The MOVEit campaign lasted three days. Three days of automated exploitation, and Cl0p had access to networks at an estimated 2,500 to 2,600 organisations globally. Government departments. Healthcare providers. Financial institutions. Universities. Pension funds. All of them compromised through a zero-day in enterprise file transfer software they had no reason to believe was vulnerable.
That is Cl0p’s operational model in its most developed form. Not targeted intrusions against specific high-value organisations. Mass exploitation of a single vulnerability in widely-deployed infrastructure, executed in a compressed timeframe before patches can be applied, followed by systematic data theft and extortion at scale.
Understanding Cl0p requires understanding that they are not primarily a ransomware group. They are a data theft and extortion group that deploys ransomware selectively. Their primary weapon is stolen data and the threat of its publication; the ransomware is a secondary pressure mechanism for targets who do not respond to data extortion alone. In the 2023 file transfer campaigns no encryptor was deployed at all: the intrusions consisted of exploitation, data theft and extortion.
Group Overview
| Attribute | Detail |
|---|---|
| Common names | Cl0p, TA505, FIN11 (partially overlapping; see below) |
| Attribution | Eastern European financially motivated criminal group, with indicators suggesting Russian or Russian-adjacent operators |
| First observed | TA505 documented from 2014; Cl0p ransomware first observed 2019 |
| Primary revenue model | Data theft and extortion; ransomware as supplementary pressure |
| Enforcement actions | Ukrainian law enforcement, working with international partners, arrested six individuals associated with Cl0p in June 2021; the group's operations continued afterwards |
| Current status | Active. File transfer exploitation operations continue |
| Targeting | Sector- and geography-agnostic; organisations are selected by their use of vulnerable enterprise file transfer software, not by who they are |
A note on naming: TA505 is a broader threat cluster tracked by Proofpoint since 2014 that covers large email-based malware distribution campaigns. FIN11 is Mandiant's designation for a financially motivated group that evolved from TA505-linked activity toward large-scale ransomware and data extortion operations. Cl0p is the ransomware and leak-site brand associated with this cluster. The three designations overlap only partially, and the differing vendor naming conventions cause confusion. In this profile, "Cl0p" refers to the group conducting the file transfer exploitation campaigns.
The File Transfer Exploitation Pattern
Cl0p’s defining operational signature is the systematic targeting of enterprise file transfer software at the zero-day level. The pattern has repeated across multiple platforms:
| Exploitation window | Platform | Vulnerability | Estimated victims |
|---|---|---|---|
| Dec 2020 to Jan 2021 | Accellion FTA | CVE-2021-27101 to CVE-2021-27104 (SQL injection, command execution and SSRF, chained) | ~100 organisations |
| Jan 2023 | Fortra GoAnywhere MFT | CVE-2023-0669 (pre-authentication remote code execution) | ~130 organisations |
| May to Jun 2023 | Progress Software MOVEit Transfer | CVE-2023-34362 (SQL injection chained to code execution) | ~2,500 organisations |
The progression tells the story. Each campaign was larger than the previous one and the operational tempo tightened. The MOVEit victim count was more than an order of magnitude above GoAnywhere's. The model is being refined and scaled.
The reason file transfer software is the target is straightforward: managed file transfer platforms are typically internet-facing, hold sensitive data (financial records, HR data, protected health information) by design, and are used across a wide range of organisations including those with strong internal security postures. Exploiting them yields access without needing to penetrate the internal network through traditional means.
MOVEit: The Campaign That Defined the Model
The Vulnerability
CVE-2023-34362 was a SQL injection vulnerability in the MOVEit Transfer web application. An unauthenticated attacker could send crafted HTTP requests to MOVEit's internet-facing endpoints and inject SQL statements into the application's database. Cl0p chained that database access to code execution on the server, which it used to plant a web shell for persistent access, enumerate the database, and download the files transferred through the platform.
Progress Software published its advisory and patch on 31 May 2023. By then Cl0p had already been exploiting the flaw at scale for three days, from 27 to 29 May, over the US Memorial Day weekend, a timing choice that reduced the chance of an immediate response from victims' security teams.
The Execution
Cl0p’s MOVEit campaign was automated at a scale not previously seen in data extortion operations. Web shell implantation, database enumeration, and file exfiltration were executed across thousands of targets in the three-day exploitation window. The operational infrastructure required to coordinate this — to handle simultaneous access to hundreds or thousands of compromised systems, triage the data, and manage the subsequent extortion communications — represents a significant logistical operation.
Post-exploitation, Cl0p used a staged extortion approach: victims were given a deadline to contact the group through a negotiation portal, after which stolen data would be progressively published on their dedicated leak site. Organisations that did not pay saw their data released.
The Victims
The MOVEit victim list included:
- Multiple US federal agencies (though the data exposure was limited in those cases)
- NHS contracted suppliers in the UK, leading to patient data exposure
- Pension fund administrators affecting millions of retirement account holders
- Multiple state governments in the US
- Major financial services firms, airlines, and technology companies
The breadth of impact across sectors demonstrated the consequence of having a single vulnerable platform deployed at scale across the enterprise ecosystem.
Technical Approach
Zero-Day Research
Cl0p invests in vulnerability research against enterprise file transfer platforms specifically. The consistent focus on this software category suggests either dedicated internal research capacity targeting this class of software or a sustained relationship with vulnerability researchers who supply zero-days. The MOVEit exploit had clearly been developed and validated before the exploitation window opened: the campaign ran against thousands of hosts before any advisory existed, so the exploit chain and the automation around it cannot have been built in response to disclosure.
LEMURLOOT Web Shell
The web shell deployed in MOVEit intrusions was a custom ASP.NET web shell designated LEMURLOOT by Mandiant. It was written for MOVEit's application environment rather than repurposed from a generic shell. It was dropped as human2.aspx, a name chosen to sit unobtrusively beside the legitimate human.aspx endpoint, and authenticated its operator through a password passed in a custom HTTP request header (X-siLock-Comment). Once authenticated it interacted with the MOVEit database directly: enumerating folders, files and users, retrieving the platform's storage configuration, creating privileged accounts, and downloading file contents for exfiltration.
Automation and Scale
The ability to simultaneously maintain access to and exfiltrate data from thousands of compromised organisations requires infrastructure that goes beyond typical criminal group capabilities. The automation of the exploitation, data collection, and initial victim notification was a distinguishing characteristic of MOVEit compared to earlier Cl0p campaigns.
Data Management and Extortion
Cl0p's extortion infrastructure is well developed. A dedicated leak site on Tor, with clear-web mirrors, hosts victim data; victim-specific sections go live progressively as extortion deadlines pass without payment. Negotiation channels are maintained for victims who choose to engage.
Unlike some ransomware groups, Cl0p has been reported to delete data and not publish it when ransoms are paid — maintaining a degree of trustworthiness in their extortion relationship that is commercially necessary for their model to function.
Sectors and Targets
Cl0p’s file transfer exploitation model is fundamentally sector-agnostic: they target organisations that use vulnerable software, not organisations in specific sectors. However, certain sectors are disproportionately represented due to their use of managed file transfer platforms:
- Healthcare: hospitals, medical billing companies, and pharmacy benefit managers use MFT platforms extensively for transferring patient data and insurance claims.
- Financial services: banks, insurers, and pension administrators use MFT for regulatory reporting and data exchange.
- Government: federal, state, and local governments are heavy MFT users for inter-agency and contractor data exchange.
- Legal and professional services: document-heavy organisations using MFT for client data handling.
What Comes Next
The pattern is established: once a platform has been patched and its vulnerable installed base exhausted, the group moves on to the next one. Following MOVEit, Cl0p has continued reconnaissance against file transfer software infrastructure. The question is not whether a new campaign is being prepared but which platform is being researched.
File transfer software in the current exposure window includes any platform that:
- Is internet-facing
- Handles sensitive files
- Has not been recently subjected to thorough security review
- Has a large installed base that makes mass exploitation viable
This is not a short list. Organisations should assume that any MFT platform they operate is a current Cl0p research target.
Defensive Recommendations
Inventory and minimise your MFT exposure. Know what file transfer platforms you operate. Assess which are internet-facing. For internet-facing MFT platforms: restrict access to known IP ranges where operationally feasible, implement WAF rules, and monitor for anomalous database queries.
Emergency patching procedures for MFT software. When a zero-day is disclosed for a file transfer platform you operate, the exploitation window in Cl0p-style campaigns is measured in days. Your patching process needs to treat MFT vulnerabilities as emergency, not routine.
Web shell detection on MFT infrastructure. Monitor for new or modified web-accessible files in MFT application directories. Deploy file integrity monitoring on the web application layer. Cl0p web shell deployment is detectable if you are looking for it.
Assume breach when a patch is released. If you were running a vulnerable version of MOVEit, GoAnywhere, or Accellion FTA during the exploitation windows, assume you were compromised. Patching closes the door; it does not evict an attacker who already has a web shell, a planted account, or a copy of your data. Conduct a forensic investigation covering web-accessible directories, web server logs, and the application's user and session tables before treating remediation as complete.
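A concrete version of the two preceding recommendations (web shell detection on MFT infrastructure, and post-patch triage of a host that may already be compromised), written as an added example for this page rather than taken from any vendor's tooling. It baselines the web-executable files under an IIS application root, diffs a later snapshot against that baseline, and scans IIS W3C-format logs for requests to script names the application does not serve. The directory layout, the sample log lines, and the `KNOWN_SCRIPTS` set are constructed for the example (human.aspx is the real MOVEit endpoint and human2.aspx the LEMURLOOT file name; the other names are assumed); on a real host the known set should be derived from a clean install of the same product version. One caveat a responder should know: default IIS log fields do not record custom request headers, so the shell's authentication header will not appear in these logs unless header logging was configured beforehand. The filename-based check below does not depend on it.

```python
"""Web shell triage for an IIS-hosted managed file transfer application.

Two checks: a baseline diff of web-executable files (a dropped shell such as
LEMURLOOT's human2.aspx shows up as a file absent from the last snapshot) and
a scan of IIS W3C logs for requests to script names the application does not
serve. Paths, the sample log and the known-script set are constructed.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

WEB_EXEC_SUFFIXES = {".aspx", ".ashx", ".asmx", ".asax", ".dll", ".config"}


def snapshot(root: Path) -> dict[str, str]:
    """Map relative path -> SHA-256 for every web-executable file under root."""
    snap: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in WEB_EXEC_SUFFIXES:
                snap[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return snap


def diff_snapshots(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify changes between two snapshots. Pure, so it works equally on a
    snapshot taken from a forensic image and one taken from the live host."""
    return {
        "new": sorted(k for k in current if k not in baseline),
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
        "deleted": sorted(k for k in baseline if k not in current),
    }


def parse_iis_w3c(lines):
    """Yield one dict per request from IIS W3C extended log lines. Field names
    come from the #Fields directive, which IIS re-emits whenever the configured
    fields change, so the parser tracks it instead of hard-coding column offsets."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated line: skip rather than misalign columns
        yield dict(zip(fields, parts))


def find_unknown_scripts(rows, known_scripts: set[str]) -> list[dict[str, str]]:
    """Requests whose uri-stem names a web-executable file outside known_scripts.
    Comparison is case-insensitive because IIS path matching is."""
    known = {k.lower() for k in known_scripts}
    hits = []
    for row in rows:
        stem = row.get("cs-uri-stem", "")
        name = stem.rsplit("/", 1)[-1]
        if Path(name).suffix.lower() in WEB_EXEC_SUFFIXES and name.lower() not in known:
            hits.append({"client": row.get("c-ip", ""), "method": row.get("cs-method", ""),
                         "uri": stem, "status": row.get("sc-status", "")})
    return hits


# Constructed sample log: one request to the legitimate human.aspx endpoint,
# one to a shell named to blend in with it, and one static asset.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2023-05-28 03:14:07 10.0.0.5 POST /human2.aspx - 443 - 198.51.100.23 Mozilla/5.0 200 312
2023-05-28 03:14:09 10.0.0.5 GET /human.aspx - 443 - 192.0.2.10 Mozilla/5.0 200 45
2023-05-28 03:15:01 10.0.0.5 GET /css/site.css - 443 - 192.0.2.10 Mozilla/5.0 200 3
""".splitlines()

# Assumed known set; in practice derive it from a clean install of the same version.
KNOWN_SCRIPTS = {"human.aspx", "machine.aspx", "guestaccess.aspx"}


def demo(root: Path | None = None) -> dict[str, list[str]]:
    """Build a tiny constructed app tree, baseline it, then simulate a shell drop
    plus tampering with an existing page, and return the resulting diff."""
    if root is None:
        root = Path(tempfile.mkdtemp(prefix="mft-fim-"))
    (root / "bin").mkdir(parents=True, exist_ok=True)
    (root / "human.aspx").write_text('<%@ Page Language="C#" %>')
    (root / "bin" / "app.dll").write_bytes(b"MZ")
    baseline = snapshot(root)
    (root / "human2.aspx").write_text('<%@ Page Language="C#" %> <!-- constructed shell -->')
    (root / "human.aspx").write_text('<%@ Page Language="C#" %> tampered')
    return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
    for hit in find_unknown_scripts(parse_iis_w3c(SAMPLE_IIS_LOG), KNOWN_SCRIPTS):
        print("unknown script requested:", hit)
```

The baseline should be captured from a known-good state (ideally a fresh install, not the currently running host) and stored off the MFT server, because an attacker with code execution on the box can rewrite a baseline kept locally. Running the log scan over archived logs from the exploitation window is the cheapest first step of the "assume breach" investigation above: a single request to an unexpected .aspx name is enough to justify pulling a forensic image before patching is declared complete.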
Consider MFT architecture. Internet-facing file transfer platforms with broad database access are an inherently high-risk architecture. Alternatives — air-gapped transfer processes, restricted network access, API-based exchange with audit logging — may reduce the attack surface available to the next campaign.