# CL0P

# Adversary Overview
Active since at least 2019, CL0P is a ransomware family associated with the TA505 cybercriminal group and possibly FIN11. Its operators have historically gained initial access through phishing campaigns, often delivering macro-enabled Office documents that drop malicious loaders. Like most current ransomware operations, CL0P follows a "steal, encrypt, and leak" model: data is exfiltrated before files are encrypted, encrypted files are renamed with an appended extension (for example, .clop), and victims who do not pay are threatened with publication of the stolen data on the group's Tor leak site, CL0P^_-LEAKS. More recent campaigns have shifted from phishing toward mass exploitation of vulnerabilities in managed file transfer products, notably GoAnywhere MFT and MOVEit Transfer in 2023; these produced large-scale data breaches and prompted U.S. authorities to offer a reward for information on the group's members. Because the operation is financially motivated, its targeting is opportunistic rather than tied to any particular region or sector. This willingness to change intrusion methods, combined with the scale of its campaigns, makes CL0P one of the most significant ransomware threats in operation today.
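The encryption stage described above leaves a simple, high-signal artifact: many files on one host renamed to a known ransomware extension in a short time. The following script, added here as an illustration and not code from the profile or from any CL0P tooling, scans file-rename events for such a burst. The event format (timestamp, host, user, old path, new path) and the sample events are constructed for the example; only the .clop extension comes from the text, and the extension set, window and threshold are placeholders to be tuned from your own telemetry and intel feeds.

```python
"""Flag bursts of file renames to a ransomware extension (e.g. .clop).

Added example: hypothetical rename-event format and constructed sample data.
"""
import os
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Extensions to watch. Only ".clop" comes from the profile above; extend
# this set from your own intelligence sources.
SUSPECT_EXTENSIONS = {".clop"}

# Constructed sample events (not real telemetry). One event per line:
# <ISO timestamp> <host> <user> <old path> <new path>
SAMPLE_EVENTS = """\
2024-05-01T09:00:00 FS01 jdoe C:\\Share\\q1.xlsx C:\\Share\\q1-final.xlsx
2024-05-01T09:30:00 FS01 svc_backup C:\\Share\\a.docx C:\\Share\\a.docx.clop
2024-05-01T09:30:01 FS01 svc_backup C:\\Share\\b.docx C:\\Share\\b.docx.clop
2024-05-01T09:30:01 FS01 svc_backup C:\\Share\\c.pdf C:\\Share\\c.pdf.clop
2024-05-01T09:30:02 FS01 svc_backup C:\\Share\\d.pptx C:\\Share\\d.pptx.clop
2024-05-01T09:30:02 FS01 svc_backup C:\\Share\\e.xlsx C:\\Share\\e.xlsx.clop
2024-05-01T11:00:00 FS02 asmith C:\\Users\\asmith\\test.txt C:\\Users\\asmith\\test.txt.clop
"""


@dataclass
class RenameEvent:
    ts: datetime
    host: str
    user: str
    old_path: str
    new_path: str


def parse_events(text: str) -> list[RenameEvent]:
    """Parse the hypothetical whitespace-separated rename log."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, old_path, new_path = line.split()
        events.append(RenameEvent(datetime.fromisoformat(ts), host, user, old_path, new_path))
    return events


def is_suspect_rename(ev: RenameEvent) -> bool:
    """True when the new name ends in a watched extension (case-insensitive)."""
    ext = os.path.splitext(ev.new_path)[1].lower()
    return ext in SUSPECT_EXTENSIONS


def detect_bursts(events, window=timedelta(seconds=60), threshold=5):
    """Return one alert per (host, user) that performs at least `threshold`
    suspect renames inside any sliding window of length `window`.

    A single rename to .clop (a test file, a false positive) does not alert
    at the default threshold; a burst from one actor does.
    """
    by_actor = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if is_suspect_rename(ev):
            by_actor[(ev.host, ev.user)].append(ev.ts)

    alerts = []
    for (host, user), stamps in by_actor.items():
        start = 0
        for end in range(len(stamps)):
            # Advance the window start until the span fits inside `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "host": host,
                    "user": user,
                    "first_seen": stamps[start].isoformat(),
                    "count": end - start + 1,
                })
                break  # one alert per actor is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {alert['host']} {alert['user']} "
              f"{alert['count']} suspect renames from {alert['first_seen']}")
```

The benign rename by jdoe and the lone test file on FS02 are ignored at the default threshold; the five renames by svc_backup within two seconds on FS01 produce a single alert. In practice the threshold should be low enough to fire before an encryptor has touched more than a small fraction of a share, and the same sliding-window logic can be pointed at any rename telemetry (EDR, file server audit logs, SMB captures) once parsed into the same fields.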