Howeve | Unspecified | 2 |
| The Medusa Threat Actor is associated with Clop. Medusa, a threat actor group known for its malicious activities, has been increasingly involved in multiple high-profile cyber attacks. In November 2023, Medusa and other groups like LockBit and ALPHV (BlackCat) exploited a zero-day vulnerability, the Citrix Bleed (CVE-2023-4966), leading to numerou | Unspecified | 2 |
| The BianLian Threat Actor is associated with Clop. BianLian is a threat actor that has been active in cybercrime, leveraging various techniques for malicious intent. Prior to January 2024, the group used an encryptor (encryptor.exe) that modified all encrypted files to have the .bianlian extension and created a ransom note in each affected directory | Unspecified | 2 |
| The Rhysida Threat Actor is associated with Clop. Rhysida is a globally active threat actor known for its ransomware operations, which have impacted a wide range of sectors, particularly the government and public sector. Their use of CleanUpLoader makes their operations highly effective and difficult to detect, as it not only facilitates persistenc | Unspecified | 2 |
| The RansomedVC Threat Actor is associated with Clop. RansomedVC, a new threat actor in the cybersecurity landscape, has emerged as a significant concern due to its unorthodox approaches and deceptive tactics. This group is suspected to be an enterprise of a single individual threat actor, who has previously been associated with other cybercrime operat | Unspecified | 2 |
Associated Vulnerabilities
| Alias Description | Association Type | Votes |
|---|---|---|
| The CVE-2023-0669 Vulnerability is associated with Clop. CVE-2023-0669 is a serious software vulnerability that was identified in Fortra's GoAnywhere Managed File Transfer (MFT) secure file transfer tool. This flaw, which allowed for remote code execution, was exploited by the Clop ransomware group as a zero-day vulnerability. The group launched a major c | Unspecified | 9 |
| The Moveit Transfer Vulnerability Vulnerability is associated with Clop. The MOVEit Transfer vulnerability, officially designated as CVE-2023-34362, is a flaw in software design or implementation that has been exploited by the Cl0p ransomware group. Despite initial concerns, there's no evidence that the Cl0p ransomware was deployed when this vulnerability was recently ex | Unspecified | 6 |
| The vulnerability CVE-2023-27351 is associated with Clop. | Unspecified | 3 |
| The CVE-2023-27350 Vulnerability is associated with Clop. CVE-2023-27350 represents a significant software vulnerability in PaperCut MF/NG, identified as an improper access control flaw. This weakness allows attackers to bypass authentication processes, providing them with the ability to execute code with system privileges. The vulnerability was first upda | Unspecified | 3 |
| The vulnerability CVE-2021-27104 is associated with Clop. | Unspecified | 2 |
| The vulnerability CVE-2021-27102 is associated with Clop. | Unspecified | 2 |
| The CVE-2023-35036 Vulnerability is associated with Clop. CVE-2023-35036 is a significant vulnerability identified in the MOVEit Transfer software, part of the Progress Software suite. This flaw was first reported on June 16, 2023, following the discovery and exploitation of CVE-2023-34362 by a Clop ransomware affiliate. The CVE-2023-35036 vulnerability pr | Unspecified | 2 |
| The CVE-2023-35708 Vulnerability is associated with Clop. CVE-2023-35708 is a critical software vulnerability, specifically an SQL injection flaw, that affected the MOVEit Transfer application. This issue was identified as a privilege escalation vulnerability, meaning it could potentially allow unauthorized users to gain elevated access rights within the s | Unspecified | 2 |
| The vulnerability CVE-2021-27101 is associated with Clop. | Unspecified | 2 |
| The CVE-2023-47246 Vulnerability is associated with Clop. CVE-2023-47246 is a critical zero-day vulnerability discovered in the SysAid IT support and management software solution. The flaw, identified as a path traversal vulnerability, has been exploited by Lace Tempest, a ransomware affiliate known for deploying Cl0p ransomware. This vulnerability allows | has used | 2 |