{
	"id": "20db8417-bb19-45f8-9d8b-c8ad25df14c0",
	"created_at": "2026-04-06T00:21:04.835897Z",
	"updated_at": "2026-04-10T13:12:02.675183Z",
	"deleted_at": null,
	"sha1_hash": "237c9826282a92eaf7e1cd687dace0a152eb97ea",
	"title": "Meet the Ransomware Gang Behind One of the Biggest Supply Chain Hacks Ever",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 270237,
	"plain_text": "Meet the Ransomware Gang Behind One of the Biggest Supply\r\nChain Hacks Ever\r\nBy Lorenzo Franceschi-Bicchierai\r\nPublished: 2021-04-14 · Archived: 2026-04-05 20:38:43 UTC\r\nKat Garcia is a cybersecurity researcher at Emsisoft, where, as part of her work, she tracks a ransomware gang\r\ncalled Cl0p.\r\nYet, she was surprised when she got an email at the end of last month from the hackers. In the message, the Cl0p\r\nhackers told her they had broken into the servers of a clothing shop for expecting mothers and they had her phone,\r\nemail, home address, credit card information, and Social Security number. \r\n“We inform you that information about you and your purchases, as well as your payment details, will be published\r\non the darknet if the company does not contact us,” the hackers wrote. “Call or write to this store and ask to\r\nprotect your privacy.”\r\nGarcia said that this incident “shows how far threat actors are willing to go to monetize their crimes.” \r\nThe Cl0p cybercriminals are now trying to recruit customers of the breached companies to help them extort the\r\ncompanies they hacked. It’s the latest twist in the hacking group’s attempts to extort money from victims, and it’s\r\none of the reasons that Cl0p has become one of the most interesting—and fearsome—hacking groups of early\r\n2021.\r\n“This is the first time I can recall a ransomware group using contact information of customers to reach out en\r\nmasse through email,” Brett Callow, a security researcher at Emsisoft, which specializes in tracking ransomware,\r\nsaid in a phone call. 
\r\nSecurity researchers who have tracked Cl0p describe the group in blog posts and to Motherboard as a “criminal\r\nenterprise” that is “ruthless,” “sophisticated and innovative,” “well-organized and well-structured,” and “very\r\nactive—almost tireless.” \r\nThe group’s recent victims include oil giant Shell, security company Qualys, U.S. bank Flagstar, the controversial\r\nglobal law firm Jones Day, Stanford University, and University of California, among several others, all victims of\r\na supply chain hack against Accellion, a company that provides a file transfer application. \r\nCl0p, also known as TA505 and FIN11, has been around for at least three years, according to several security\r\nfirms that have been tracking the group. But the hackers have recently grabbed more headlines and become more\r\nprominent after gaining access to a treasure trove of sensitive data from dozens of companies—and all thanks to\r\none single hack. \r\nhttps://www.vice.com/en/article/wx5eyx/meet-the-ransomware-gang-behind-one-of-the-biggest-supply-chain-hacks-ever\r\nPage 1 of 5\n\nThe hackers are the beneficiaries—and, some think, the culprit—of the supply chain attack against the Accellion\r\nFile Transfer Appliance (FTA), a file-sharing service used by around 300 companies all over the world, according\r\nto Accellion. Security researchers still don’t know for sure whether Cl0p was the hacking group that compromised\r\nAccellion, or if they are just the ones that are monetizing the stolen data after the original hacking group gave\r\nthem access. \r\nIn an email conversation, Motherboard asked the hackers whether they were behind the Accellion supply chain\r\nhack, and how they did it. \r\n“Yes. Somehow,” the hackers responded.\r\nCl0p published the names of the companies, and a sample of the stolen data, on its website, CL0P^_- LEAKS. As\r\nresearchers from Talon, a division of South Korean cybersecurity company S2WLAB, said in an email, “some\r\ncompanies are found to be removed on the data leakage page on the dark web,” presumably because they paid the\r\nransom. \r\nThere are 52 companies on CL0P^_- LEAKS as of last week. These are presumably companies that have not paid\r\nthe ransom requested by the hackers. Antonis Terefos, a researcher at Fox-IT who has studied the group, estimated\r\nthat the group has hacked more than 150 companies. \r\nA redacted screenshot of the website where Cl0p leaks some files to pressure companies into paying\r\na ransom to avoid further leaks. (Image: Motherboard)\r\nAs part of these breaches, Cl0p has posted victims’ names, social security numbers, home addresses, financial\r\ndocuments, passport information, and other sensitive data on their website, where they publicize their hacks in an\r\nattempt to show what data they have in their hands, and what they are capable of if the victims don’t pay up. \r\nAn Accellion spokesperson downplayed the extent of the hack, saying in an email that “out of approximately 300\r\ntotal FTA clients, fewer than 100 were victims of the attack. Within this group, fewer than 25 appear to have\r\nsuffered significant data theft.”\r\nCl0p normally contacts the breached companies directly via email, offering, on their chat portal, to negotiate a\r\npayment to avoid the leak of the stolen data. 
If the company agrees and pays quickly, the hackers don’t leak any\r\ndata, nor put the company’s name on their website. Sometimes they even show a video as proof they deleted the\r\nsensitive data after a payment. If the company refuses to engage, the hackers start leaking some data, according to\r\nmultiple security researchers who are tracking Cl0p. \r\n“In the communications that they’ve had with victims that we’ve seen, they are relatively professional and\r\nrespectful. So they do offer discounts,” Kimberly Goody, the manager of the financial crime analysis team at\r\nFireEye, told Motherboard in a phone call. \r\nA screenshot of Cl0p’s chat portal. (Image: FireEye)\r\nIt seems that Cl0p knows that as long as they get a few big victims they can make good money. \r\nIn one case observed by FireEye at the end of 2020, the Cl0p hackers asked the victim for $20 million. After some\r\nnegotiations, the victim company was able to get the price down to $6 million. South Korean security firm\r\nS2WLAB said in January they saw a victim pay 220 bitcoin, which appears to be the same case FireEye\r\nobserved. \r\nIn another case, the hackers offered a victim a discount based on how quickly they could reach an\r\nagreement: a 30 percent discount if within three or four days, 20 percent if within 10 days, and 10 percent if it’s\r\nwithin 20 days, according to Goody.\r\nThe hackers, however, have made some mistakes. To communicate with victims, Cl0p sometimes uses a custom\r\nchat portal that is not protected by a password. That makes the negotiations visible to researchers and anyone who\r\ncan guess the URL, according to Goody, who said that is how FireEye was able to observe some\r\nconversations between the group and its victims. 
\r\nUnlike other ransomware groups such as Netwalker, REvil, and CONTI, Cl0p doesn’t run an affiliate program,\r\nmeaning they don’t share their malware with other cybercriminals to get a share of their proceeds. Cl0p\r\nappears to run the whole hacking operation from start to finish, which reduces the size of their earnings, according\r\nto Goody. \r\n“They’re content with the slow and steady pace. I mean, it’s not like they aren’t able to make a lot of money\r\npotentially, from these compromises, given that they are demanding millions of dollars when they are successful,”\r\nGoody said. “They’re not necessarily greedy, like maybe some of these other actors are.”\r\nA screenshot of Cl0p communicating with a victim on the group’s chat portal. (Image: FireEye)\r\n“It is indecent to ask strangers about how much they earn,” the hackers said.\r\nThe hackers also declined to say much about themselves.\r\n“In our team there is no me, there is only us, as a rule, most people are interchangeable,” they wrote in the email\r\ninterview. “There are several people in the team and we have existed for several years.”\r\nWhile the hackers’ identities are unknown, security researchers agree that the group is likely based in a country\r\nthat is part of the Commonwealth of Independent States (CIS), which is formed by Russia and former Soviet Union\r\ncountries. \r\nGoody said that Cl0p’s ransomware has metadata in the Russian language, and the hackers appear to stop their\r\nactivities during Russian holidays. Moreover, she added, their malware is programmed to check if the infected\r\ncomputers use the Russian language character set, or keyboard layouts for countries in the CIS. If that’s the case,\r\nthe ransomware deletes itself. 
\r\nThis is a tried and tested strategy to avoid attracting the attention of authorities in Russia or other Eastern European\r\ncountries, which are sometimes believed to tolerate cybercrime as long as it doesn’t impact their own citizens.\r\nDespite these precautions, some believe Cl0p is getting a bit too popular for its own good. \r\n“They are getting too much attention, not a good thing. Last year, nobody was interested in them. Now, there are\r\nmany reports writing about them and [law enforcement] cases ongoing,” a security researcher, who asked to\r\nremain anonymous because he was not authorized to speak to the press, told Motherboard in an email. “Maybe\r\nthey’ll rebrand like other ransomware gangs did to get out of the focus. Maybe they continue to operate because\r\nthey reside in a safe haven like a [Commonwealth of Independent States] country. Hopefully, their doors get\r\nkicked in one morning…”\r\nTerefos agreed.\r\n“It’s only a matter of time before they make a mistake which will help [law enforcement] to identify its members,”\r\nhe said. \r\nSource: https://www.vice.com/en/article/wx5eyx/meet-the-ransomware-gang-behind-one-of-the-biggest-supply-chain-hacks-ever",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.vice.com/en/article/wx5eyx/meet-the-ransomware-gang-behind-one-of-the-biggest-supply-chain-hacks-ever"
	],
	"report_names": [
		"meet-the-ransomware-gang-behind-one-of-the-biggest-supply-chain-hacks-ever"
	],
	"threat_actors": [
		{
			"id": "6728f306-6259-4e7d-a4ea-59586d90a47d",
			"created_at": "2023-01-06T13:46:39.175292Z",
			"updated_at": "2026-04-10T02:00:03.236282Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"TEMP.Warlock",
				"UNC902"
			],
			"source_name": "MISPGALAXY:FIN11",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1db21349-11d6-4e57-805c-fb1e23a8acab",
			"created_at": "2022-10-25T16:07:23.630365Z",
			"updated_at": "2026-04-10T02:00:04.694622Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"Chubby Scorpius",
				"DEV-0950",
				"Lace Tempest",
				"Operation Cyclone"
			],
			"source_name": "ETDA:FIN11",
			"tools": [
				"AZORult",
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"BLUESTEAL",
				"Cl0p",
				"EMASTEAL",
				"FLOWERPIPE",
				"FORKBEARD",
				"FRIENDSPEAK",
				"FlawedAmmyy",
				"GazGolder",
				"Get2",
				"GetandGo",
				"JESTBOT",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MINEDOOR",
				"MIXLABEL",
				"Meterpreter",
				"NAILGUN",
				"POPFLASH",
				"PuffStealer",
				"Rultazo",
				"SALTLICK",
				"SCRAPMINT",
				"SHORTBENCH",
				"SLOWROLL",
				"SPOONBEARD",
				"TiniMet",
				"TinyMet",
				"VIDAR",
				"Vidar Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434864,
	"ts_updated_at": 1775826722,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/237c9826282a92eaf7e1cd687dace0a152eb97ea.pdf",
		"text": "https://archive.orkl.eu/237c9826282a92eaf7e1cd687dace0a152eb97ea.txt",
		"img": "https://archive.orkl.eu/237c9826282a92eaf7e1cd687dace0a152eb97ea.jpg"
	}
}