Most ransomware groups go after one organisation at a time. Cl0p, also written as Clop, with a stylised zero, built a different model. By acquiring or developing zero-day vulnerabilities in widely deployed file-transfer software, the group could compromise hundreds of organisations in a single weekend, exfiltrate their data, and skip the encryption stage entirely. Cl0p’s three big campaigns, Accellion (2020–2021), GoAnywhere MFT (2023), and MOVEit Transfer (2023), collectively produced thousands of victims across every major economy and forced an industry-wide rethink of how data-transfer software is procured and audited.
Origins
Cl0p first appeared in early 2019 as a variant of the CryptoMix family. The group is associated with the Russian-speaking threat actor cluster tracked as TA505 (also FIN11), one of the longer-running organised cybercrime crews. Early Cl0p operations followed the standard double-extortion playbook: phishing-led intrusions, lateral movement, data theft, encryption, leak-site listing. The locker itself was technically capable but unremarkable. The brand might have remained a mid-tier operator if the operation had not pivoted, around 2020, to mass-exploitation campaigns against managed file-transfer platforms.
The Accellion campaign (2020–2021)
In late 2020, Cl0p began exploiting a chain of vulnerabilities in Accellion’s File Transfer Appliance (FTA), an end-of-life enterprise file-transfer product still in use at hundreds of organisations. The compromises produced a long list of victims: Kroger, Shell, Qualys, the University of California system, the Reserve Bank of New Zealand, the Australian Securities and Investments Commission, and many others. Stolen data was published on the Cl0p leak site over the course of months. It was the operation’s first proof-of-concept that one zero-day in a widely deployed appliance could yield more victims than a year of conventional intrusions.
The Ukrainian arrests of 2021
In June 2021 Ukrainian and South Korean police arrested six individuals in Kyiv accused of laundering money for Cl0p, seizing computers, cars, and roughly $185,000 in cash. The Ukrainian National Police described the operation as a "transnational criminal group." Crucially, the arrests appear to have hit the laundering and cash-out arm rather than the core operators: Cl0p’s leak site went briefly quiet and then resumed activity within weeks. It was an early demonstration that arresting peripheral members of a Russian-protected operation does not stop it.
The GoAnywhere MFT campaign (early 2023)
In late January 2023, Fortra disclosed a remote code execution vulnerability in GoAnywhere MFT (CVE-2023-0669). Cl0p had already been exploiting it. Within weeks the group claimed to have stolen data from more than 130 organisations, including Procter & Gamble, the City of Toronto, Hatch Bank, Saks Fifth Avenue, Hitachi Energy, Rubrik, and US healthcare provider Community Health Systems. There was little encryption; the operation was almost entirely data theft and extortion.
The MOVEit Transfer campaign (mid-2023)
The MOVEit campaign was Cl0p’s masterpiece, and one of the most consequential supply-chain incidents in the history of the internet. In late May 2023, Progress Software disclosed a critical SQL-injection vulnerability in MOVEit Transfer (CVE-2023-34362). Cl0p had been quietly exploiting it for at least a month, deploying a custom web shell ("LEMURLOOT") to exfiltrate data from MOVEit deployments at remarkable scale.
By the time the dust settled, the breach affected an estimated 2,700+ organisations and 90+ million individuals. Victims included British Airways, the BBC, Boots, the US Department of Energy, several US state governments, Shell, EY, PwC, the Oregon Department of Transportation, the New York City Department of Education, Maximus (a US federal contractor handling sensitive data on tens of millions of Americans), and on, and on.
Cl0p’s negotiation strategy was unusual. The group declined to demand specific ransoms. Instead, it published a notice on its leak site directing victims to contact them by a stated deadline; victims who did not engage would be listed and their data leaked progressively. The volume of victims was so large that the operators struggled to even host the stolen data, eventually mirroring it across multiple Tor sites and even, in a strange experiment, torrent files.
The financial impact is hard to estimate precisely. Industry analysts have placed Cl0p’s MOVEit revenue between $75 million and $100 million in extortion payments, with overall victim recovery and notification costs likely exceeding $10 billion across the affected organisations.
TTPs and tradecraft
Cl0p’s signature is patient, technically sophisticated zero-day acquisition or development against managed file-transfer products. The group invests in custom tooling (LEMURLOOT for MOVEit, the bespoke DEWMODE web shell for Accellion) and operates with discipline. Where other operators throw together opportunistic campaigns, Cl0p plans for months and executes in a single, devastating window.
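The pattern the MOVEit and Accellion sections describe, a web shell dropped on a file-transfer server followed by bulk downloads, is what a defender's log review should look for. The following is an added detection example (not Cl0p tooling or any vendor's code); the log format, the /login.aspx baseline, the shell path and the client addresses are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in a simplified IIS W3C-style field order:
# date time cs-method cs-uri-stem c-ip sc-status sc-bytes
SAMPLE_LOG = """\
2023-05-28 02:11:03 GET /login.aspx 203.0.113.5 200 5120
2023-05-28 02:11:09 POST /api/v1/token 203.0.113.5 200 812
2023-05-28 02:12:41 POST /hypothetical_shell.aspx 203.0.113.5 200 640
2023-05-28 02:13:02 GET /api/v1/files/download 203.0.113.5 200 734003200
2023-05-28 02:13:55 GET /api/v1/files/download 203.0.113.5 200 512000000
2023-05-28 02:15:10 GET /login.aspx 198.51.100.20 200 5120
2023-05-28 02:15:12 GET /api/v1/files/download 198.51.100.20 200 20480
"""

# Baseline of server-side script paths the (hypothetical) product legitimately serves.
KNOWN_SCRIPTS = {"/login.aspx"}

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"(?P<ip>\S+) (?P<status>\d+) (?P<bytes>\d+)$"
)

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            yield rec

def analyze(log_text, known_scripts=KNOWN_SCRIPTS, exfil_threshold=1_000_000_000):
    """Return (unknown_script_hits, bulk_downloaders).

    unknown_script_hits: (ip, path) pairs where an .aspx outside the baseline
    answered 200, i.e. a server-side script nobody deployed on purpose.
    bulk_downloaders: {ip: bytes} for clients served more than exfil_threshold.
    """
    unknown, served = [], defaultdict(int)
    for r in parse(log_text):
        if r["status"] != "200":
            continue
        if r["path"].lower().endswith(".aspx") and r["path"] not in known_scripts:
            unknown.append((r["ip"], r["path"]))
        served[r["ip"]] += r["bytes"]
    return unknown, {ip: b for ip, b in served.items() if b > exfil_threshold}

def correlated_sources(log_text, **kw):
    """Clients that both used an unknown script and pulled bulk data: highest priority."""
    unknown, bulk = analyze(log_text, **kw)
    return sorted({ip for ip, _ in unknown} & set(bulk))
```

The byte threshold and baseline set must be tuned per deployment; on a busy transfer server the correlation in correlated_sources is what keeps the alert rate manageable.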
The group has also experimented with pure-extortion models, deploying little or no encryption against many victims and threatening only data publication. For organisations whose primary regulatory exposure is around personal data, that has proven sufficient leverage.
Sanctions and ongoing activity
In June 2023 the US Treasury sanctioned individuals associated with TA505/Cl0p infrastructure. Several indictments have been unsealed against alleged members. The group has not been visibly disrupted; it continues to run periodic campaigns, including the late-2024 exploitation of vulnerabilities in Cleo file-transfer products, which produced another wave of high-profile victims.
What Cl0p taught the industry
Cl0p’s contribution to the threat landscape is the demonstration that the most efficient form of mass extortion is a zero-day in a piece of software with a large, vulnerable, hard-to-patch installed base. The group has reframed how defenders think about file-transfer software, third-party risk, and the asset inventory question ("what software do we have on the perimeter that we are not patching fast enough?"), and has made an entire category of enterprise products substantially less popular.
If LockBit defined the industrial RaaS, Cl0p defined the industrial zero-day extortion campaign. Both models are still in use, and Cl0p, unlike LockBit, has not yet had its Operation Cronos moment.
