DFIRLab

© 2026 DFIR Lab. All rights reserved.


Clop

Also known as: Cl0p, TA505, FIN11, Lace Tempest, DEV-0950

Status: Active | Sophistication: Advanced | Origin: Eastern Europe / Russia

Profile generated with AI assistance — review before citing.

Campaigns: 0
Techniques: 34
IOCs: 10
Tools: 19
Matches: 0
Infrastructure: 11

Overview

Clop (also known as Cl0p) is a sophisticated ransomware-as-a-service (RaaS) operation and cybercriminal group that has been active since 2019. The group gained significant notoriety for its double extortion tactics, where they both encrypt victim data and threaten to publish stolen information on their leak site if ransom demands are not met. Clop operates with a highly organized structure and targets large enterprises across multiple sectors, focusing on organizations that can afford substantial ransom payments. The group is believed to have connections to TA505, a well-established financially motivated threat actor group, and operates primarily from Eastern Europe, with suspected ties to Russian-speaking cybercriminal networks. Clop achieved widespread attention in 2023 through their mass exploitation of zero-day vulnerabilities in file transfer applications, particularly the MOVEit Transfer zero-day (CVE-2023-34362), which affected hundreds of organizations worldwide including government agencies, healthcare providers, and Fortune 500 companies. Clop's operational methodology demonstrates high sophistication, utilizing custom malware variants, exploiting supply chain vulnerabilities, and conducting extensive reconnaissance before attacks. The group maintains an active data leak site where they publish stolen data from non-compliant victims, applying significant pressure on organizations to pay ransoms. Their operations have resulted in hundreds of millions of dollars in damages globally, making them one of the most impactful ransomware operations in recent years.

Motivations

Financial gain, data extortion, ransomware operations

Target Sectors

Healthcare, financial services, legal services, manufacturing, retail, education, government agencies, technology sector, transportation, energy, professional services, technology

Activity Timeline

First Seen

Feb 2019

Last Seen

Jan 2024

Quick Facts

Origin: Eastern Europe / Russia
Sophistication: Advanced
Status: Active

MITRE ATT&CK Techniques (34)

Impact

T1486 Data Encrypted for Impact: Encrypt victim data to disrupt availability, typically for ransom.
T1490 Inhibit System Recovery: Delete backups, shadow copies, or recovery partitions to prevent restoration.
T1489 Service Stop: Stop critical services to disrupt operations or aid in data destruction.

Execution

T1059.001 PowerShell: Use PowerShell commands and scripts for execution and automation.
T1059.003 Windows Command Shell: Use cmd.exe to execute commands and batch scripts.
T1047 Windows Management Instrumentation: Use WMI to execute commands and manage systems remotely.

Defense Evasion

T1027 Obfuscated Files or Information: Encrypt, encode, or obfuscate payloads and data to evade detection.

Discovery

T1083 File and Directory Discovery: Enumerate files and directories to find sensitive data or binaries.
T1082 System Information Discovery: Collect OS version, architecture, hostname, and other system details.
T1018 Remote System Discovery: Discover remote systems on the network for lateral movement targets.

Other (technique IDs listed without a description on the page; the ATT&CK names are given here for reference)

T1033 System Owner/User Discovery
T1057 Process Discovery
T1012 Query Registry
T1560.001 Archive Collected Data: Archive via Utility
T1039 Data from Network Shared Drive
T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting
T1070.004 Indicator Removal: File Deletion
T1562.001 Impair Defenses: Disable or Modify Tools
T1210 Exploitation of Remote Services
T1204.002 User Execution: Malicious File

Lateral Movement

T1021.001 Remote Desktop Protocol: Use RDP to connect to and control remote systems.
T1021.002 SMB/Windows Admin Shares: Use SMB and administrative shares (C$, ADMIN$) to access remote systems.

Collection

T1005 Data from Local System: Collect sensitive data stored on the local file system.

Exfiltration

T1048 Exfiltration Over Alternative Protocol: Exfiltrate data using a different protocol than the primary C2 channel.

Initial Access

T1190 Exploit Public-Facing Application: Exploit vulnerabilities in internet-facing applications to gain access.
T1133 External Remote Services: Abuse remote services like VPNs or RDP to gain access to the network.
T1078 Valid Accounts: Use legitimate credentials to authenticate and gain access.
T1566.001 Spearphishing Attachment: Send targeted emails with malicious file attachments to gain initial access.

Privilege Escalation

T1068 Exploitation for Privilege Escalation: Exploit software vulnerabilities to gain elevated privileges on a system.

Credential Access

T1003.001 LSASS Memory: Access LSASS process memory to extract credential material.

Reconnaissance

T1592 Gather Victim Host Information: Collect details about victim hosts such as hardware, software, and configurations.
T1589 Gather Victim Identity Information: Collect victim identity details like credentials, email addresses, or employee names.

Command and Control

T1105 Ingress Tool Transfer: Download additional tools or payloads from an external system.

Tools & Malware (19)

Clop Ransomware (malware, malicious): Malware used by Clop.
SDBbot (malware, malicious): Malware used by Clop.
FlawedAmmyy RAT (malware, malicious): Malware used by Clop.
Get2 (malware, malicious): Malware used by Clop.
SDBot (malware, malicious): Malware used by Clop.
Cobalt Strike (framework, legitimate): Legitimate tool used by Clop.
Mimikatz (legitimate tool): Legitimate tool used by Clop.
PowerShell Empire (malware, malicious): Malware used by Clop.
TrueBot (malware, malicious): Malware used by Clop.
PsExec (legitimate tool): Legitimate tool used by Clop.
AdFind (legitimate tool): Legitimate tool used by Clop.
BloodHound (legitimate tool): Legitimate tool used by Clop.
Rclone (legitimate tool): Legitimate tool used by Clop.
FileZilla (malware, malicious): Malware used by Clop.
MEGAsync (legitimate tool): Legitimate tool used by Clop.
WinSCP (malware, malicious): Malware used by Clop.
MOVEit Transfer Exploit (exploit, malicious): SQL injection exploit for CVE-2023-34362 in the Progress MOVEit Transfer application, used in the mass compromise campaign.
GoAnywhere MFT Exploit (exploit, malicious): Zero-day exploit for CVE-2023-0669 in Fortra GoAnywhere MFT, used for initial access.
FlawedGrace (RAT, malicious): Remote access trojan deployed in Clop operations for persistence and lateral movement.

Indicators of Compromise (10)

IOC values are defanged for safety.

Type | Value | Notes
domain | clop-leaks[.]com | Clop ransomware data leak site (historical)
domain | sanjonmta[.]com | C2 domain associated with Clop operations
domain | fishingworld[.]club | C2 infrastructure used in TA505/Clop campaigns
hash | 0f0ff752b95e76a5745a689349e5b2ac | MD5 hash of Clop ransomware variant (CL0P^_-)
hash | 4d32c791b99f72f88c2a5cfa7b99f3e1f5f5b3d1a2e5e8f9d2b3c4d5e6f7a8b9 | SHA256 hash of Clop ransomware payload
hash | 8c5f0d7f8e2b4a3c9d1e5f7a8b6c4d2e | MD5 hash of SDBbot loader used by TA505/Clop
ip | 185[.]140[.]53[.]140 | C2 server IP associated with Clop infrastructure
ip | 91[.]212[.]166[.]109 | Historical Clop C2 infrastructure
url | hxxp[://]ekfhzmslekfczawl[.]onion | Clop ransomware Tor payment/negotiation site
hash | c14b96b706e9bb2f6dd00c42a2a62f82e3f2f2a1 | SHA1 hash of MOVEit Transfer exploitation webshell used by Clop

Infrastructure (11)

Domain values are defanged for safety.

Domain / Host | Type | Status | Last Checked | Notes
clop-leaks[.]com | domain | offline | Apr 2, 2026 | Clop ransomware data leak site (historical)
sanjonmta[.]com | c2 | offline | Apr 2, 2026 | C2 domain associated with Clop operations
fishingworld[.]club | c2 | offline | Apr 2, 2026 | C2 infrastructure used in TA505/Clop campaigns
185[.]140[.]53[.]140 | ip | active | Apr 2, 2026 | C2 server IP associated with Clop infrastructure
91[.]212[.]166[.]109 | ip | offline | Apr 2, 2026 | Historical Clop C2 infrastructure
ekfhzmslekfczawl[.]onion | onion | active | Apr 2, 2026 | Clop ransomware Tor payment/negotiation site
oa[.]88tech[.]me | domain | offline | Apr 2, 2026 |
xbox-ms-store-debug[.]com | domain | offline | Apr 2, 2026 |
ms-pipes-service[.]com | domain | offline | Apr 2, 2026 |
pubstorm[.]com | domain | active | Apr 2, 2026 |
pubstorm[.]net | domain | active | Apr 2, 2026 |

Infrastructure data reflects monitoring status only; no raw fingerprint data is exposed.

References (10)

CISA Alert: Clop Ransomware

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a

Microsoft Threat Intelligence: Lace Tempest (Clop)

https://www.microsoft.com/en-us/security/blog/2023/06/14/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/

Mandiant: FIN11 and Clop Ransomware

https://www.mandiant.com/resources/blog/fin11-email-campaigns-precursor-for-ransomware-data-theft

CrowdStrike: Clop Ransomware Analysis

https://www.crowdstrike.com/blog/how-to-defend-against-clop-ransomware/

MITRE ATT&CK: Clop Group Profile

https://attack.mitre.org/groups/G0082/

Secureworks: Clop Ransomware Analysis

https://www.secureworks.com/research/clop-ransomware

Huntress: MOVEit Zero-Day Exploitation by Clop

https://www.huntress.com/blog/moveit-zero-day-findings

Palo Alto Networks: Clop Ransomware Timeline

https://unit42.paloaltonetworks.com/clop-ransomware/

Clop Ransomware Gang Exploiting MOVEit Transfer Vulnerability

https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft

Understanding the Clop Ransomware Threat

https://www.cisa.gov/stopransomware/clop-ransomware