Clop (sometimes stylized Cl0p) is a ransomware-as-a-service operation that emerged in 2019 as a variant of the CryptoMix family. The group is widely assessed by Western cybersecurity firms and government agencies to be linked to the Russian-speaking threat cluster tracked as TA505 or FIN11. Clop is notable for pioneering the "double extortion" model at scale: encrypting victim systems while also exfiltrating data and threatening to publish it on a dedicated leak site.
Rather than relying solely on phishing, Clop has repeatedly weaponized zero-day vulnerabilities in widely used managed file-transfer (MFT) products. Major campaigns include:
- The Accellion FTA breaches of late 2020 and early 2021, affecting universities, law firms, and the Reserve Bank of New Zealand.
- The Fortra GoAnywhere MFT exploitation in early 2023 (CVE-2023-0669).
- The MOVEit Transfer campaign in mid-2023 (CVE-2023-34362), which the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and FBI publicly attributed to Clop. The MOVEit campaign affected hundreds of organizations, including U.S. federal agencies, state governments, the BBC, British Airways, and Shell.
Clop's tactics have shifted from traditional encryption-for-ransom toward pure data-theft extortion, where victims are pressured to pay to prevent publication on the group's Tor-based leak portal. The U.S. State Department's Rewards for Justice program has offered bounties for information on ransomware actors linked to foreign governments, and U.S., U.K., and Ukrainian authorities have conducted arrests of suspected affiliates, including a June 2021 operation by Ukrainian police that detained six individuals linked to Clop money-laundering infrastructure.
For policy researchers, Clop illustrates the durability of ransomware ecosystems despite law-enforcement disruption, the strategic risk posed by software supply-chain dependencies, and the limits of sanctions in deterring cybercriminals operating from non-cooperative jurisdictions.
Example
In June 2023, CISA and the FBI issued a joint advisory attributing the mass MOVEit Transfer breach—affecting victims from the U.S. Department of Energy to British Airways—to the Clop ransomware group.
Frequently asked questions
There is no public evidence of direct state control, but Western agencies assess Clop operators are Russian-speaking and operate from jurisdictions that do not extradite cybercriminals to the West.
Keep learning