Cyber Threat Actor: Cl0p

Actor Type: Criminal
Location: not listed
Known Incidents: 2 incidents
Profile

Cl0p, also written Clop, is a financially motivated ransomware group observed using the Cl0p ransomware variant to encrypt victim systems while exfiltrating sensitive data for double extortion. Open‑source reporting links the group to intrusions across a range of industries, including aviation, manufacturing, and technology, with no publicly stated geographic preference. In the incident involving a former Korean Air subsidiary, Cl0p claimed responsibility for exploiting a zero‑day vulnerability in Oracle E‑Business Suite, stealing the names and bank account numbers of roughly 30,000 employees, and publishing approximately 500 GB of that data on its leak site after the organization refused to pay. The intrusion was part of a broader campaign against the same Oracle E‑Business Suite flaw that affected more than a hundred organizations across multiple sectors; other aviation firms, including Envoy Air, were identified as victims of the same exploit chain.

The group's typical tactics, techniques, and procedures begin with the exploitation of zero‑day vulnerabilities in internet‑facing enterprise software as the initial access vector, followed by theft of data and, in encryption cases, deployment of the Cl0p ransomware payload after the data has already been staged out of the network. Cl0p maintains a public leak site where it publishes stolen information to pressure victims into paying, which is the second half of its double‑extortion model. Note that the Oracle E‑Business Suite intrusion described above is reported as data theft followed by leak‑site publication; the available sources do not describe encryption in that incident. Beyond the ransomware payload itself, the sources disclose no specific tooling; the encryptor is described only in general terms (evading traditional defenses and contacting command‑and‑control infrastructure for key exchange and further tasking). No public attribution to a state‑sponsored actor or to a defined criminal consortium has been established, and the group is consistently described in open‑source reporting as a financially driven cybercriminal enterprise.

Cl0p's most notable campaign to date is the widespread exploitation of an Oracle E‑Business Suite zero‑day flaw, which gave the group access to numerous organizations, from which it extracted employee and financial data and used the stolen material for extortion. The Korean Air subsidiary incident exemplifies this campaign: a large enterprise, significant data exposure, and sustained pressure through leak‑site disclosures. The group's methods will continue to change, but the confirmed activity outlined above is the core of its known operational profile on the available evidence.

Incidents: 2 attributed incidents (available to members)
Sources: 0 sources (available to members)