{
	"id": "403ef02f-bf70-4bec-aad7-edd5854ccc19",
	"created_at": "2026-04-06T00:10:36.593389Z",
	"updated_at": "2026-04-10T03:36:37.062021Z",
	"deleted_at": null,
	"sha1_hash": "04e93f56c477c3c5e082072af0141e3050ccade7",
	"title": "Ransomware Roundup - Cl0p | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1448624,
	"plain_text": "Ransomware Roundup - Cl0p | FortiGuard Labs\r\nBy Shunichi Imano, James Slaughter\r\nPublished: 2023-07-21 · Archived: 2026-04-05 23:47:40 UTC\r\nOn a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining\r\ntraction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers\r\nwith brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those\r\nvariants.\r\nThis edition of the Ransomware Roundup covers the Cl0p ransomware.\r\nAffected platforms: Microsoft Windows, Linux\r\nImpacted parties: Microsoft Windows, Linux Users\r\nImpact: Encrypts and exfiltrates victims’ files and demands ransom for file decryption and not to leak stolen files\r\nSeverity level: High\r\nRecently, the Cl0p ransomware group received a lot of media attention for compromising a large number of\r\norganizations by exploiting a recently-unpatched vulnerability in MOVEit Transfer (CVE-2023-34362), a\r\nmanaged file transfer (MFT) solution. Although there is no evidence that the threat actor used the encryptor in this\r\nparticular incident, the group exfiltrated data from victims and threatened them with ransom in exchange for not\r\nexposing the stolen information.\r\nThis blog provides insights into the Cl0p ransomware group’s activities over the past several years.\r\nNote that FortiGuard Labs released an Outbreak Alert for the MOVEit Transfer incident. Please refer to “Progress\r\nMOVEit Transfer SQL Injection Vulnerability” for additional information.\r\nWhat is Cl0p?\r\nThe history of Cl0p ransomware goes back to early 2019 and is typically associated with financially motivated\r\nthreat actor FIN11 (also known as TA505 and Snakefly), who is known to target organizations in North America\r\nand Europe. 
The Cl0p ransomware appears to be a descendant (or variant) of another ransomware, “CryptoMix”,\r\nwhich also has an association with FIN11. And CryptoMix is reportedly a hybrid of the ransomware variants\r\n“CryptXXX” and “CryptoWall”. However, that claim has not yet been independently verified by FortiGuard Labs.\r\nTypically, FIN11 unleashes Cl0p ransomware on a victim’s network to encrypt files after stealing information.\r\nHowever, the ransom note dropped by an older Cl0p ransomware variant, shown below, shows no evidence of\r\nFIN11 having exploited victim data, at least during the early period of Cl0p ransomware activity. It is estimated\r\nthat they only began exfiltrating victim information around the time the leak site described later in this report was\r\nset up.\r\nhttps://www.fortinet.com/blog/threat-research/ransomware-roundup-cl0p\r\nPage 1 of 11\n\nFigure 1: Files encrypted by an earlier version of the Cl0p ransomware\r\nFigure 2: Ransomware note dropped by an earlier version of the Cl0p ransomware\r\nAt some stage in its operations, the FIN11 group revised its strategy of deploying ransomware and shifted to\r\npurely exfiltrating information from victims for extortion. In fact, there is no evidence that the Cl0p ransomware\r\nwas deployed when the MOVEit Transfer vulnerability was recently exploited.\r\nDeployed Cl0p ransomware variants append a new file extension to the files they encrypt. Typical file extensions\r\ninclude, but are not limited to, “.Clop”, “.Cl0p”, “.C_L_O_P”, “.C_I_0P” and “.Cllp”. Cl0p ransomware ransom\r\nnotes are labeled “ClopReadMe.txt”, “README_README.txt” and “!!!_READ_!!!.RTF”.\r\nThe Cl0p threat actor is also associated with the use of the Cobalt Strike post-exploitation tool, web shells such as\r\nDEWMODE and LEMURLOOT, SDBot, and the FlawedAmmyy remote access trojan (RAT). 
FIN11 is also\r\nknown to use spear-phishing to target victims.\r\nFIN11 recently leveraged the MOVEit Transfer SQL injection vulnerability (CVE-2023-34362) to gain initial\r\nentry to victim networks. This was not the first time the group has exploited vulnerabilities. According to a report\r\npublished by the Health Sector Cybersecurity Coordination Center (HC3), the following vulnerabilities have been\r\npotentially exploited by this group:\r\nPaperCut MF/NG improper access control vulnerability (CVE-2023-27350, CVE-2023-27351)\r\nAccellion File Transfer Appliance vulnerabilities (CVE-2021-27101, CVE-2021-27102, CVE-2021-27103,\r\nCVE-2021-27104)\r\nWindows Netlogon elevation of privilege vulnerability (aka. ZeroLogon) (CVE-2020-1472)\r\nFortra GoAnywhere Managed File Transfer (MFT) Remote Code Execution (RCE) vulnerability (CVE-2023-0669)\r\nSolarWinds Serv-U remote memory escape vulnerability (CVE-2021-35211)\r\nF5.BIG-IP iControl REST authentication bypass vulnerability (CVE-2022-1388)\r\nApache Log4J Remote Code Execution (RCE) vulnerability (CVE-2021-44228)\r\nWhile earlier Cl0p ransomware variants only include an attacker’s contact email addresses, the ransom group\r\nsubsequently set up a data leak site on TOR in 2020 called “CL0P^_-LEAKS” to post information stolen from\r\nvictims.\r\nFigure 3: Duration of activity of the data leak site listed on the Cl0p ransomware TOR site.\r\nFigure 4: Main page of the Cl0p ransomware TOR site\r\nOn the TOR site, the ransomware group also states that its primary motivation is financial gain and that it is not\r\npolitically motivated in its choice of victims.\r\nFigure 5: Financial statement made by the Cl0p threat actor\r\nThe group also claims that it intends to attack commercial pharmaceutical companies, but not hospitals and 
social\r\ninstitutions.\r\nFigure 6: Cl0p’s statement on TOR for not attacking certain industry sectors\r\nFigure 7: Message to the Cl0p victims in regards with MOVEit Transfer vulnerability (CVE-2023-34362)\r\nPrevalence\r\nAs of July 15th, 2023, Fortinet's FortiRecon service listed 419 victim organizations on the Cl0p ransomware data\r\nleak site.\r\nFigure 8: The number of ransomware victims on the Cl0p data leak site per FortiRecon\r\nAccording to data collected through Fortinet's FortiRecon service, the Cl0p ransomware group preyed on several\r\nindustry sectors between January and June 2023, with business services leading the way, followed by software and\r\nfinance. When victim organizations are classified by country, the United States is in first place by a significant\r\nmargin. By region, nearly three-quarters of victims are located in North America and Europe.\r\nFigure 9: Top industry sectors and Cl0p ransomware victims locations in the first half of 2023 per FortiRecon\r\nThe FortiRecon data below indicates that the Cl0p ransomware has been more active in 2023 than 2022 and 2021.\r\nThe inactivity of the ransomware group from May to July 2021 could be attributed to the arrest of some Cl0p\r\nransomware operators in June 2021, though we cannot verify this.\r\nFigure 10: The number of Cl0p ransomware victims in 2021, 2022 and 2023 per FortiRecon\r\nLooking closely at the prevalence of Cl0p ransomware in the United States during the first half of 2023, Cl0p\r\nranked third behind LockBit and Blackcat (ALPHV) ransomware.\r\nFigure 11: Cl0p ransomware ranking in the United States in the first half of 2023 
per FortiRecon\r\nConclusion\r\nThe Cl0p ransomware has been around since early 2019, and its developers are still one of the most active\r\nransomware threat actors today. While they seem to have largely shifted from \"exfiltrating and encrypting data and\r\nextorting money\" to simply \"exfiltrating data and extorting money,\" affected organizations are just as impacted as\r\nbefore. As the group is known to exploit high-severity vulnerabilities, including the recently disclosed MOVEit\r\nTransfer vulnerability, patch management is critical to preventing attacks by the group.\r\nIOCs\r\nNote that a large number of Cl0p ransomware samples exist due to the high prevalence of the ransomware over\r\nthe past several years. Because of this, this section only contains a small number of samples from the ransomware\r\nfamily.\r\nProtection\r\nFortiGuard Labs has the following AV signatures in place for the Cl0p ransomware samples listed in the IOC\r\nsection:\r\nW32/Filecoder_cl0p.A!tr.ransom\r\nW32/Filecoder.7742!tr.ransom\r\nW32/HydraCrypt.S!tr.ransom\r\nW32/HydraCrypt.P!tr.ransom\r\nW32/Encoder.Q!tr.ransom\r\nELF/Filecoder_cl0p.A!tr.ransom\r\nMalicious_Behavior.SB\r\nAdditionally, the following AV 
signatures are available for Cl0p ransomware samples:\r\nW32/Ransom_Win32_CLOP.SMK\r\nW32/Ransom_Win32_CLOP.SME\r\nW32/Ransom_Win32_CLOP.SM\r\nW32/Ransom_Win32_CLOP.RK!tr\r\nW32/Ransom_Win32_CLOP.NW\r\nW32/Ransom_Win32_CLOP.AA\r\nW32/Ransom_Clop.PW!tr\r\nW32/Ransom.CLOP!tr\r\nW32/Filecoder_cl0p!tr.ransom\r\nW32/Clop.GWKF!tr.ransom\r\nW32/Clop.407E!tr.ransom\r\nW32/Clop.2D9D!tr.ransom\r\nW32/Clop.2794!tr.ransom\r\nLinux/Filecoder_Cl0p.A!tr\r\nFortiGuard Labs has put the following IPS signatures in place for the vulnerabilities reportedly exploited by the\r\nCl0p ransomware threat actor:\r\nProgress.MOVEit.Transfer.Unrestricted.File.Upload (CVE-2023-34362)\r\nPaperCut.NG.SetupCompleted.Authentication.Bypass (CVE-2023-27350 and CVE-2023-27351)\r\nFortra.GoAnywhere.MFT.LicenseResponseServlet.Command.Injection (CVE-2023-0669)\r\nAccellion.FTA.Remote.OS.command.Execution (CVE-2021-27102)\r\nMS.Windows.Server.Netlogon.Elevation.of.Privilege (CVE-2020-1472)\r\nSolarWinds.Serv-U.FTP.Unauthorized.User.Creation (CVE-2021-35211)\r\nF5.BIG-IP.iControl.REST.Authentication.Bypass (CVE-2022-1388)\r\nApache.Log4j.Error.Log.Remote.Code.Execution (CVE-2021-44228)\r\nFortiGuard Labs Guidance\r\nDue to the ease of disruption, damage to daily operations, potential impact to an organization’s reputation, and the\r\nunwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS\r\nsignatures up to date.\r\nSince the majority of ransomware is generally delivered via phishing, organizations should consider leveraging\r\nFortinet solutions designed to train users to understand and detect phishing threats:\r\nThe FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness\r\nand vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted\r\nphishing 
attacks.\r\nFortinet’s FREE NSE training: NSE 1 – Information Security Awareness includes a module on internet threats\r\ndesigned to help end users learn how to identify and protect themselves from various types of phishing attacks and\r\ncan be easily added to internal training programs.\r\nOrganizations also need to make foundational changes to the frequency, location, and security of their data\r\nbackups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with\r\ndigital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks\r\ncan come from anywhere. Organizations are encouraged to implement cloud-based security solutions, such\r\nas SASE, to protect off-network devices, advanced endpoint security, such as EDR (endpoint detection and\r\nresponse) solutions that can disrupt malware mid-attack, and Zero Trust Access and network segmentation\r\nstrategies that restrict access to applications and resources based on policy and context. These solutions are proven\r\nto minimize risk and reduce the impact of a successful ransomware attack.\r\nBy operating these solutions as part of the industry's only fully integrated Security Fabric, organizations can also\r\ntake advantage of native synergy and automation across their security ecosystem. Fortinet also provides an\r\nextensive portfolio of technology and human-based as-a-service offerings that can be deployed independently or\r\nas part of the Fortinet Security Fabric. These services are powered by advanced AI-enabled technologies and our\r\nglobal FortiGuard team of seasoned cybersecurity experts.\r\nBest Practices Include Not Paying a Ransom\r\nOrganizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom\r\npartly because payment does not guarantee that files will be recovered. According to a U.S. 
Department of\r\nTreasury's Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to\r\ntarget additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit\r\nactivities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a\r\nRansomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes\r\nComplaint Center (IC3).\r\nHow Fortinet Can Help\r\nFortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is\r\ndetected. And our Incident Readiness Subscription Service provides tools and guidance to help you better prepare\r\nfor a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop\r\nexercises).\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard\r\nAI-powered security services portfolio.\r\nSource: https://www.fortinet.com/blog/threat-research/ransomware-roundup-cl0p",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/ransomware-roundup-cl0p"
	],
	"report_names": [
		"ransomware-roundup-cl0p"
	],
	"threat_actors": [
		{
			"id": "6728f306-6259-4e7d-a4ea-59586d90a47d",
			"created_at": "2023-01-06T13:46:39.175292Z",
			"updated_at": "2026-04-10T02:00:03.236282Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"TEMP.Warlock",
				"UNC902"
			],
			"source_name": "MISPGALAXY:FIN11",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1db21349-11d6-4e57-805c-fb1e23a8acab",
			"created_at": "2022-10-25T16:07:23.630365Z",
			"updated_at": "2026-04-10T02:00:04.694622Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"Chubby Scorpius",
				"DEV-0950",
				"Lace Tempest",
				"Operation Cyclone"
			],
			"source_name": "ETDA:FIN11",
			"tools": [
				"AZORult",
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"BLUESTEAL",
				"Cl0p",
				"EMASTEAL",
				"FLOWERPIPE",
				"FORKBEARD",
				"FRIENDSPEAK",
				"FlawedAmmyy",
				"GazGolder",
				"Get2",
				"GetandGo",
				"JESTBOT",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MINEDOOR",
				"MIXLABEL",
				"Meterpreter",
				"NAILGUN",
				"POPFLASH",
				"PuffStealer",
				"Rultazo",
				"SALTLICK",
				"SCRAPMINT",
				"SHORTBENCH",
				"SLOWROLL",
				"SPOONBEARD",
				"TiniMet",
				"TinyMet",
				"VIDAR",
				"Vidar Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434236,
	"ts_updated_at": 1775792197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/04e93f56c477c3c5e082072af0141e3050ccade7.pdf",
		"text": "https://archive.orkl.eu/04e93f56c477c3c5e082072af0141e3050ccade7.txt",
		"img": "https://archive.orkl.eu/04e93f56c477c3c5e082072af0141e3050ccade7.jpg"
	}
}