Decoding the Clop Ransomware Empire: Formation, Tactics, and Global Menace

By Ashish S

Clop is one of the rare ransomware brands that became more dangerous after it started encrypting less. In the last few years, the group has repeatedly shown that shutting down a victim’s network is optional. What matters is taking the data, proving it, and pricing the fear that comes with exposure. That shift has helped Clop scale campaigns in a way old school “encrypt everything” crews struggled to match.

That scale is not accidental. Clop has leaned hard into high impact entry points, especially managed file transfer platforms that sit at the intersection of partners, payroll providers, suppliers, and customers. When one of those systems falls, dozens or hundreds of downstream organizations can be pulled into the blast radius without Clop needing to compromise each one the slow way.

From ransomware crew to industrialized extortion

Clop, sometimes written as Cl0p, is commonly tracked as part of the TA505 ecosystem by multiple defenders and government sources. TA505 has been active for years and is associated with financially motivated intrusion tradecraft that ranges from phishing-led access to post exploitation toolchains built for speed and repeatability.

The group’s modern “signature” is not a particular encryptor binary. It is the combination of mass exploitation, quiet web shell deployment, aggressive data theft, and a leak operation engineered to amplify pressure. Once victims are named, the negotiation is less about restoring systems and more about controlling reputational and regulatory fallout.

Why Clop became synonymous with zero day supply chain hits

Many ransomware actors rely on stolen credentials, RDP exposure, or commodity phishing. Clop does those too, but it stands out for repeatedly selecting enterprise software that is both internet facing and trusted. File transfer platforms are a perfect example because they often handle sensitive data at rest, process it in bulk, and are expected to be reachable from the outside.

That choice explains why Clop campaigns often “spike” suddenly, then spread through industries that have nothing in common except a shared vendor. The story is less “targeted hacking” and more “find the chokepoint and monetize everyone around it.”

The playbook: access, web shell, exfiltration, leverage

In the most disruptive Clop campaigns, initial access came through exploited software rather than a user’s click. After exploitation, responders frequently observe server-side artifacts that exist to do one job: maintain silent access long enough to pull data out at scale.

In the Accellion FTA wave, investigators documented the use of a custom web shell known as DEWMODE, which supported data theft and extortion across many impacted customers of the legacy appliance.

In the MOVEit wave, multiple sources describe a distinct web shell, LEMURLOOT, deployed on internet facing MOVEit Transfer systems and used for large scale theft. It was not a “click to run” payload. It was planted server side and used like a siphon.

Once data is staged and exfiltrated, the extortion mechanics kick in. Victims are pushed toward Tor based negotiation channels and leak sites. Timers, proof packs, and selective sample releases are used to make the threat feel immediate and to frame the victim as the party responsible for what happens next.

Key campaigns that shaped Clop’s reputation

Accellion FTA (late 2020 to 2021): Threat actors exploited multiple Accellion FTA zero day vulnerabilities, planted DEWMODE, and stole data from a large set of organizations using the legacy appliance. This is one of the earliest clear examples of the group’s preference for exploiting trusted transfer infrastructure rather than fighting their way through endpoints one by one.

GoAnywhere MFT (early 2023): Clop operators were widely linked to exploitation of CVE-2023-0669, with reporting indicating rapid victim accumulation over a short window and a strong emphasis on theft and public naming.

MOVEit Transfer (May to June 2023): A defining moment. Mandiant and others observed exploitation of CVE-2023-34362 beginning in late May 2023, leading to web shell deployment and data theft at scale. This campaign put the “supply chain extortion” model in the mainstream, with downstream vendors and customers dragged into disclosure obligations.

Cleo file transfer (late 2024): Threat reporting tracked Clop activity to Cleo Harmony, VLTrader, and LexiCom, including discussion of high severity issues (including CVE-2024-50623 and CVE-2024-55956) associated with data theft operations.

Oracle E-Business Suite (2025 attribution): Threat reporting in 2025 associated Clop with exploitation activity against Oracle EBS, including CVE-2025-61882, underscoring that the group’s “enterprise edge” strategy extends beyond file transfer tooling when the payoff looks right.

Why Clop often skips encryption now

Encryption is noisy. It triggers rapid incident response, forces containment, and can shorten dwell time. Data theft, by comparison, can be slower, quieter, and more scalable, especially when your foothold is a server that already handles bulk transfers.

There is also a business logic to it. A victim that can restore from backups has leverage against classic ransomware. A victim whose sensitive files are already in an attacker’s hands has a different problem. Regulators, class actions, partner contracts, and public trust all become part of the extortion math, and Clop is unusually skilled at exploiting that pressure.

What defenders should focus on in 2026

If Clop has taught the industry anything, it is that perimeter “patch debt” in niche enterprise platforms creates systemic risk. These campaigns are often fast, sometimes measured in hours between first exploitation and significant theft. If you patch on a monthly rhythm but expose MFT or ERP systems to the internet, you are effectively betting your data on timing.

Teams that do better tend to combine three disciplines: aggressive external attack surface management, rapid emergency patch pipelines for internet facing services, and strong detection for web shell like behavior on application servers. EDR on endpoints helps, but Clop’s biggest wins have often started on servers where traditional workstation controls do not apply.

Indicators of Compromise

Use the following as investigation leads, not as a complete list. Infrastructure and tooling shift frequently, and many overlaps exist with other financially motivated actors. The items below are drawn from public advisories and threat reporting tied to major Clop campaigns.

  • Known web shells associated with major campaigns: DEWMODE (Accellion FTA), LEMURLOOT (MOVEit Transfer).
  • MOVEit web shell file naming reported in the field: LEMURLOOT was reported as an ASP.NET web shell, often installed as human2.aspx to resemble a legitimate MOVEit component.
  • Clop leak site infrastructure (Tor onion addresses reported in threat reporting):
    • hxxp://santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad[.]onion/
    • hxxp://toznnag5o3ambca56s2yacteu7q7x2avrfherzmz4nmujrjuib4iusad[.]onion/
    • hxxp://ekbgzchl6x2ias37[.]onion/
  • Exploited vulnerability patterns frequently associated with Clop campaigns: Accellion FTA CVE-2021-27101 through CVE-2021-27104, GoAnywhere CVE-2023-0669, MOVEit CVE-2023-34362, Cleo CVE-2024-50623 and CVE-2024-55956, Oracle EBS CVE-2025-61882.
  • Post exploitation tooling often reported alongside Clop activity: Cobalt Strike, SDBot, FlawedAmmyy, plus server side web shells for stealthy exfiltration.
  • Data theft signals on application servers: unusual outbound transfers, unexpected archiving activity, newly created web accessible files, or new ASPX files in web roots on internet facing transfer systems.
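As an added example, not code from the article or from any vendor's tooling, the following Python script implements the last signal in the list above (newly created or altered web-accessible script files in the web root of an internet-facing transfer server) and the "detection for web shell like behavior on application servers" discipline described earlier. It diffs a current listing of the web root against a known-good baseline of path-to-SHA-256 pairs and flags executable files that are new or changed. The file names, hashes and timestamps in `run_sample` are constructed sample data; the executable-extension list is an assumption a defender would tune per platform; the only name carried over from the article is `human2.aspx`.

```python
"""Baseline diff for the web root of an internet-facing transfer server.

Added example (not from the article or any vendor). Flags server-side
script files that appear or change relative to a known-good baseline.
"""
import hashlib
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Extensions the web server would execute. Assumption: a list tuned for an
# IIS/ASP.NET host; adjust for Java or PHP based transfer products.
EXECUTABLE_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp", ".php", ".jsp"}

# Web shell file name from public MOVEit reporting cited in the article.
KNOWN_SHELL_NAMES = {"human2.aspx"}


@dataclass(frozen=True)
class FileRecord:
    path: str        # path relative to the web root, forward slashes
    sha256: str      # hex digest of the file content
    mtime: datetime  # last modification time, UTC


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str
    severity: str


def _ext(path):
    dot = path.rfind(".")
    return path[dot:].lower() if dot != -1 else ""


def find_web_shell_candidates(current, baseline, now, recent=timedelta(hours=48)):
    """Compare a fresh walk of the web root against a known-good baseline.

    current:  iterable of FileRecord from the live server
    baseline: dict path -> sha256 recorded when the server was known good
    now:      timestamp used to judge whether a file was written recently
    """
    findings = []
    for rec in current:
        ext = _ext(rec.path)
        name = rec.path.rsplit("/", 1)[-1].lower()
        base_hash = baseline.get(rec.path)
        if name in KNOWN_SHELL_NAMES:
            # Flag even if present in the baseline: the baseline may have been
            # captured after the compromise.
            findings.append(Finding(rec.path, "name matches public web shell reporting", "high"))
        elif base_hash is None and ext in EXECUTABLE_EXTENSIONS:
            findings.append(Finding(rec.path, "executable file not in baseline", "high"))
        elif base_hash is not None and base_hash != rec.sha256 and ext in EXECUTABLE_EXTENSIONS:
            findings.append(Finding(rec.path, "executable file changed since baseline", "medium"))
        elif base_hash is None and now - rec.mtime <= recent:
            findings.append(Finding(rec.path, "new non-script file written recently", "low"))
    return findings


def walk_web_root(root):
    """Build FileRecords from a real directory tree (used for live runs)."""
    records = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            mtime = datetime.fromtimestamp(os.path.getmtime(full), tz=timezone.utc)
            records.append(FileRecord(rel, digest, mtime))
    return records


def _sha(text):
    return hashlib.sha256(text.encode()).hexdigest()


def run_sample():
    """Constructed sample: one tampered page, one planted shell, one new blob."""
    now = datetime(2023, 6, 1, tzinfo=timezone.utc)
    baseline = {
        "human.aspx": _sha("constructed legit page v1"),
        "machine.aspx": _sha("constructed legit page v1"),
        "css/site.css": _sha("body{}"),
    }
    current = [
        FileRecord("human.aspx", _sha("constructed legit page v1"), now - timedelta(days=400)),
        FileRecord("machine.aspx", _sha("constructed legit page v1 tampered"), now - timedelta(hours=3)),
        FileRecord("human2.aspx", _sha("constructed planted shell"), now - timedelta(hours=2)),
        FileRecord("css/site.css", _sha("body{}"), now - timedelta(days=400)),
        FileRecord("upload/tmp_4711.bin", _sha("blob"), now - timedelta(hours=1)),
    ]
    return find_web_shell_candidates(current, baseline, now)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.severity:6} {f.path}: {f.reason}")
```

For a live check, record the baseline with `walk_web_root` right after a clean install or patch, store the path-to-hash map off the server, and run the diff from a scheduled job; the hash comparison catches a shell appended to an existing page, which a pure "new file" search would miss.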

The uncomfortable takeaway

Clop’s evolution is a warning about where high margin cybercrime is headed. The group succeeds not because users click, but because critical business software is exposed, trusted, and hard to patch at speed. It also wins because it treats stolen data as the product, and disruption as optional.

In 2026, defending against Clop is less about hoping ransomware “does not run,” and more about preventing server side compromise in the first place. If your file transfer or enterprise apps touch regulated data, assume an attacker is already measuring your patch cadence and your external footprint.

Source credit: Research and public reporting synthesized from CISA’s #StopRansomware materials, Mandiant (Google Cloud), Fortinet FortiGuard Labs, Canada’s CCCS, Unit 42, and a Clop threat profile report by Blackpoint Cyber.

Ashish S
Ashish is a Cybersecurity Student with over 2 years of experience in Cybersecurity Research, Bug Bounty hunting and programming.