Cl0p
Status: active
Also known as: Clop, TA505
Cl0p is a ransomware operation known for exploiting zero-day vulnerabilities in managed file transfer solutions such as MOVEit, GoAnywhere, and Accellion FTA. The group focuses heavily on data theft and extortion and does not always deploy encryption.
First Seen: 2019-02
Last Activity: 2025-01
Target Regions: 3 regions
Industries: 5 sectors
Financial Services, Healthcare, Government, Education, Retail
Attack Chain (MITRE ATT&CK)
Visual representation of the attack phases and techniques used by Cl0p
Tactics & Techniques
MITRE ATT&CK mapped tactics and techniques used by this threat actor
Indicators of Compromise (IOCs)
Known IOCs associated with Cl0p operations
| Type | Value | Description | Last Seen | Actions |
|---|---|---|---|---|
| hash | c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4 | LEMURLOOT web shell | 2025-01-05 | |
| filename | human2.aspx | Common web shell filename | — | |
IOCs are defanged for safety.
Detection Guidance
SIEM and EDR detection recommendations for identifying Cl0p activity
1. Monitor MOVEit and other file transfer solutions for suspicious activity
2. Detect web shell creation in application directories
3. Alert on unusual outbound data transfers
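An added example (not code from this page or from any tracker) of the second recommendation: it compares a clean baseline listing of a file transfer application's web root against a current listing and flags newly appearing web-script files, rating a hit on the human2.aspx filename from the IOC table above as high severity. The directory path and file listings are constructed placeholders, not real install paths.

```python
# Web-script extensions that should not appear unexpectedly in the web root.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx"}

# Filename IOC from the profile: the LEMURLOOT web shell used by Cl0p.
KNOWN_WEBSHELL_NAMES = {"human2.aspx"}

# Constructed placeholder, not a real install path: directories to watch.
WATCHED_APP_DIRS = ["C:\\FileTransferApp\\wwwroot"]


def _norm(path):
    """Normalise Windows or POSIX paths for case-insensitive comparison."""
    return path.replace("\\", "/").lower()


def find_new_scripts(baseline, current, watched_dirs=WATCHED_APP_DIRS):
    """Return (path, severity, reason) for script files in current but not
    in baseline that sit under a watched application directory. Severity is
    'high' for a known web shell filename, 'medium' for any other script."""
    known = {_norm(p) for p in baseline}
    prefixes = [_norm(d).rstrip("/") + "/" for d in watched_dirs]
    findings = []
    for path in current:
        n = _norm(path)
        if n in known or not any(n.startswith(p) for p in prefixes):
            continue
        name = n.rsplit("/", 1)[-1]
        ext = name[name.rfind("."):] if "." in name else ""
        if ext not in SCRIPT_EXTENSIONS:
            continue
        if name in KNOWN_WEBSHELL_NAMES:
            findings.append((path, "high", "known Cl0p web shell filename"))
        else:
            findings.append((path, "medium", "unexpected script in app directory"))
    return findings


# Constructed sample listings: a clean baseline and a later snapshot.
BASELINE = [
    "C:\\FileTransferApp\\wwwroot\\default.aspx",
    "C:\\FileTransferApp\\wwwroot\\web.config",
]
CURRENT = BASELINE + [
    "C:\\FileTransferApp\\wwwroot\\human2.aspx",       # matches the IOC
    "C:\\FileTransferApp\\wwwroot\\api\\helper.ashx",  # unexpected script
    "C:\\FileTransferApp\\wwwroot\\logo.png",          # not a script
    "C:\\Temp\\scratch.aspx",                          # outside watched dirs
]
```

In practice the baseline would come from a clean install or a file integrity monitoring tool, and the check would run on a schedule or on file-creation events.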
Mitigation, Containment & Recovery
Step-by-step guidance for responding to and recovering from this ransomware attack
1. Patch all file transfer applications immediately
2. Isolate affected systems
3. Check for web shells
