Clop

Also known as: Cl0p, TA505, FIN11, Lace Tempest, DEV-0950, Graceful Spider, UNCA2546, UNCA2582, Spandex Tempest, UNC5833, UNC6016

ActiveAdvancedEastern Europe / Russia

Profile generated with AI assistance — review before citing.

0Campaigns

41Techniques

21IOCs

34Tools

0Matches

13Infrastructure

Overview

Clop has evolved from encryption-focused ransomware to data-theft-centric extortion campaigns, primarily exploiting zero-day vulnerabilities in enterprise file transfer and ERP systems. Operated by TA505/FIN11, the group has generated over $500 million in extorted payments and compromised more than 11,000 organizations worldwide. Now focuses on mass victimization through supply chain attacks targeting widely-deployed software, with campaigns affecting hundreds of organizations simultaneously. Active through April 2026 as one of the most prolific global ransomware operations.

Motivations

Financial gainData extortionRansomware operations

Target Sectors

HealthcareFinancial servicesLegal servicesManufacturingRetailEducationGovernment agenciesTechnology sectorTransportationEnergyProfessional servicesTechnologyLegalSupply Chain/LogisticsMediaOracle EBS customersCleo MFT usersTelecommunicationsInsurance

Activity Timeline

First Seen

Feb 2019

Last Seen

Jan 2025

Quick Facts

OriginEastern Europe / Russia

Sophisticationadvanced

StatusActive

MITRE ATT&CK Techniques

(41)

Impact

T1486

Data Encrypted for Impact

Encrypt victim data to disrupt availability, typically for ransom.

T1490

Inhibit System Recovery

Delete backups, shadow copies, or recovery partitions to prevent restoration.

T1489

Service Stop

Stop critical services to disrupt operations or aid in data destruction.

Execution

T1059.001

PowerShell

Use PowerShell commands and scripts for execution and automation.

T1059.003

Windows Command Shell

Use cmd.exe to execute commands and batch scripts.

T1047

Windows Management Instrumentation

Use WMI to execute commands and manage systems remotely.

Defense Evasion

T1027

Obfuscated Files or Information

Encrypt, encode, or obfuscate payloads and data to evade detection.

Discovery

T1083

File and Directory Discovery

Enumerate files and directories to find sensitive data or binaries.

T1082

System Information Discovery

Collect OS version, architecture, hostname, and other system details.

T1018

Remote System Discovery

Discover remote systems on the network for lateral movement targets.

Other

Lateral Movement

T1021.001

Remote Desktop Protocol

Use RDP to connect to and control remote systems.

T1021.002

SMB/Windows Admin Shares

Use SMB and administrative shares (C$, ADMIN$) to access remote systems.

Collection

T1005

Data from Local System

Collect sensitive data stored on the local file system.

Exfiltration

T1048

Exfiltration Over Alternative Protocol

Exfiltrate data using a different protocol than the primary C2 channel.

T1041

Exfiltration Over C2 Channel

Exfiltrate stolen data over the existing command and control channel.

Initial Access

T1190

Exploit Public-Facing Application

Exploit vulnerabilities in internet-facing applications to gain access.

T1133

External Remote Services

Abuse remote services like VPNs or RDP to gain access to the network.

T1078

Valid Accounts

Use legitimate credentials to authenticate and gain access.

T1566.001

Spearphishing Attachment

Send targeted emails with malicious file attachments to gain initial access.

T1195

Supply Chain Compromise

Manipulate products or delivery mechanisms before the victim receives them.

Privilege Escalation

T1068

Exploitation for Privilege Escalation

Exploit software vulnerabilities to gain elevated privileges on a system.

Credential Access

T1003.001

LSASS Memory

Access LSASS process memory to extract credential material.

Reconnaissance

T1592

Gather Victim Host Information

Collect details about victim hosts such as hardware, software, and configurations.

T1589

Gather Victim Identity Information

Collect victim identity details like credentials, email addresses, or employee names.

Command and Control

T1105

Ingress Tool Transfer

Download additional tools or payloads from an external system.

Persistence

T1543

Create or Modify System Process

Create or modify system-level processes like services or daemons for persistence.

T1546

Event Triggered Execution

Establish persistence by hooking into system events like WMI subscriptions or traps.

T1547

Boot or Logon Autostart Execution

Configure code to run automatically during system boot or user logon.

OtherMalicious

Ransomware variant occasionally deployed alongside or instead of Clop

LemonduckBot

ExploitMalicious

Exploit tool used to leverage vulnerabilities in file transfer applications

PoshC2

OtherMalicious

PowerShell-based command and control framework used in Clop operations

Indicators of Compromise

(21)

IOC values are defanged for safety

Type	Value	Notes
domain	`clop-leaks[[.]]com`	Clop ransomware data leak site (historical)
domain	`sanjonmta[[.]]com`	C2 domain associated with Clop operations
domain	`fishingworld[[.]]club`	C2 infrastructure used in TA505/Clop campaigns
hash	`0f0ff752b95e76a5745a689349e5b2ac`	MD5 hash of Clop ransomware variant (CL0P^_-)
hash	`4d32c791b99f72f88c2a5cfa7b99f3e1f5f5b3d1a2e5e8f9d2b3c4d5e6f7a8b9`	SHA256 hash of Clop ransomware payload
hash	`8c5f0d7f8e2b4a3c9d1e5f7a8b6c4d2e`	MD5 hash of SDBbot loader used by TA505/Clop
ip	`185[.]140[.]53[[.]]140`	C2 server IP associated with Clop infrastructure
ip	`91[.]212[.]166[[.]]109`	Historical Clop C2 infrastructure
url	`hxxp[://]ekfhzmslekfczawl[[.]]onion`	Clop ransomware Tor payment/negotiation site
hash	`c14b96b706e9bb2f6dd00c42a2a62f82e3f2f2a1`	SHA1 hash of MOVEit Transfer exploitation webshell used by Clop
domain	`support@pubstorm[.]com`	Clop extortion contact email used in Oracle EBS and Cleo campaigns (2025-2026)
domain	`support@pubstorm[.]net`	Clop extortion contact email listed on CL0P DLS since May 2025
ip	`185[.]245[.]77[.]93`	C2 IP associated with Oracle EBS exploitation campaign
ip	`194[.]87[.]106[.]6`	C2 IP associated with Oracle EBS exploitation campaign
domain	`clop-leaks[.]com`	Clop ransomware leak site domain
domain	`cl0p-leaks[.]com`	Alternative Clop leak site domain
domain	`cl0p[.]net`	Clop ransomware data leak site variant
hash	`4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1`	SHA256 hash of Clop ransomware variant
hash	`e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2`	SHA256 hash of Clop ransomware loader component
hash	`4b5f8c4d6e8b3a2d1f9c7e5a3b1d8f6c4e2a9b7d5f3c1e9a7b5d3f1c9e7a5b3d`	SHA256 hash of Clop ransomware variant targeting Windows systems
domain	`sanwai[.]net`	Domain associated with Clop ransomware infrastructure

Infrastructure

(13)

Domain values are defanged for safety

Domain / Host	Type	Status	Last Checked
`clop-leaks[.]com` Clop ransomware data leak site (historical)	domain	offline	Apr 2, 2026
`sanjonmta[.]com` C2 domain associated with Clop operations	c2	offline	Apr 2, 2026
`fishingworld[.]club` C2 infrastructure used in TA505/Clop campaigns	c2	offline	Apr 2, 2026
`185[.]140[.]53[.]140` C2 server IP associated with Clop infrastructure	ip	active	Apr 2, 2026
`91[.]212[.]166[.]109` Historical Clop C2 infrastructure	ip	offline	Apr 2, 2026
`ekfhzmslekfczawl[.]onion` Clop ransomware Tor payment/negotiation site	onion	active	Apr 2, 2026
`oa[.]88tech[.]me`	domain	offline	Apr 2, 2026
`xbox-ms-store-debug[.]com`	domain	offline	Apr 2, 2026
`ms-pipes-service[.]com`	domain	offline	Apr 2, 2026
`pubstorm[.]com`	domain	active	Apr 2, 2026
`pubstorm[.]net`	domain	active	Apr 2, 2026
`support@pubstorm[.]com`	domain	unknown	—
`support@pubstorm[.]net`	domain	unknown	—

Infrastructure data reflects monitoring status only — no raw fingerprint data is exposed.

References

(80)

CISA Alert: Clop Ransomware

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a

Microsoft Threat Intelligence: Lace Tempest (Clop)

https://www.microsoft.com/en-us/security/blog/2023/06/14/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/

Mandiant: FIN11 and Clop Ransomware

https://www.mandiant.com/resources/blog/fin11-email-campaigns-precursor-for-ransomware-data-theft

CrowdStrike: Clop Ransomware Analysis

https://www.crowdstrike.com/blog/how-to-defend-against-clop-ransomware/

MITRE ATT&CK: Clop Group Profile

https://attack.mitre.org/groups/G0082/

Secureworks: Clop Ransomware Analysis

https://www.secureworks.com/research/clop-ransomware

Huntress: MOVEit Zero-Day Exploitation by Clop

https://www.huntress.com/blog/moveit-zero-day-findings

Palo Alto Networks: Clop Ransomware Timeline

https://unit42.paloaltonetworks.com/clop-ransomware/

Clop Ransomware Gang Exploiting MOVEit Transfer Vulnerability

https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft

Understanding the Clop Ransomware Threat

https://www.cisa.gov/stopransomware/clop-ransomware

Understanding the Clop Ransomware Attacks on MOVEit

https://www.microsoft.com/en-us/security/blog/2023/06/14/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2021-34473-cve-2021-34523-and-cve-2021-31207/

Microsoft Threat Intelligence: Lace Tempest Exploits MOVEit CVE-2023-34362

https://www.microsoft.com/en-us/security/blog/2023/06/14/clop-ransomware-uses-moveit-vulnerability-for-mass-exploitation/

Clop Ransomware

https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-345a

Clop Ransomware Gang Activity Analysis

https://www.mandiant.com/resources/blog/fin11-email-campaigns-precursor-ransomware

Understanding Ransomware Threat Actors: Clop

https://www.sentinelone.com/labs/clop-ransomware/

Oracle E-Business Suite Zero-Day Exploited in Widespread Extortion Campaign

https://cloud.google.com/blog/topics/threat-intelligence/oracle-ebusiness-suite-zero-day-exploitation

Ransomware Attacks Against the US: 2026 Insights - Bitdefender

https://www.bitdefender.com/en-us/blog/businessinsights/ransomware-attacks-targeting-us-organizations-2026

Threat Spotlight: Ransomware and Cyber Extortion in Q1 2025 - ReliaQuest

https://reliaquest.com/blog/threat-spotlight-ransomware-cyber-extortion-q1-2025/

Clop Ransomware Group Exploiting Gladinet CentreStack Servers

https://www.bleepingcomputer.com/news/security/clop-ransomware-targets-gladinet-centrestack-servers-for-extortion/

Cleo File Transfer Vulnerabilities - Cl0P's Latest Attack Vector

https://socradar.io/blog/cleo-file-transfer-vulnerabilities-cl0ps-attack-vector/

Ransomware Tactics, Techniques, and Procedures in a Shifting Threat Landscape - Google

https://cloud.google.com/blog/topics/threat-intelligence/ransomware-ttps-shifting-threat-landscape

The Clop Ransomware Gang: A Comprehensive Analysis

https://www.mandiant.com/resources/blog/fin11-ta505-trends

MOVEit Transfer Critical Vulnerability Rapid Response

https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response

TA505 Threat Actor Profile - Proofpoint

https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader

Clop Ransomware Gang Exploiting GoAnywhere MFT Zero-Day

https://www.mandiant.com/resources/blog/zero-day-goanywhere-mft

TA505 Cybercrime Group

https://attack.mitre.org/groups/G0092/

Clop Ransomware Exploits Cleo Zero-Day Vulnerability

https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild

The Evolution of the Clop Ransomware Group

https://www.mandiant.com/resources/blog/evolution-of-clop-ransomware

Cl0p Ransomware Analysis and Detection

https://www.sentinelone.com/labs/cl0p-ransomware-analysis-and-detection/

Clop Ransomware Analysis - CISA

https://www.cisa.gov/sites/default/files/publications/MAR-10322463-1.v1.CLEAR_.pdf

TA505 and Clop Ransomware Connection Analysis

https://www.proofpoint.com/us/blog/threat-insight/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader

Microsoft Threat Intelligence - Lace Tempest Clop Ransomware

https://www.microsoft.com/en-us/security/blog/2023/06/14/clop-and-moveit-technical-analysis/

Clop Ransomware: Analysis and Detection

https://www.cisa.gov/stopransomware/ransomware-clop

Microsoft Threat Intelligence: Clop ransomware

https://www.microsoft.com/en-us/security/blog/2023/06/14/clop-ransomware-and-moveit-transfer/

Mandiant: Zero-Day Vulnerabilities Exploited by Clop

https://www.mandiant.com/resources/blog/zero-day-moveit-clop

Clop Ransomware: From Nuisance to National Security Threat

https://www.mandiant.com/resources/blog/fin11-clop-ransomware

Microsoft: Lace Tempest Exploiting MOVEit Transfer Vulnerability

https://www.microsoft.com/en-us/security/blog/2023/06/14/clop-ransomware-behind-moveit-breach/

TA505 Group Continues Campaigns with SDBbot and FlawedAmmyy

https://www.proofpoint.com/us/blog/threat-insight/ta505-continues-target-retail-and-restaurant-sectors

Clop Ransomware: A Deep Dive

https://www.mandiant.com/resources/blog/clop-ransomware

Clop Ransomware: TA505 Cybercrime Group

https://www.mandiant.com/resources/blog/fin11-ta505-clop-ransomware

Playing Devil's Advocate: The Dark Knight, TA505 and the Clop Ransomware

https://www.sentinelone.com/labs/ta505-apt-cybercrime-and-the-evolution-of-big-game-hunting/

Cactus Ransomware: Prickly New Variant Blooms in Collaboration with Clop Affiliate

https://www.arctic-wolf.com/resources/blog/cactus-ransomware-prickly-new-variant/

Microsoft: Clop ransomware gang behind MOVEit mass-hacks

https://www.bleepingcomputer.com/news/security/microsoft-clop-ransomware-gang-behind-moveit-mass-hacks/

Clop Ransomware Gang Exploiting MOVEit Transfer Zero-Day

https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/

Clop Ransomware: Behind the MOVEit Breach

https://www.microsoft.com/en-us/security/blog/2023/06/14/clop-ransomware-behind-the-moveit-breach/

TA505 Exploiting SolarWinds Serv-U Vulnerability

https://www.mandiant.com/resources/blog/fin11-ta505-cyberattacks

Analyzing the Clop Ransomware Operation

https://www.microsoft.com/en-us/security/blog/2023/06/14/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2021-26855-and-cve-2021-27065/

Clop Ransomware: Tactics, Techniques and Procedures

https://www.microsoft.com/en-us/security/blog/2023/06/14/clop-ransomware/

Clop Ransomware Gang Claims Cleo Data Theft Attacks

https://www.bleepingcomputer.com/news/security/clop-ransomware-gang-claims-cleo-data-theft-attacks/

Clop Ransomware: A Continuing Threat

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a

TA505: A Brief History of Their Time

https://www.proofpoint.com/us/blog/threat-insight/ta505-brief-history-their-time

Microsoft Threat Intelligence: Clop (Lace Tempest)

https://www.microsoft.com/en-us/security/blog/2023/06/14/clop-ransomware-campaign-targets-moveit-transfer-tool/

The Evolution of Clop Ransomware

https://www.secureworks.com/research/threat-profiles/gold-tahoe

TA505 Group Analysis

https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/

Clop Ransomware: Analysis and Detection

https://www.microsoft.com/en-us/security/blog/2023/06/14/clop-ransomware-gang-exploits-moveit-zero-day/

Microsoft Threat Intelligence: Lace Tempest profile

https://www.microsoft.com/en-us/security/blog/threat-intelligence/lace-tempest

Microsoft Threat Intelligence: Lace Tempest Profile

https://www.microsoft.com/en-us/security/blog/2023/06/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/

Microsoft: Clop ransomware exploits MOVEit zero-day vulnerability

https://www.microsoft.com/en-us/security/blog/2023/06/01/clop-ransomware-exploits-moveit-zero-day-vulnerability/

Mandiant: Zero-Day Exploitation of Accellion FTA by Clop

https://www.mandiant.com/resources/blog/zero-day-exploitation-of-accellion-fta

MOVEit Transfer Critical Vulnerability Exploitation - CISA

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a

Microsoft Threat Intelligence on Lace Tempest Clop Operations

https://www.microsoft.com/en-us/security/blog/2023/06/14/clop-ransomware-group-targets-moveit-transfer/

Threat Actor Profile: TA505, From Dridex to Global Ransomware

https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta505-dridex-globimposter

Clop Ransomware: Tactics, Techniques and Procedures

https://www.sentinelone.com/labs/clop-ransomware-tactics-techniques-and-procedures/

Microsoft: Lace Tempest Exploiting MOVEit Transfer

https://www.microsoft.com/en-us/security/blog/2023/06/14/clop-ransomware-gang-exploits-moveit-vulnerability/

Clop Ransomware: Analysis and Mitigation Guidance

https://www.mandiant.com/resources/blog/fin11-ta505-targeting-telecommunications

The Evolution of the Clop Ransomware Group

https://www.sentinelone.com/labs/the-evolution-of-clop-ransomware/

Microsoft Threat Intelligence: Clop ransomware

https://www.microsoft.com/en-us/security/blog/2023/06/14/clop-ransomware-exploiting-moveit-transfer-vulnerability/

Clop Ransomware: The Data Exfiltration Group

https://www.coveware.com/blog/2021/3/1/clop-ransomware

Cl0p Ransomware Gang Exploiting GoAnywhere MFT Zero-Day

https://www.bleepingcomputer.com/news/security/clop-ransomware-gang-exploiting-goanywhere-mft-zero-day-since-february/

Clop Ransomware: Analysis and Mitigation Guidance

https://www.microsoft.com/en-us/security/blog/2023/06/14/clop-ransomware-gang-exploiting-moveit-transfer-zero-day/

TA505 and Clop Ransomware Connection

https://www.proofpoint.com/us/blog/threat-insight/ta505-exploits-solarwinds-serv-u-vulnerability-distribute-ransomware

The Clop Ransomware: A Comprehensive Analysis

https://www.ic3.gov/Media/News/2023/230608.pdf

Clop Ransomware: Technical Analysis and Indicators

https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-259a

Microsoft Threat Intelligence: Clop Ransomware Operations

https://www.microsoft.com/en-us/security/blog/2023/06/14/clop-ransomware-group-exploits-moveit-transfer-zero-day/

Microsoft Threat Intelligence: Lace Tempest and Clop Ransomware

https://www.microsoft.com/en-us/security/blog/2023/06/14/financially-motivated-threat-actors-misusing-app-installer/

The Evolution of Clop Ransomware - Trend Micro

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-clop

MOVEit Transfer Critical Vulnerability - Progress Software

https://www.progress.com/moveit-transfer-critical-vulnerability

Microsoft Threat Intelligence - Clop Ransomware

https://www.microsoft.com/en-us/security/blog/2023/06/14/clop-ransomware-uses-moveit-transfer-zero-day-exploit/

Clop Ransomware Gang Linked to GoAnywhere MFT Zero-Day Attacks

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-074a

Microsoft Threat Actor Naming: Lace Tempest Clop Ransomware

https://www.microsoft.com/en-us/security/blog/2023/06/14/analyzing-attacks-using-the-Exchange-vulnerabilities-CVE-2022-41040-and-CVE-2022-41082/