Cyber Threat Actor: Clop

Aliases: 2 aliases
Actor Type: Crime Syndicate
Location: Russia
Known Incidents: 6 incidents
Profile

The threat actor known as FIN11, also tracked as Clop or Cl0p, is a Russia‑based cybercriminal group that operates under a ransomware‑as‑a‑service model and is primarily motivated by financial gain. It appears under several aliases in open‑source reporting and is linked to earlier activity clusters such as TA505 and Lace Tempest. The group's public statements stress a purely financial motive: it claims to pursue no political objectives and to delete data taken from government entities so as not to become a national‑security target. Its victimology spans aviation, healthcare, finance, education, energy, retail and government, with a notable concentration of incidents affecting organizations in the United States as well as entities in South Korea, Canada and Europe. The actors extort victims by threatening to publish stolen data unless a ransom is paid, naming non‑paying victims on their leak site.

FIN11's operational approach centers on exploiting zero‑day vulnerabilities in widely used file‑transfer and enterprise‑software platforms to gain initial access, after which it exfiltrates sensitive information and may deploy ransomware to encrypt systems. Reported campaigns have leveraged flaws in Progress Software's MOVEit Transfer (CVE‑2023‑34362 and related issues), Fortra's GoAnywhere managed file transfer tool (CVE‑2023‑0669), and Oracle's E‑Business Suite, allowing the group to compromise third‑party vendors and pivot to numerous downstream organizations. In addition to data theft, the gang has used its Clop ransomware payload to encrypt files on victim networks, reinforcing its extortion pressure. Notable publicly reported operations include a 2023 MOVEit‑linked campaign that impacted over 150 organizations and exposed the personal data of millions of individuals, a 2023 GoAnywhere zero‑day effort that hit entities such as Gray Television and Volaris, and a 2025 Oracle E‑Business Suite zero‑day wave that led to the compromise of Korean Air's former subsidiary and the leak of employee data on the group's leak site. These activities illustrate the actor's reliance on supply‑chain‑style exploits, data exfiltration for extortion, and occasional ransomware deployment to monetize access.
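The two behaviours that recur across the campaigns above, a dropped server-side page on the file-transfer host followed by bulk downloads from one client, can both be picked out of ordinary web-server access logs. The following Python is an added example for this profile, not code from any of the cited sources or vendors. It assumes IIS W3C-style log lines (constructed here, with RFC 5737 test addresses), a hypothetical allow-list of the application's legitimate server pages, and a 5-minute / 256 MiB bulk-download threshold chosen for illustration. The filename human2.aspx in the sample is the LEMURLOOT web shell name documented in the CISA/FBI MOVEit advisory AA23-158A; /human.aspx is MOVEit Transfer's normal login page.

```python
"""Flag Clop-style activity on a managed file-transfer web server:
1. requests to server-side pages that are not part of the application (a
   dropped web shell), and
2. a single client pulling an unusually large volume of files in a short
   window (bulk exfiltration ahead of extortion).
Input is a list of IIS W3C-style access log lines. All data below is
constructed for the example."""

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes
SAMPLE_LOG = """\
2023-05-28 01:02:03 203.0.113.10 GET /human.aspx 200 5120
2023-05-28 01:02:05 203.0.113.10 POST /moveitisapi/moveitisapi.dll 200 812
2023-05-28 01:02:09 203.0.113.10 POST /human2.aspx 200 4096
2023-05-28 01:03:00 203.0.113.10 GET /api/v1/files/1001/download 200 52428800
2023-05-28 01:03:20 203.0.113.10 GET /api/v1/files/1002/download 200 73400320
2023-05-28 01:03:40 203.0.113.10 GET /api/v1/files/1003/download 200 104857600
2023-05-28 01:04:00 203.0.113.10 GET /api/v1/files/1004/download 200 125829120
2023-05-28 08:15:00 198.51.100.7 GET /human.aspx 200 5120
2023-05-28 08:16:00 198.51.100.7 GET /api/v1/files/2001/download 200 1048576
"""

# Hypothetical allow-list: the server-side pages a real deployment legitimately
# serves. Build it from the vendor's install footprint, not from observed traffic.
KNOWN_PAGES = {"/human.aspx", "/moveitisapi/moveitisapi.dll"}
SERVER_PAGE_EXTENSIONS = (".aspx", ".ashx", ".asmx")


def parse_log(text):
    """Parse W3C-style lines into dicts; skips blank and '#' directive lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, time, ip, method, path, status, sent = line.split()
        entries.append({
            "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "ip": ip,
            "method": method,
            "path": path.lower(),
            "status": int(status),
            "bytes": int(sent),
        })
    return entries


def find_unknown_pages(entries, known_pages=KNOWN_PAGES):
    """Return (ip, path) pairs for server-side pages outside the allow-list.
    A web shell dropped into the web root shows up here on its first request."""
    hits = {
        (e["ip"], e["path"])
        for e in entries
        if e["path"].endswith(SERVER_PAGE_EXTENSIONS) and e["path"] not in known_pages
    }
    return sorted(hits)


def find_bulk_downloads(entries, window=timedelta(minutes=5),
                        threshold=256 * 1024 * 1024):
    """Sliding-window sum of successful download bytes per client IP.
    Returns {ip: peak bytes inside any window} for clients over the threshold."""
    per_ip = defaultdict(list)
    for e in entries:
        if e["status"] == 200 and "/download" in e["path"]:
            per_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in per_ip.items():
        evs.sort(key=lambda e: e["ts"])
        total, start = 0, 0
        for end, e in enumerate(evs):
            total += e["bytes"]
            # Drop events that fell out of the window ending at evs[end].
            while evs[end]["ts"] - evs[start]["ts"] > window:
                total -= evs[start]["bytes"]
                start += 1
            if total >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), total)
    return flagged


def report(text):
    """Run both detections over raw log text and return the findings."""
    entries = parse_log(text)
    return {
        "unknown_pages": find_unknown_pages(entries),
        "bulk_downloads": find_bulk_downloads(entries),
    }


if __name__ == "__main__":
    for kind, findings in report(SAMPLE_LOG).items():
        print(f"{kind}: {findings}")
```

The page allow-list is the part worth getting right: derive it from a clean install of the product rather than from traffic history, otherwise a shell that has been present since before logging began is silently whitelisted. The byte threshold should be tuned per tenant; the point of the sliding window is that exfiltration of an entire file store tends to happen in minutes, whereas legitimate users download a few files at a time.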

Incidents: 6 incidents (attributed incidents available to members)
Sources: 265 sources (available to members)