{
	"id": "5e447c7e-bb8f-45c6-a1bc-8f7aa105d032",
	"created_at": "2026-04-06T00:11:59.089333Z",
	"updated_at": "2026-04-10T13:11:34.562707Z",
	"deleted_at": null,
	"sha1_hash": "12661ba2e6b53d2faee4480986f4735b73747fce",
	"title": "Clop Ransomware: History, Timeline, And Adversary Simulation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 370904,
	"plain_text": "Clop Ransomware: History, Timeline, And Adversary Simulation\r\nArchived: 2026-04-05 13:33:06 UTC\r\nWhat is Clop Ransomware\r\nThe infamous Clop ransomware, mainly known as Cl0p, targets various industries and organizations, extorting\r\ndata for a considerable ransom. It advances actively with new emerging campaigns. The Clop ransomware is\r\nassociated with the Russian threat group TA505, which primarily operates as ransomware-as-a-service (RaaS).\r\nThe threat group has also been seen using various zero-day exploits in its campaigns, including the\r\nlatest MOVEit Transfer exploitation. The ransomware is primarily CryptoMix ransomware, and it made its first\r\nappearance in 2019.\r\nHistory\r\nClop ransomware mainly targets victims through spear-phishing campaigns, primarily focusing on the banking,\r\nhealthcare, and finance sectors. The banking sector experiences the highest number of campaigns. In contrast,\r\nthe threat group avoids targeting the healthcare sector out of humanitarian considerations. However, the healthcare\r\nsector is still affected by its campaigns. The ransomware also targets specific countries, such as the USA,\r\nCanada, and most parts of the Asia Pacific. The most affected countries are the USA, Canada, and India, all falling\r\nvictim to these campaigns.\r\nThe ransomware is observed exploiting numerous zero-day vulnerabilities with different variations. The installation of\r\nDEWMODE, a webshell, was initially detected on FTA servers through zero-day exploitation. Recently, it was also\r\nobserved exploiting a vulnerability in MOVEit Transfer, a managed file transfer (MFT) product with a SQL injection vulnerability.\r\nThese exploits were primarily used to exfiltrate data from databases and install webshells, granting the threat\r\nactors complete control over the affected endpoints. 
In a new campaign, the threat group is\r\nseen exploiting GoAnywhere (MFT) using a zero-day vulnerability.\r\nThe ransomware actively targets various organizations, and it has been observed since late 2020 that the threat\r\nactors have compromised over 100 companies. In collaboration with FIN11, a financially motivated threat group,\r\nthey exploited a zero-day vulnerability in the File Transfer Appliance (FTA) of Kiteworks (formerly known as\r\nAccellion). It is important to note that no data was encrypted; however, the threat actors threatened to expose\r\nmillions of user data on the black market. The Clop ransomware was primarily used to exfiltrate the data.\r\nAdditionally, the threat actors maintain a blog providing updates on their recent activities. They also operate a\r\nmarket selling data from various organizations for financial gain.\r\nClop Ransomware Timeline\r\n1. February 2019: First noticed in the wild with large-scale spear phishing.\r\n2. January 2020: FIN11 deployed Clop ransomware on the File Transfer Appliance (FTA) of Kiteworks,\r\nformerly Accellion.\r\nhttps://fourcore.io/blogs/clop-ransomware-history-adversary-simulation\r\nPage 1 of 8\n\n3. April 2020: The Clop ransomware threat group gained access to a pharmaceutical company and leaked\r\ntheir user data.\r\n4. November 2021: Maritime services in Singapore fell prey to the Clop ransomware, which exfiltrated sensitive\r\ninformation regarding commercial details and employee data, including bank details.\r\n5. November 2021: Security researchers discovered Clop ransomware exploiting the SolarWinds\r\nvulnerability, breaching several organizations.\r\n6. April 2022: Security researchers discovered that several MOVEit Transfer servers holding\r\nsensitive information were compromised.\r\n7. 
June 2023: Several companies from various sectors were compromised, including US federal agencies,\r\nBBC, hospitals, and EY.\r\nClop Ransomware Infection Chain\r\nThe infection chain of the Clop ransomware involves the following stages:\r\n1. Initial Access: T1190 - Exploit Public-Facing Application; T1566 - Phishing. Initial access is achieved\r\nthrough spear-phishing victims, often accompanied by the SDBbot and FlawedAmmyy RAT. The\r\nransomware also exploits various applications using zero-days and known CVEs for gaining initial access.\r\nAdditionally, compromised RDP credentials are utilized as another entry point.\r\n2. Execution: T1059.001 - Command and Scripting Interpreter: PowerShell; T1059.003 - Command and\r\nScripting Interpreter: Windows Command Shell; T1129 - Shared Modules. The ransomware predominantly\r\nutilizes native APIs and command interpreters like Windows PowerShell and Visual Basic macros for\r\nexecuting commands.\r\n3. Persistence: T1505.003 - Server Software Component: Web Shell; T1546.011 - Event Triggered Execution:\r\nApplication Shimming. The ransomware ensures persistence by being executed during system autostart. It\r\nalso modifies system processes to evade detection and maintain persistence.\r\n4. Privilege Escalation: T1068 - Exploitation for Privilege Escalation; T1548.002 - Abuse Elevation Control\r\nMechanism: Bypass User Account Control. To escalate privileges, the ransomware employs commonly\r\nexploited techniques, including UAC bypass and leveraging publicly available CVEs.\r\n5. Defense Evasion: T1055 - Process Injection; T1070 - Indicator Removal; T1574.002 - Hijack Execution\r\nFlow: DLL Side-Loading. The ransomware utilizes sophisticated defense evasion techniques. It\r\nmasquerades as a legitimate process by using valid known signatures. 
It terminates security controls\r\npresent on the endpoint and employs process injection to evade detection. Furthermore, it clears the event\r\nlogs on the infected system.\r\n6. Discovery: T1018 - Remote System Discovery. The ransomware scans the endpoint for various files to\r\nencrypt and exfiltrate. It also searches for other endpoints connected to the network and identifies\r\nprocesses to check for security controls, terminating them if found.\r\n7. Command and Control: T1071 - Application Layer Protocol; T1105 - Ingress Tool Transfer. Clop\r\nransomware predominantly utilizes Cobalt Strike for its command and control operations. It frequently\r\nsends beacons to actively monitor the infected systems.\r\n8. Impact: T1486 - Data Encrypted for Impact. The ransomware encrypts data using a 1024-bit RSA and RC4\r\nkey. The encrypted data may be exfiltrated for sale on dark markets, unless the victims comply with the\r\nthreat actor's demands. Additionally, all shadow volumes are deleted to prevent data recovery.\r\nClop ransomware targeting the MOVEit Transfer vulnerability\r\nClop ransomware specifically targets a vulnerability in MOVEit Transfer, an application designed to facilitate\r\nefficient management of file transfer operations within organizations. The threat actors took advantage of a SQL\r\ninjection vulnerability present in the web application of MOVEit Transfer. They exploited this vulnerability to\r\ninstall a webshell known as LEMURLOOT. Furthermore, the webshell incorporated various libraries from MOVEit\r\nand primarily focused on enumerating and retrieving data from the underlying databases. This exploit not only\r\nenabled the threat actors to exfiltrate sensitive data but also gave them the ability to execute malicious code. 
The\r\nsituation is particularly worrisome as it has been observed that more than 2000 servers are still utilizing the\r\nvulnerable version of the MOVEIT Transfer application, rendering them active targets for the threat actor.\r\nThe ransom note left by threat actors of Clop ransomware.\r\nIndicator of Compromise (IoC)\r\nHashes:\r\nClop ransomware MOVEIT campaign LEMURLOOT Webshell\r\nEmails :\r\n1. unlock@rsv-box[.]com - CL0P communication email\r\n2. unlock@support-mult[.]com - CL0P communication email\r\n3. rey14000707@gmail[.]com - Login/Download\r\n4. 
gagnondani225@gmail[.]com - Email\r\nYara Rule:\r\nPresented below are the YARA rules for the MOVEit CVE, by Ahmet Payaslioglu.\r\nrule MOVEit_Transfer_exploit_webshell_aspx {\r\n    meta:\r\n        date = \"2023-06-01\"\r\n        description = \"Detects indicators of compromise in MOVEit Transfer exploitation.\"\r\n        author = \"Ahmet Payaslioglu - Binalyze DFIR Lab\"\r\n        hash1 = \"44d8e68c7c4e04ed3adacb5a88450552\"\r\n        hash2 = \"a85299f78ab5dd05e7f0f11ecea165ea\"\r\n        reference1 = \"https://www.reddit.com/r/msp/comments/13xjs1y/tracking_emerging_moveit_transfer_critical/\"\r\n        // reference2 is truncated in the source\r\n        reference2 = \"https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-da\"\r\n        reference3 = \"https://gist.github.com/JohnHammond/44ce8556f798b7f6a7574148b679c643\"\r\n        verdict = \"dangerous\"\r\n        mitre = \"T1505.003\"\r\n        platform = \"windows\"\r\n        search_context = \"filesystem\"\r\n\r\n    strings:\r\n        $a1 = \"MOVEit.DMZ\"\r\n        $a2 = \"Request.Headers[\\\"X-siLock-Comment\\\"]\"\r\n        $a3 = \"Delete FROM users WHERE RealName='Health Check Service'\"\r\n        $a4 = \"set[\\\"Username\\\"]\"\r\n        $a5 = \"INSERT INTO users (Username, LoginName, InstID, Permission, RealName\"\r\n        $a6 = \"Encryption.OpenFileForDecryption(dataFilePath, siGlobs.FileSystemFactory.Create()\"\r\n        $a7 = \"Response.StatusCode = 404;\"\r\n\r\n    condition:\r\n        filesize \u003c 10KB\r\n        and all of them\r\n}\r\n\r\nrule MOVEit_Transfer_exploit_webshell_dll {\r\n    meta:\r\n        date = \"2023-06-01\"\r\n        description = \"Detects indicators of compromise in MOVEit Transfer exploitation.\"\r\n        author = \"Djordje Lukic - Binalyze DFIR Lab\"\r\n        hash1 = \"7d7349e51a9bdcdd8b5daeeefe6772b5\"\r\n        hash2 = \"2387be2afe2250c20d4e7a8c185be8d9\"\r\n        reference1 = \"https://www.reddit.com/r/msp/comments/13xjs1y/tracking_emerging_moveit_transfer_critical/\"\r\n        // reference2 is truncated in the source\r\n        reference2 = \"https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-da\"\r\n        reference3 = \"https://gist.github.com/JohnHammond/44ce8556f798b7f6a7574148b679c643\"\r\n        verdict = \"dangerous\"\r\n        mitre = \"T1505.003\"\r\n        platform = \"windows\"\r\n        search_context = \"filesystem\"\r\n\r\n    strings:\r\n        $a1 = \"human2.aspx\" wide\r\n        $a2 = \"Delete FROM users WHERE RealName='Health Check Service'\" wide\r\n        $a3 = \"X-siLock-Comment\" wide\r\n\r\n    condition:\r\n        uint16(0) == 0x5A4D and filesize \u003c 20KB\r\n        and all of them\r\n}\r\nList of CVEs exploited by the Clop ransomware:\r\nCVE-2023-34362\r\nCVE-2023-35036\r\nCVE-2023-0669\r\nCVE-2021-27101\r\nCVE-2021-27102\r\nCVE-2021-27103\r\nCVE-2021-27104\r\nCVE-2021-35211\r\nCVE-2021-27102\r\nClop Ransomware Adversary Simulation\r\nFourCore has utilized analysis reports, TTPs, and threat intelligence to develop an adversary simulation\r\nassessment for Clop Ransomware. This assessment aims to validate the effectiveness of your organization's\r\nsecurity controls using the FourCore ATTACK Platform.\r\nReferences\r\nhttps://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-clop\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a\r\nhttps://www.bleepingcomputer.com/news/security/clop-ransomware-likely-testing-moveit-zero-day-since-2021/\r\nSource: https://fourcore.io/blogs/clop-ransomware-history-adversary-simulation",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://fourcore.io/blogs/clop-ransomware-history-adversary-simulation"
	],
	"report_names": [
		"clop-ransomware-history-adversary-simulation"
	],
	"threat_actors": [
		{
			"id": "6728f306-6259-4e7d-a4ea-59586d90a47d",
			"created_at": "2023-01-06T13:46:39.175292Z",
			"updated_at": "2026-04-10T02:00:03.236282Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"TEMP.Warlock",
				"UNC902"
			],
			"source_name": "MISPGALAXY:FIN11",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1db21349-11d6-4e57-805c-fb1e23a8acab",
			"created_at": "2022-10-25T16:07:23.630365Z",
			"updated_at": "2026-04-10T02:00:04.694622Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"Chubby Scorpius",
				"DEV-0950",
				"Lace Tempest",
				"Operation Cyclone"
			],
			"source_name": "ETDA:FIN11",
			"tools": [
				"AZORult",
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"BLUESTEAL",
				"Cl0p",
				"EMASTEAL",
				"FLOWERPIPE",
				"FORKBEARD",
				"FRIENDSPEAK",
				"FlawedAmmyy",
				"GazGolder",
				"Get2",
				"GetandGo",
				"JESTBOT",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MINEDOOR",
				"MIXLABEL",
				"Meterpreter",
				"NAILGUN",
				"POPFLASH",
				"PuffStealer",
				"Rultazo",
				"SALTLICK",
				"SCRAPMINT",
				"SHORTBENCH",
				"SLOWROLL",
				"SPOONBEARD",
				"TiniMet",
				"TinyMet",
				"VIDAR",
				"Vidar Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434319,
	"ts_updated_at": 1775826694,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/12661ba2e6b53d2faee4480986f4735b73747fce.pdf",
		"text": "https://archive.orkl.eu/12661ba2e6b53d2faee4480986f4735b73747fce.txt",
		"img": "https://archive.orkl.eu/12661ba2e6b53d2faee4480986f4735b73747fce.jpg"
	}
}