Top five ransomware leaksites

Clop

Active Since:

February 2019

Victims Posted in the Last Year:

123

Known Aliases:

Cl0p (XSS forum)

Dark Web Networks:

Tor

Top Geographies Targets:

US

“At the time of writing, cl0p is in the news for a mass-hack against more than 130 organizations.”

Cl0p ransomware is a variant of CryptoMix with additional anti-virus evasion features. The ransomware-as-a-service (RaaS) operation is known to be linked to larger cybercriminal enterprises tracked as TA505 and FIN11. Although six suspected Cl0p associates were arrested in Ukraine in June 2021, leading to a lull in activity, a resurgence of Cl0p ransomware attacks was observed less than a year later.

At the time of writing, Cl0p is in the news for claiming what it describes as a ‘mass-hack’ against more than 130 organizations by exploiting a vulnerability (CVE-2023-0669) in Fortra’s GoAnywhere MFT secure file transfer tool. This isn’t the first time Cl0p has ‘mass-hacked’ a number of organizations by exploiting vulnerabilities in third-party software. In late 2020 – early 2021 it used the same tactic to attack more than 100 organizations with Accellion’s legacy File Transfer Appliance, using a combination of zero day vulnerabilities and a previously unseen web shell.

This approach of targeting multiple organizations and then announcing them in quick succession distinguishes Cl0p from most other ransomware operations.

update October 2023

In June, Cl0p repeated its novel approach of mass-attacks on a new scale with by exploiting hundreds of organizations through a vulnerability in a  zero day vulnerability in their file transfer software, MOVEit. The group had so many victims that it had to explore new ways of leaking data, including using Torrents. The group’s activity has plateaued significantly since the listing of all of the MOVEit victims. However, the group’s tactic of attacking victims in batch means that we should not expect that this means Cl0p is not conducting activity behind the scenes and it is likely it is looking for a new vulnerability to exploit.

Back to guide