Executive Summary & Group Overview
Cl0p is a Russian-speaking, financially motivated ransomware and data extortion operation that has operated since February 2019 within the TA505/FIN11 crimeware ecosystem. The group is most distinguished by its repeated, large-scale exploitation of zero-day vulnerabilities in managed file transfer (MFT) products, enabling simultaneous compromise of hundreds of organizations per campaign. By 2023, Cl0p had largely abandoned traditional ransomware encryption in favor of pure data theft and extortion, making it a principal driver of the industry-wide shift toward encryption-less supply chain attacks.
Five confirmed mass-exploitation campaigns against MFT and enterprise software (Accellion FTA 2020-2021, GoAnywhere MFT 2023, MOVEit Transfer 2023, Cleo 2024-2025, Oracle E-Business Suite 2025) have collectively resulted in an estimated $500M+ in extortion revenue and the compromise of tens of thousands of organizations. The group maintains a Tor-hosted leak site branded "CL0P^_-LEAKS" and has demonstrated consistent operational resilience following law enforcement actions. As of May 2026, Cl0p remains fully operational and continues to pursue new MFT and enterprise software zero-days.
| Attribute | Detail |
|---|---|
| Primary aliases | TA505 (Proofpoint/CISA); Lace Tempest (Microsoft); Graceful Spider (CrowdStrike); FIN11 (Mandiant/GTIG); GOLD TAHOE (Secureworks CTU) |
| Naming origin | "Cl0p" from Russian word klop (клоп): bed bug, a blood-feeding parasite that operates at night (CONFIRMED via Cyberint/Cybereason reporting) |
| Lineage | CryptoMix ransomware evolution; operates within TA505/FIN11 crimeware ecosystem since at least 2019 |
| Operational model | RaaS with data extortion; encryption-less exfiltration-only model since ~2023 |
| Extortion mechanic | Data theft followed by DLS publication threat; multi-extortion in earlier campaigns |
| Assessed jurisdiction | Russia / CIS region (CREDIBLE; multiple vendor assessments, CIS exclusion behavior) |
| LE disruption status | Partial (Nov 2021 Ukraine arrests); core leadership and operations intact as of May 2026 |
| Decryptor availability | Linux/ELF variant: free decryptor available (SentinelOne, Feb 2023). Windows variants: no public universal decryptor. |
Lineage & Organizational Heritage
Cl0p first appeared in February 2019 as an evolution of the CryptoMix ransomware family. Early binary analysis confirmed code reuse and cryptographic implementation similarities between the two strains, indicating direct lineage rather than independent development. CryptoMix itself was a well-established ransomware-as-a-service operation prior to Cl0p's emergence. The CryptoMix-to-Cl0p transition represents iterative malware development within the same criminal infrastructure rather than a distinct group spin-up.
The predominant analytical consensus treats Cl0p as a ransomware brand and tool operated primarily by the TA505/FIN11 crimeware ecosystem. TA505, tracked by Proofpoint since at least 2014-2015, is a large-scale phishing and malware distribution operation historically associated with Dridex, FlawedAmmyy RAT, and the Get2/SDBbot loader chain. FIN11, the Mandiant designation for the overlapping financial crime cluster, has been formally linked to all major Cl0p campaigns from Accellion through Oracle EBS.
Government advisories (CISA/FBI #StopRansomware AA23-158A, Canadian Centre for Cyber Security TA505/Cl0p profile) explicitly designate TA505 as the operator of Cl0p ransomware. The convergence of phishing infrastructure, malware loader chain, and data extortion branding under a single attribution is well-supported. Confidence is medium-to-high based on infrastructure, TTP, and financial flow overlap; definitional distinctions between TA505 and FIN11 at the organizational level remain a modeling choice rather than a factual disagreement between vendors.
Multiple vendor tracking names appear in reporting on Cl0p, with important distinctions between parent-cluster designations and Cl0p-specific aliases:
| Vendor / Body | Designation | Scope | Notes |
|---|---|---|---|
| Proofpoint | TA505 | Parent cluster (Dridex, Cl0p, FlawedAmmyy ecosystem) | Proofpoint's original designation; broadly adopted by government bodies |
| Mandiant / Google GTIG | FIN11 | Financially motivated cluster overlapping TA505; Cl0p campaigns formally attributed | Also tracks sub-clusters UNC2546 (Accellion), UNC5936 (Cleo/Oracle EBS) |
| Microsoft | Lace Tempest | Cl0p-specific; "Tempest" = financially motivated in Microsoft taxonomy | Previously DEV-0950; Lace Tempest is the current stable alias for Cl0p operators |
| CrowdStrike | Graceful Spider | Cl0p-specific adversary profile | Attributed MOVEit and Oracle EBS campaigns with moderate confidence [SecurityAffairs, 2025] |
| Secureworks CTU | GOLD TAHOE | Primary Cl0p operator cluster | Also references GOLD NIAGARA as a secondary cluster also deploying the Cl0p payload |
| Sophos | Cites GOLD TAHOE / GOLD NIAGARA | Uses Secureworks CTU designations in published reporting | Sophos reporting confirmed GOLD NIAGARA as a distinct cluster deploying Cl0p (single-vendor at time of writing) |
| CISA / FBI | "CL0P Ransomware Gang" / TA505 | Operational brand + parent cluster | MOVEit advisory AA23-158A is the definitive US government attribution document |
| Canadian CCCS | TA505 / Cl0p profile | Parent cluster designation consistent with CISA framing | Published dedicated TA505/Cl0p profile with TTP detail |
Sophos incident response data identified a second threat cluster, designated GOLD NIAGARA by Secureworks CTU, that deployed the Cl0p ransomware payload with TTPs and infrastructure patterns distinct from the primary GOLD TAHOE operator. This is consistent with a shared-tool or affiliate model in which the Cl0p binary is licensed or shared across multiple clusters. GOLD NIAGARA has not been independently confirmed by Mandiant, CrowdStrike, or Microsoft as of the time of this profile. Treat as credible but unverified at the cross-vendor level.
Operational Model
Cl0p operates as a Ransomware-as-a-Service enterprise with a core operator team responsible for malware development, zero-day research, and leak site infrastructure, and a separate affiliate layer that conducts network intrusions and manages victim negotiations. The core team draws on TA505's established phishing and loader distribution apparatus, enabling rapid scale-up across parallel victim sets in supply chain campaigns.
The affiliate revenue split is not reliably documented in open sources for Cl0p specifically. General RaaS benchmarks suggest 60/40 to 80/20 splits (affiliate/operator); any specific percentage seen in single-vendor blogs should be treated as low-confidence. Secureworks and Sophos confirm that at least two distinct clusters (GOLD TAHOE, GOLD NIAGARA) have independently deployed the Cl0p payload, consistent with a shared-tooling or sub-licensing model alongside an affiliate tier.
Cl0p's extortion approach has evolved materially across its operational lifetime:
- 2019-2021 (Traditional double extortion): Network intrusion via phishing or compromised access, lateral movement, data exfiltration, ransomware deployment. Victims threatened with both non-recovery of encrypted files and DLS publication.
- 2021-2022 (MFT pivot begins): Accellion FTA zero-days exploited for bulk data theft. Encryption step increasingly deprioritized in favor of speed and scale.
- 2023-present (Encryption-less model): GoAnywhere, MOVEit, Cleo, and Oracle EBS campaigns conducted as pure exfiltration-and-extortion operations. No ransomware payload deployed. Cl0p publicly acknowledged this shift, framing it as a strategic choice to minimize operational footprint and reduce time-to-exfiltration.
Victims receive ransom notes directing them to Tor-based contact portals or specific email addresses hosted on privacy-focused providers (ProtonMail, Tutanota). Unlike some RaaS operators, Cl0p historically has not published exact ransom amounts in notes, instead requiring victims to initiate contact before a demand is stated. This approach enables demand calibration based on victim size and industry.
Documented negotiation patterns include: staged data publication as leverage escalation; willingness to negotiate significantly downward from initial demands in exchange for prompt engagement; direct contact with known customers, partners, or shareholders of victimized organizations in select high-profile cases to amplify pressure; and adoption of torrents for data distribution beginning August 2023 to complicate takedown efforts against clearweb infrastructure.
Initial demands in high-impact supply chain incidents have been reported as very high (tens of millions USD) with material room for negotiation. Exact discount ranges are case-specific and rarely disclosed publicly; open-source visibility into specific negotiated outcomes is limited.
The "CL0P^_-LEAKS" site has been the group's primary extortion platform since approximately early 2020. Publication strategy is tiered: victim names appear first (often with partial redaction in the initial post), followed by data sample screenshots, followed by full data releases at escalating intervals. In August 2023, Cl0p added BitTorrent distribution of MOVEit-stolen data, making the data effectively uncensorable. This was a direct response to law enforcement and hosting provider pressure on their clearweb mirror sites established during the MOVEit campaign.
Technical Capabilities
Cl0p's defining technical capability is the identification and weaponization of zero-day vulnerabilities in enterprise Managed File Transfer (MFT) products. Five confirmed campaigns spanning 2020-2025 follow an identical operational template: exploit MFT zero-day for unauthenticated remote access, deploy lightweight data theft tooling, exfiltrate high-value data, delete operational traces, and initiate extortion cycle. No encryption payload is deployed in post-2022 campaigns.
| Campaign | Product | CVE(s) | CVSS | Approx. Victims | Period |
|---|---|---|---|---|---|
| Accellion FTA | Accellion File Transfer Appliance (legacy) | CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104 | 9.8 / 9.8 / 9.8 / 9.8 | ~100-300 orgs | Dec 2020 – Feb 2021 |
| GoAnywhere MFT | Fortra (formerly HelpSystems) GoAnywhere MFT | CVE-2023-0669 | 7.2 (NVD) | ~129 orgs | Jan – Mar 2023 |
| MOVEit Transfer | Progress MOVEit Transfer | CVE-2023-34362 | 9.8 (Critical) | 2,000+ downstream; 384 confirmed DLS | May – Jul 2023 |
| Cleo MFT | Cleo Harmony / VLTrader / LexiCom | CVE-2024-50623, CVE-2024-55956 | Critical | 66+ named; total unknown (4,000+ Cleo customers at risk) | Nov 2024 – Feb 2025 |
| Oracle EBS | Oracle E-Business Suite (Concurrent Processing) | CVE-2025-61882 | 9.8 (Critical) | Dozens confirmed; campaign ongoing at time of profile | Jul – Oct 2025 |
In the MOVEit campaign, Cl0p/TA505 deployed the LEMURLOOT web shell after exploiting CVE-2023-34362. LEMURLOOT is a custom ASP.NET web shell specifically engineered for the MOVEit Transfer application. Its capabilities include: extracting Azure system settings and associated keys/tokens from the MOVEit configuration database; exporting database contents including stored files and user metadata; creating unauthorized administrative accounts; and maintaining persistent access post-initial exploitation. LEMURLOOT was designed for MOVEit specifically and represents purpose-built tooling rather than commodity malware, indicating substantial pre-campaign development investment. [5][4]
The 2024-2025 Cleo campaign and the 2025 Oracle EBS campaign both involved a Java-based in-memory loader designated GOLDVEIN.JAVA (Mandiant naming). This tool fetches and executes a second-stage payload without writing to disk, complicating forensic recovery. In the Oracle EBS campaign, GOLDVEIN.JAVA was launched from within the Oracle Concurrent Processing Java process, suggesting the tool is adapted per target application. The use of the same loader family across both Cleo and Oracle EBS campaigns is the primary technical link supporting Mandiant's attribution of both to FIN11 cluster UNC5936. [Google Cloud Blog, Mandiant, 2025]
In traditional intrusion-based campaigns (pre-2022), Cl0p-aligned operators employed the following post-exploitation toolkit:
- Get2 loader: Initial-stage loader delivered via phishing; fetches SDBOT/SDBbot and additional tools
- SDBbot (SDBOT): Remote access trojan used for persistent access, credential harvesting, and lateral movement preparation
- FlawedAmmyy RAT: Remote access tool based on leaked Ammyy Admin source code; used for interactive control of compromised systems
- Cobalt Strike Beacon: Commercial post-exploitation framework widely abused by ransomware actors; used for C2 and lateral movement
- Native Windows utilities: PsExec (remote execution), net.exe (service manipulation), taskkill.exe (process termination), vssadmin.exe (shadow copy deletion), wmic.exe (WMI-based execution)
In MFT zero-day campaigns, the toolset is dramatically simplified. Cl0p deploys a purpose-built web shell or in-memory loader directly against the target application, exfiltrates targeted data, and withdraws with minimal lateral movement. This lean profile makes traditional lateral movement indicators less reliable as detection tripwires in MFT campaigns.
When deploying traditional ransomware (pre-2023 campaigns), Cl0p uses AES-256 for file content encryption with RSA key wrapping. Victim-specific binaries embed a unique 1024-bit RSA public key. The encryption routine reads each target file into memory, encrypts it with AES via the Windows CryptoAPI, writes the ciphertext to a new file, and deletes the original. Encrypted files receive a .Clop, .Cl0p, or .Cllp extension. Shadow copies are deleted or resized via vssadmin.exe to prevent recovery.
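Detection logic for the native-utility abuse listed in the toolkit above and the shadow-copy deletion described in this paragraph, as an added example that is not from the page or any vendor: the pipe-delimited log shape, host and user names, and the ATT&CK mapping in the rule table are assumptions, and the events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events, simplified to "time|host|user|command line".
# Real sources would be Windows Security 4688 or Sysmon Event ID 1 records.
SAMPLE_EVENTS = r"""
2023-02-14T02:13:05|FS01|CORP\svc_backup|vssadmin.exe list shadows
2023-02-14T02:14:10|FS01|CORP\jdoe|taskkill.exe /F /IM sqlservr.exe
2023-02-14T02:14:12|FS01|CORP\jdoe|C:\Windows\System32\vssadmin.exe Delete Shadows /All /Quiet
2023-02-14T02:14:20|FS01|CORP\jdoe|vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
2023-02-14T02:15:01|APP02|CORP\jdoe|wmic.exe shadowcopy delete
2023-02-14T02:15:30|APP02|CORP\jdoe|PsExec.exe -accepteula \\FS03 -s cmd.exe /c whoami
2023-02-14T09:00:00|WS17|CORP\asmith|net.exe use Z: \\FS01\share
"""

# (rule name, ATT&CK technique as mapped here, image-name regex, argument regex).
# "list shadows" and "net use" deliberately do not match: they are routine admin use.
RULES = [
    ("shadow_copy_delete",     "T1490",     r"^vssadmin(\.exe)?$",    r"\bdelete\s+shadows\b"),
    ("shadow_storage_resize",  "T1490",     r"^vssadmin(\.exe)?$",    r"\bresize\s+shadowstorage\b"),
    ("wmic_shadowcopy_delete", "T1490",     r"^wmic(\.exe)?$",        r"\bshadowcopy\b.*\bdelete\b"),
    ("psexec_remote_exec",     "T1569.002", r"^psexec(64)?(\.exe)?$", r""),
    ("forced_process_kill",    "T1489",     r"^taskkill(\.exe)?$",    r"/f\b"),
    ("service_stop",           "T1489",     r"^net1?(\.exe)?$",       r"^\s*stop\b"),
]


def parse_event(line: str) -> dict:
    """Split one constructed event; reduce the image to its lower-cased basename."""
    ts, host, user, cmdline = line.split("|", 3)
    parts = cmdline.split(None, 1)
    image = parts[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = parts[1] if len(parts) > 1 else ""
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "image": image, "args": args, "cmdline": cmdline}


def match_rules(event: dict) -> list:
    """Names of all rules whose image and argument patterns both match."""
    return [name for name, _tech, img_re, args_re in RULES
            if re.search(img_re, event["image"]) and re.search(args_re, event["args"], re.I)]


def detect(log_text: str, window: timedelta = timedelta(minutes=5), min_distinct: int = 2):
    """Return (hits, alerts).

    hits: one (ts, host, rule) tuple per rule match, for triage.
    alerts: one per host where at least `min_distinct` different rules fire
    within `window`, which separates the kill -> delete shadows -> resize
    staging sequence from a lone, possibly legitimate, admin command."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    hits, per_host = [], defaultdict(list)
    for ev in events:
        for rule in match_rules(ev):
            hits.append((ev["ts"], ev["host"], rule))
            per_host[ev["host"]].append((ev["ts"], rule))
    alerts = []
    for host, seq in per_host.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            rules = {r for t, r in seq[i:] if t - t0 <= window}
            if len(rules) >= min_distinct:
                alerts.append({"host": host, "start": t0.isoformat(), "rules": sorted(rules)})
                break  # one alert per host is enough; hits carry the detail
    return hits, alerts


if __name__ == "__main__":
    hits, alerts = detect(SAMPLE_EVENTS)
    for ts, host, rule in hits:
        print(f"HIT   {ts:%H:%M:%S} {host:6} {rule}")
    for a in alerts:
        print(f"ALERT {a['host']}: {', '.join(a['rules'])} within 5 min of {a['start']}")
```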
| Variant | Target | Encryption | CIS Exclusion | Decryptor Available |
|---|---|---|---|---|
| Windows PE | Windows endpoints and servers | AES-256 + RSA-1024 key wrap | Yes: locale/keyboard check; halts on Russian/CIS systems | No universal decryptor. Victim-specific keys required. |
| Linux ELF | Linux servers (first observed Dec 2022) | Flawed RC4 implementation: RC4 key encrypted with hardcoded RC4 master key instead of RSA | Behavior varies by build | Yes: SentinelOne released free decryptor Feb 2023 based on RC4 logic flaw [SentinelOne Labs] |
| ESXi | VMware ESXi hypervisors | Reported flaws in some variants | Partial | Partial: SOCRadar reported decryptors for specific variants; no universal tool |
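The key-wrap flaw in the Linux/ELF row, worked through as an added example (this is neither Cl0p's code nor SentinelOne's decryptor): RC4 is implemented from scratch, and the master-key value, the 32-byte per-file key and the ciphertext-then-wrapped-key layout are assumptions for illustration only.

```python
import os


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encrypt and decrypt are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Constructed stand-in for the hard-coded master key. The flaw is that this
# constant ships inside every copy of the binary, so whoever holds the binary
# (victim, IR team, vendor) holds the only secret the scheme depends on.
MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
FILE_KEY_LEN = 32  # assumed per-file key size


def flawed_encrypt(plaintext: bytes) -> bytes:
    """Flawed design: a random per-file key, but wrapped with RC4 under the
    hard-coded MASTER_KEY instead of under the operator's RSA public key.
    Output layout (assumed): ciphertext || wrapped_key."""
    file_key = os.urandom(FILE_KEY_LEN)
    return rc4(file_key, plaintext) + rc4(MASTER_KEY, file_key)


def recover_file_key(blob: bytes, master_key: bytes = MASTER_KEY) -> bytes:
    """Unwrap the per-file key using only material present in the binary."""
    return rc4(master_key, blob[-FILE_KEY_LEN:])


def recover_and_decrypt(blob: bytes, master_key: bytes = MASTER_KEY) -> bytes:
    """Decryptor logic: unwrap, then decrypt. No operator-held secret is needed.
    In the Windows design the wrapped key is RSA-encrypted to a public key whose
    private half never leaves the operator, so this function cannot exist there."""
    file_key = recover_file_key(blob, master_key)
    return rc4(file_key, blob[:-FILE_KEY_LEN])


if __name__ == "__main__":
    sample = b"constructed sample document contents"
    blob = flawed_encrypt(sample)
    assert recover_and_decrypt(blob) == sample
    print("per-file key recovered from the embedded master key; decryption OK")
```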
Financial Infrastructure
Cl0p demands payment primarily in Bitcoin. Some reporting indicates occasional use of Monero or other privacy coins in specific negotiations, but Bitcoin remains the dominant and most documented payment mechanism across all five confirmed campaigns. Victim-specific payment wallets are used rather than a shared address, complicating aggregate tracking.
Ransom demand calibration is victim-specific: rather than publishing a fixed price, the group requires victims to make contact, after which demand amounts are established based on apparent victim size, sector, and data sensitivity. Documented high-profile demands have been in the tens of millions USD range; many smaller victims receive lower initial demands. Negotiations proceed on Tor-based portals or via encrypted email.
| Firm | Finding | Confidence |
|---|---|---|
| Chainalysis | Cl0p credited as one of the major ransomware beneficiaries in 2023-2025 reports. MOVEit campaign projected to yield $75-100M in extortion revenue. Total estimated revenue exceeds $500M across all campaigns. Increased LE and compliance pressure noted as constraining some cash-out efficiency. [Chainalysis 2025 Crypto Crime Report; 2026 Ransomware Report] | CREDIBLE: published in Chainalysis annual reports; methodology notes partial visibility caveat |
| TRM Labs | On-chain analysis consistent with professional laundering network access. 2025 Crypto Crime Report documents Cl0p within broader ransomware ecosystem data. No standalone Cl0p-specific wallet cluster published as of May 2026. | CREDIBLE: Published reporting; no specific Cl0p cluster disclosed |
| Elliptic | No standalone Cl0p-specific blockchain analysis confirmed in public reporting as of profile date. | No published Elliptic-specific Cl0p attribution in open sources |
OFAC has sanctioned numerous wallets and entities associated with major ransomware groups (e.g., Evil Corp, Conti-linked individuals). Open sources do not consistently list a fully public, named set of Cl0p-exclusive OFAC designations as of May 2026. The November 2021 Ukraine arrests (see Law Enforcement & Regulatory Response) did not generate OFAC action against specific Cl0p leadership at the time. Any claim of specific OFAC-listed wallet addresses as "definitively Cl0p" should be treated as low-to-medium confidence unless supported by explicit OFAC documentation.
The US DoJ offered a $10 million reward for information leading to the identification or location of key Cl0p leadership following the MOVEit campaign in 2023. This reward, rather than a formal indictment or sanction, reflects the continued inability to attribute the operation to named individuals with prosecutorial-grade confidence.
Victim Profile & Targeting
Cl0p does not maintain a narrow vertical focus. Targeting is driven by two primary selection criteria: (1) use of vulnerable MFT or enterprise software products, and (2) capacity to pay a substantial ransom based on organizational size and data sensitivity. Sectors impacted across all confirmed campaigns include:
- Finance and banking (including insurance, credit unions)
- Healthcare and pharmaceutical (hospitals, health systems, pharma R&D)
- Education (universities, school districts, research institutions)
- Government agencies and municipalities (state, local, federal)
- Manufacturing, retail, and consumer goods
- Energy and utilities
- Technology and professional services (law firms, consultancies, IT managed services)
- Transportation and logistics
Healthcare and education institutions have been disproportionately represented in the MOVEit and Accellion campaigns because those sectors have high MFT product adoption and often less mature patch management processes relative to their large data holdings.
Victims span North America (US dominant), Europe (UK, Germany, France, Netherlands prominent), Asia-Pacific, and Latin America. Notable concentrations in US, UK, Canada, and Western Europe reflect both the geographic distribution of MFT product customers and the higher payment capacity of organizations in those jurisdictions.
No confirmed victims in Russia or CIS member states. Cl0p maintains documented locale exclusions in its Windows malware preventing execution on Russian and select CIS-configured systems. This is consistent across all confirmed campaign periods.
| Campaign | Selected Victims | Data Type Exposed |
|---|---|---|
| Accellion FTA (2020-21) | Reserve Bank of New Zealand, Kroger, Qualys, Shell, University of Colorado, University of California, Stanford Medicine, multiple law firms | Customer records, financial data, legal documents, PII |
| GoAnywhere MFT (2023) | Community Health Systems, Hatch Bank, Procter & Gamble, City of Toronto, Rubrik, Hitachi | PHI, financial records, HR data, corporate documents |
| MOVEit Transfer (2023) | BBC, British Airways, Shell, Ernst & Young, NYC Department of Education, Norton LifeLock, UCLA, Siemens Energy, Delta Dental, Michigan State University, Massachusetts teachers' pension fund (3.5M individuals) | PII, payroll, student records, employee benefits data, financial records |
| Cleo MFT (2024-25) | Blue Yonder (major supply chain software provider; affected 14+ Tier-1 retailers); 66+ additional companies named on DLS | Supply chain operational data, logistics records, vendor/customer PII |
| Oracle EBS (2025) | Dozens of enterprise organizations using Oracle Concurrent Processing; specific names withheld pending ongoing campaign assessment | ERP/financial data, HR records, operations data |
Cl0p has publicly claimed (via DLS announcements and negotiation communications) to exclude from targeting: military organizations, children's hospitals, and certain government bodies. The group has also claimed willingness to delete data belonging to these categories if inadvertently obtained. In operational reality, these claims are inconsistent and unreliable: healthcare institutions (including entities serving pediatric populations) and government agencies have appeared regularly on the DLS across all five campaigns. The exclusion claims function as reputational management rather than systematic policy.
Law Enforcement & Regulatory Response
In November 2021, Ukrainian National Police, working in coordination with Interpol, US law enforcement, and South Korean authorities, arrested six individuals alleged to have participated in Cl0p ransomware attacks against South Korean companies and US academic institutions. Physical assets seized included cash, vehicles, and computer equipment. The operation was publicly framed as a significant blow to the Cl0p infrastructure.
Operational impact was minimal and short-lived. Cl0p's DLS activity rebounded within weeks of the arrests. Sophos incident response data confirmed continued campaign activity post-November 2021, indicating the arrests targeted lower-tier operators (affiliates, money mules, infrastructure managers) rather than core development and leadership. No public record of convictions or prosecutorial outcomes for the six arrested individuals has appeared in English-language open sources as of May 2026.
Following the MOVEit campaign, the US Department of State's Rewards for Justice program offered a $10 million reward for information leading to the identification or location of individuals operating as key Cl0p leadership. This offer is legally and analytically distinct from an indictment or sanction: it reflects the inability to attach prosecutorial-grade attribution to specific named individuals despite substantial intelligence-community knowledge of the operation. The reward remains active as of May 2026.
| Advisory | Date | Scope |
|---|---|---|
| AA23-158A: #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability | June 2023 | Definitive US government attribution of MOVEit campaign to Cl0p/TA505; TTPs, IOCs, mitigations |
| Canadian CCCS Profile: TA505/Cl0p | 2022 (updated) | Full TTP and attribution profile; formal government-level attribution of Cl0p operations to TA505 |
| CISA Accellion FTA Advisory | March 2021 | Joint US/Australian/UK/New Zealand advisory on Accellion FTA exploitation; TTPs attributed to TA505-linked actors |
| FBI Flash: Cl0p Ransomware Indicators | Multiple 2021-2023 | IOC releases and victim notification campaigns following each major campaign cycle |
The Cl0p MOVEit campaign in particular has generated substantial regulatory and supervisory downstream activity, especially in the healthcare and financial sectors. HHS/OCR opened multiple investigations against healthcare organizations that used MOVEit and experienced breaches. SEC disclosure requirements were invoked for publicly traded companies that reported material MOVEit-related incidents. The campaign has become a case study in third-party and supply chain risk management in virtually every sector's cybersecurity regulatory guidance updated since 2023. No "Cl0p-specific" regulations have been enacted; impact has been absorbed into broader supply chain risk and vendor oversight frameworks.
This operational continuity through four major campaign cycles (GoAnywhere, MOVEit, Cleo, Oracle EBS) following the 2021 arrests confirms that the arrested individuals were not core to Cl0p's operational capability. The group's leadership, technical infrastructure, and zero-day research capacity remain intact.
Attribution & State Nexus
Cl0p is assessed with high confidence as operating from within Russia or a Russian-aligned CIS jurisdiction, based on: consistent Russian-language operator communications; absence of any confirmed victims in Russia or CIS member states across 87+ months of operation; explicit locale-based CIS exclusions coded into malware; laundering infrastructure consistent with access to Russian-aligned OTC networks; and operator recruitment via Russian-language cybercrime forums.
The Canadian CCCS assessment describes TA505 (the parent cluster) as "almost certainly a financially motivated, Russian-speaking, RaaS cybercrime group very likely based in a CIS country." This language represents the outer boundary of government-level attribution confidence for an unindicted group. No US government document has attributed Cl0p to specific Russian Federation territory with the same specificity available for, e.g., state-sponsored APT groups operating under FSB or GRU mandate.
Cl0p is assessed as a financially motivated criminal organization operating within a Russian safe-harbor environment. Evidence for direct FSB, SVR, or GRU tasking or coordination is not present in public reporting. Key indicators that would support a state nexus assessment are absent:
- No documented targeting of geopolitically strategic entities consistent with Russian state intelligence priorities (NATO infrastructure, Ukrainian government, Western defense contractors in a non-financial context)
- No evidence of data sharing between Cl0p operators and Russian state intelligence services
- No publicly disclosed government assessment from Five Eyes partners indicating state direction of Cl0p operations
The CIS exclusion behavior is consistent with Russian government's informal "do not target the near-abroad" norm applied to tolerated cybercriminals, rather than with active state direction. This tolerance model confers a functional safe harbor without constituting a command relationship.
No Cl0p core operator or leadership figure has been publicly identified by name with prosecutorial-grade confidence in open sources. The six individuals arrested in Ukraine in November 2021 were described in public reporting as participants in the Cl0p "racket," but their specific roles, identities, and case outcomes have not been consistently documented in English-language open sources. No sealed or public US federal indictments naming Cl0p leadership have been identified as of May 2026. This absence of named individuals distinguishes Cl0p from comparably impactful groups such as LockBit, Evil Corp, and Conti, where at minimum some leadership-level attribution has been achieved.
Trajectory Assessment
Cl0p has demonstrated exceptional resilience across all observed disruption events. The November 2021 Ukraine arrests produced no measurable operational degradation beyond a brief pause in DLS activity. The group subsequently executed three additional major supply chain campaigns of equal or greater scale (GoAnywhere, MOVEit, Cleo), each representing expanded technical capability and victim volume relative to the prior cycle. This pattern confirms that the 2021 arrests removed peripheral personnel while leaving the zero-day research and development function, financial management, and core operational leadership intact.
| Phase | Period | Dominant TTP | Distinguishing Feature |
|---|---|---|---|
| Phase 1: Traditional RaaS | 2019-2020 | Phishing-to-loader-to-ransomware | Standard double extortion; CryptoMix-derived payload |
| Phase 2: MFT Pivot (Encryption) | 2020-2022 | MFT zero-day + bulk exfiltration + encryption | Accellion FTA; 4 CVEs; encryption still deployed on some targets |
| Phase 3: Encryption-Less Extortion | 2023 | MFT zero-day + bulk exfiltration only | GoAnywhere and MOVEit campaigns; highest victim volume and revenue to date |
| Phase 4: Distributed Infrastructure | 2023 (Aug onward) | Exfiltration + torrent-based data distribution | BitTorrent used for MOVEit data to evade takedowns; clearweb mirrors supplemented by P2P |
| Phase 5: Diversified Target Portfolio | 2024-2025 | MFT (Cleo) + ERP zero-day (Oracle EBS) | Expansion beyond pure MFT products; GOLDVEIN malware indicates new tooling investment |
Unlike Conti (which dissolved publicly in May 2022), REvil (multiple shutdowns with eventual rebrand attempts), or LockBit (partially disrupted in 2024), Cl0p has shown no documented indication of brand shutdown or rebrand intent as of May 2026. Internal leaks comparable to the Conti chat dumps have not appeared for Cl0p. The group has operated continuously under the same brand, DLS, and operational identity for 87 months, making it one of the longest-running continuous ransomware brands in the threat landscape.
The existence of GOLD NIAGARA as a separate cluster using the Cl0p payload (Sophos/Secureworks CTU) does not indicate internal fragmentation; it is consistent with the affiliate model. The Cl0p brand itself shows no sign of the internal tensions or leadership conflict that preceded Conti's dissolution.
| Group / Cluster | Relationship | Anchor Confidence | Extension Confidence | Vendor Coverage |
|---|---|---|---|---|
| TA505 | Parent crimeware ecosystem; Cl0p is a product within the TA505 operational portfolio | CONFIRMED | N/A (anchor claim) | Proofpoint, CISA/FBI, Canadian CCCS, Malpedia; broad multi-vendor consensus |
| FIN11 / UNC5936 | Mandiant overlapping cluster; formally attributed all major Cl0p campaigns via UNC designations | CONFIRMED (campaign attribution) | CREDIBLE (organizational equivalence with TA505) | Mandiant/Google GTIG: published campaign attributions; TA505/FIN11 equivalence is an industry-level analytical consensus |
| GOLD NIAGARA | Secondary cluster also deploying Cl0p payload; distinct TTPs from GOLD TAHOE | CREDIBLE | LOW-MEDIUM (single-vendor; Sophos citing Secureworks CTU) | Sophos (citing Secureworks CTU); not independently confirmed by Mandiant, CrowdStrike, or Microsoft as of May 2026 |
| UNC2546 / UNC2582 | Affiliate clusters referenced in Halcyon reporting as Cl0p-linked | LOW-MEDIUM | LOW | Halcyon: single vendor; limited technical detail in open sources; treat as unverified pending cross-vendor confirmation |
Neither Mandiant nor Recorded Future has published a formal assessment specifically evaluating GOLD NIAGARA as a standalone Cl0p-linked cluster distinct from GOLD TAHOE as of this profile's publication date.
Cl0p is assessed as likely to remain a top-tier global extortion actor through at least 2026-2027. The group's demonstrated pattern of expanding its zero-day research capability to cover new product categories (ERP with Oracle EBS) beyond its historical MFT focus indicates growing technical resources and investment. The continued absence of successful law enforcement action against core leadership removes the primary disruption risk that has degraded comparable actors (LockBit, Conti).
Key intelligence gaps that constrain higher-confidence assessments:
- Identity, location, and current status of core leadership: entirely unconfirmed in public sources
- Precise revenue attribution: all figures based on partial blockchain visibility; actual revenue may be materially higher or lower
- Affiliate split structure and total affiliate count: inferred from general RaaS norms, not directly documented for Cl0p
- GOLD NIAGARA organizational relationship: single-vendor claim pending cross-vendor validation
- Current zero-day research pipeline: no public intelligence on which MFT or enterprise products are under active Cl0p assessment