
Cl0p / TA505: Threat Actor Profile

Cl0p turned zero-day exploitation into an industrial mass-extortion playbook — MOVEit alone yielded $100M+ — making it one of the most financially productive 'few clicks, many victims' crews of the era. A full profile.

Reviewed & fact-checked against primary sources by the TI News Feed Editorial Team. See our editorial & corrections policy.

Cl0p is less important as a mere ransomware family than as a playbook for industrialized zero-day data extortion. TA505, the broader criminal cluster long associated with Cl0p, is described by MITRE as a group that has driven global malware-distribution trends and ransomware campaigns involving Cl0p.

Cl0p: at a glance

  • Aliases: Clop, Cl0p; TA505 aliases include Hive0065, Spandex Tempest, CHIMBORAZO; overlaps with FIN11 and Lace Tempest
  • Country / affiliation: Russian-speaking cybercrime ecosystem
  • Assessed status (as of July 2026): Active
  • Primary objectives: Mass data theft, pure extortion, opportunistic ransomware, and zero-day exploitation
  • Financial impact: >$100 million from the MOVEit mass-extortion wave alone, per Chainalysis data reported by Wired
  • Type: ransomware + zero-day mass-extortion crew

Who is Cl0p?

Chainalysis data reported by Wired said the 2023 MOVEit wave alone generated more than $100 million, and Cl0p repeated the same downstream mass-extortion logic in late 2025 with Oracle E-Business Suite. That makes Cl0p one of the most financially productive 'few clicks, many victims' crews of the era.

Aliases and attribution

Cl0p operates within the Russian-speaking cybercrime ecosystem, overlapping with TA505, FIN11, and the Microsoft-tracked 'Lace Tempest' cluster; such overlaps are typical of the messy attribution around financially motivated threat groups. Its signature is exploiting a single zero-day in a widely deployed product (a supply-chain style compromise) to breach hundreds of organizations at once.

Financial impact and damage

The 2023 MOVEit campaign is the benchmark: by exploiting one zero-day in the widely used MOVEit Transfer file-transfer tool, Cl0p breached thousands of organizations and, per Chainalysis, generated more than $100 million in extortion. Cl0p pioneered the shift from encryption to pure data-theft extortion and repeated the model against Oracle E-Business Suite in 2025, cementing its place in the era's ransomware statistics.

Cl0p timeline

  • 2019: Cl0p first observed
  • 2020-2022: Ransomware and extortion campaigns, including Accellion FTA zero-day abuse
  • 2023: MOVEit mass-extortion wave breaches thousands of organizations
  • 2025: Oracle E-Business Suite zero-day wave repeats the model

Notable attacks and campaigns

The MOVEit campaign (2023) affected government agencies, universities, and Fortune 500 firms downstream of a single file-transfer product. Cl0p typically skips encryption entirely, stealing data and threatening publication on its leak site. Its repeated targeting of managed file-transfer and ERP platforms shows a deliberate strategy of maximizing victims per exploit.

Tactics, techniques, and procedures (TTPs)

The techniques below are compact, high-confidence mappings to the MITRE ATT&CK framework, drawn from the group's MITRE ATT&CK profile and corroborating government and vendor reporting. The live ATT&CK matrix remains the authoritative reference for full coverage.

  • T1190 — Exploit Public-Facing Application: MOVEit (2023) and Oracle EBS (2025) exemplify Cl0p's mass-exploitation model. Prioritize edge-patch SLAs, compensating controls, and emergency virtual patching for file-transfer / ERP platforms.
  • T1562 — Disable or Modify Tools: Cl0p can disable or uninstall security products. Alert on AV uninstall, tamper-protection disablement, and security-service stoppage.
  • T1083 — File and Directory Discovery: Cl0p performs recursive folder discovery before collection. Hunt for unusual recursive enumeration on file servers and transfer appliances.

Detection and defense against Cl0p

Cl0p lives on unpatched internet-facing software, so edge-patch discipline is the single highest-leverage defense:

  • Prioritize aggressive patch SLAs and virtual patching for file-transfer and ERP platforms.
  • Apply compensating controls (WAF, access restrictions) around internet-facing managed-transfer software.
  • Alert on security-product uninstall and tamper-protection disablement.
  • Hunt for recursive file enumeration on file servers and transfer appliances.
  • Monitor outbound bulk data transfer — Cl0p steals data rather than encrypting it.
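The T1083 and exfiltration items above can be turned into a concrete hunt over a file-transfer server's access log. The following Python script is an added example, not code from the original page or from any vendor; the log format, the sample lines and the thresholds (four distinct directory listings, 500 MiB of downloads per client) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access log from a hypothetical managed file-transfer server
# (assumed format, not MOVEit's or EBS's): client_ip method path status bytes
SAMPLE_LOG = """\
10.0.5.7 GET /files/finance/Q1.xlsx 200 20480
10.0.5.7 GET /files/hr/list 200 1024
203.0.113.9 GET /files/ 200 512
203.0.113.9 GET /files/finance/ 200 512
203.0.113.9 GET /files/hr/ 200 512
203.0.113.9 GET /files/legal/ 200 512
203.0.113.9 GET /files/engineering/ 200 512
203.0.113.9 GET /files/finance/archive.zip 200 734003200
203.0.113.9 GET /files/hr/payroll.zip 200 524288000
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+)$")

def parse(log_text):
    """Yield (ip, method, path, status, bytes); malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, method, path, status, nbytes = m.groups()
            yield ip, method, path, int(status), int(nbytes)

def find_suspicious(log_text, bulk_bytes=500 * 1024 ** 2, dir_threshold=4):
    """Return {ip: [reasons]} for clients that enumerate many distinct
    directories (recursive discovery, T1083) or pull bulk data (exfiltration)."""
    dirs = defaultdict(set)    # ip -> distinct directory listings requested
    egress = defaultdict(int)  # ip -> total bytes of successful downloads
    for ip, method, path, status, nbytes in parse(log_text):
        if method != "GET" or status != 200:
            continue
        if path.endswith("/"):
            dirs[ip].add(path)
        else:
            egress[ip] += nbytes
    findings = defaultdict(list)
    for ip, seen in dirs.items():
        if len(seen) >= dir_threshold:
            findings[ip].append(f"enumerated {len(seen)} directories")
    for ip, total in egress.items():
        if total >= bulk_bytes:
            findings[ip].append(f"downloaded {total} bytes")
    return dict(findings)
```

In production the same aggregation should be keyed on an authenticated account as well as the client IP, and thresholds baselined against normal transfer volume for the platform.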

The bottom line

Cl0p reinvented ransomware economics by turning single zero-days into thousand-victim extortion waves — a model that keeps it among the most financially productive crews active in 2026.

Frequently asked questions

What is Cl0p ransomware?

Cl0p (also written Clop) is a Russian-speaking cybercrime operation, part of the TA505 cluster, known for industrialized zero-day mass extortion rather than traditional encryption ransomware.

What was the MOVEit attack?

In 2023, Cl0p exploited a zero-day vulnerability in the MOVEit Transfer file-transfer tool to steal data from thousands of organizations at once, generating more than $100 million in extortion per Chainalysis.

How does Cl0p differ from other ransomware?

Cl0p increasingly skips file encryption entirely, focusing on stealing data via zero-day exploits in widely used software and threatening to publish it — a 'few clicks, many victims' extortion model.

Is Cl0p still active?

Yes. Cl0p remains active and repeated its mass-extortion playbook against Oracle E-Business Suite in 2025.
