Cyber Threat Actor: Clop
| Actor Type | Location | Known Incidents |
Crime Syndicate
|
Russia
|
271 incidents |
|---|
Profile
Clop, also tracked as ITG08, is a Russia‑linked ransomware group that has been observed operating since at least 2019 and is known by several aliases including TA505, Lace Tempest, Dungeon Spider and FIN11. Public reporting describes the gang as financially motivated and explicitly states that it does not pursue political objectives, claiming to delete any government‑related data it obtains to avoid becoming a national‑security target. The group operates under a ransomware‑as‑a‑service model, providing the ransomware payload to affiliates in exchange for a share of the ransom proceeds.
Clop’s targeting pattern, as reflected in publicly reported incidents, spans multiple sectors and geographic regions. Victims have included healthcare organizations such as Johnson & Johnson’s Janssen CarePath program, AbbVie, Vitality Group International and various hospitals; financial institutions ranging from banks like Umpqua Bank and 1st Source to insurance firms such as Kotak Life Insurance, Genworth Financial and Wilton Reassurance; educational entities including the University of California Los Angeles, the University of Georgia and numerous school districts; government agencies at federal, state and local levels, notably the U.S. Department of Health and Human Services, the Department of Energy, the Office of Personnel Management and state agencies in Louisiana, Oregon and Minnesota; law firms such as Kirkland & Ellis LLP and K&L Gates LLP; and commercial enterprises in energy, manufacturing, retail and technology sectors. The group’s stated objective is financial gain, and it has asserted that it is not interested in political espionage or disruption.
The tactics, techniques and procedures attributed to Clop in the source material center on the exploitation of zero‑day vulnerabilities in managed file transfer solutions. The group has been identified as the actor behind the widespread exploitation of a zero‑day in Progress Software’s MOVEit Transfer (CVE‑2023‑34362) that began in late May 2023, as well as earlier zero‑day exploits in Fortra’s GoAnywhere MFT platform, Accellion FTA servers (notably in December 2020) and SolarWinds Serv‑U servers in 2021. Clop’s operations typically involve gaining unauthorized access to file‑transfer servers, exfiltrating sensitive data and then threatening to publish the stolen information unless a ransom is paid, a approach characterized as double extortion. The gang maintains a data‑leak site where it posts victim names to pressure negotiations and claims to have deleted data from approximately thirty government entities. Analysts have estimated that the group may have extorted upwards of seventy‑five million dollars from a handful of large MOVEit victims while treating many other targets as collateral damage.
Among the most visible campaigns, the 2023 MOVEit exploitation led to the compromise of over one hundred fifty organizations and the alleged theft of personal data belonging to more than sixteen million individuals, affecting healthcare patients, insurance policyholders, university students, government employees and corporate employees across the United States, Canada, Europe and other regions. Prior to the MOVEit campaign, Clop conducted mass‑scale attacks against Accellion FTA customers in late 2020, SolarWinds Serv‑U users in 2021 and GoAnywhere users in early 2023, each time leveraging newly discovered zero‑day flaws to harvest data before patches were applied. These activities have been repeatedly linked to the group through public attributions by law‑enforcement agencies, cybersecurity firms and the actors’ own statements on leak sites. The combination of financially motivated extortion, reliance on zero‑day file‑transfer exploits and a ransomware‑as‑a‑service structure defines Clop’s current threat profile.
