Clop Ransomware: Inside the $500 Million Cybercrime Empire Driving February 2026's Breach Surge
The cybercriminal operation behind seven years of zero-day exploitation campaigns continues its expansion. With 97 victims claimed in the past 30 days and active exploitation targeting Cleo and Oracle systems, Clop has established itself as one of the most persistent ransomware threats facing enterprises today.

Executive Summary
Clop—stylized as "Cl0p" and named after the Russian word for bedbug—exemplifies ransomware's evolution from opportunistic encryption to strategic zero-day exploitation. What began in 2019 as a CryptoMix variant has grown into a sophisticated operation responsible for 1,100+ organizational compromises, exposure of 93 million individuals' personal data, and an estimated $500+ million in ransom payments.
The numbers tell the story:
- 97 victims in the last 30 days (as of February 7, 2026)
- 5th most prolific ransomware group by total victim count
- 19 countries and 12+ industries targeted in current campaigns
- $75-100 million estimated earnings from MOVEit exploitation alone
- Last victim claimed: February 7, 2026—they're active right now
For security teams, Clop represents a paradigm shift in threat actor behavior. Unlike groups that scatter ransomware through phishing campaigns hoping for lucky hits, Clop operates more like a nation-state APT: identifying zero-day vulnerabilities in widely-deployed enterprise software, developing exploitation tools, and executing coordinated mass attacks that compromise hundreds of organizations simultaneously.
The February 2026 surge we're witnessing stems from ongoing Cleo file transfer exploitation that began in December 2024, combined with a newly-identified Oracle E-Business Suite campaign. Organizations using Cleo LexiCom, VLTransfer, Harmony, or Oracle EBS with internet-facing portals should treat this as an active emergency.
Group Background and History: From Phishing Gang to Zero-Day Specialists
The TA505 Connection
Clop doesn't operate in isolation. The group is the ransomware arm of TA505, also tracked as FIN11, Snakefly, and Graceful Spider—a Russian-speaking cybercriminal collective that has been active since at least 2014. Before Clop, TA505 was known as one of the largest phishing and malspam distributors in the world.
CISA's assessment is blunt: "TA505 is a financially motivated cybercrime group known for frequently changing malware and driving global trends in criminal malware distribution."
The group's estimated reach is staggering: 3,000+ US organizations and 8,000+ global organizations compromised through various campaigns. TA505 operates multiple business models simultaneously—ransomware-as-a-service, initial access brokering, and botnet operations—making them a one-stop-shop for cybercriminal infrastructure.
Evolution Timeline
The Clop operation has shown remarkable adaptability over its seven-year lifespan:
2015-2016: CryptoMix ransomware family emerges, establishing the technical foundation that would become Clop.
February 2019: Clop first appears as a CryptoMix variant. The group launches large-scale spear-phishing campaigns, delivering malware through HTML attachments that lead to macro-enabled documents.
December 2019: The attack on Maastricht University demonstrates Clop's willingness to target critical infrastructure. The Dutch university paid a €200,000 ransom to restore operations.
March 2020: Launch of the "Cl0p^_-Leaks" data leak site marks Clop's transition to double extortion. Now encryption isn't the only leverage—stolen data provides a second pressure point.
December 2020: Everything changes. Clop begins exploiting zero-day vulnerabilities in Accellion's File Transfer Appliance (FTA). This campaign reveals their new operational model: mass exploitation of enterprise file transfer systems rather than traditional phishing.
2021-Present: A succession of zero-day campaigns—GoAnywhere, MOVEit, Cleo, Oracle EBS—each more devastating than the last. The group has effectively cornered the market on file transfer platform exploitation.
Why "Clop"?
The name derives from "клоп" (klop), the Russian word for bedbug—parasites that infiltrate homes, hide in crevices, and feed on their hosts while they sleep. It's disturbingly apt: Clop infiltrates file transfer systems designed to move sensitive data, hides within legitimate infrastructure, and extracts value while organizations remain unaware.
Attack Methodology and TTPs: The Zero-Day Playbook
The Shift from Phishing to Zero-Days
Clop's operational evolution represents a strategic business decision. Traditional ransomware deployment through phishing is noisy, has low success rates, and attracts immediate attention. Zero-day exploitation of enterprise software is quieter, affects more victims simultaneously, and often goes undetected until the threat actor is ready to begin extortion.
The economics are compelling: rather than compromising organizations one-by-one through laborious phishing campaigns, Clop can compromise hundreds of organizations through a single vulnerability in widely-deployed software. The MOVEit campaign alone impacted 2,700+ organizations in a matter of weeks.
Primary Attack Vectors
1. Zero-Day Exploitation of File Transfer Appliances
This is Clop's specialty. Their target selection shows careful analysis of enterprise software deployment:
- Accellion FTA (legacy but widely deployed in 2020)
- GoAnywhere MFT (common in financial services)
- MOVEit Transfer (ubiquitous across enterprises)
- Cleo LexiCom, VLTransfer, and Harmony (supply chain focused)
- SolarWinds Serv-U FTP
These systems share common characteristics: they handle sensitive data transfers, they're often internet-facing for business reasons, and they're deployed by organizations with data worth stealing.
2. Phishing Campaigns (Traditional Method)
When zero-days aren't available, Clop falls back to sophisticated phishing:
- HTML attachments leading to macro-enabled documents
- Get2 loader deployment
- SDBot/FlawedAmmyy/FlawedGrace for persistent access
- Cobalt Strike for post-exploitation
- Final Clop ransomware deployment
3. TrueBot Malware Distribution
In 2023, CISA documented TrueBot affecting 1,500+ systems globally. TrueBot serves as a first-stage downloader that takes screenshots, gathers system information, and loads additional DLLs for expanded access.
The Malware Arsenal
Clop operators deploy a sophisticated toolkit:
| Tool | Function |
|---|---|
| Get2 | Initial loader delivered via phishing |
| SDBot | Remote access trojan for propagation |
| FlawedAmmyy/FlawedGrace | RATs based on legitimate remote access software |
| Cobalt Strike | Commercial red team tool used for post-exploitation |
| TrueBot | First-stage downloader with reconnaissance capabilities |
| DEWMODE | PHP web shell specifically for Accellion FTA |
| LEMURLOOT | C# web shell designed for MOVEit exploitation |
| TinyMet | Lightweight reverse shell connector |
Encryption Characteristics
When Clop deploys ransomware (increasingly rare in recent campaigns), the encryption shows technical sophistication:
Encryption algorithms: AES for file encryption, RSA for key protection, RC4 in older variants, Salsa20 with ECDH in recent versions.
File extensions: .clop, .CIIp, .Cllp, .C_L_O_P (variations likely to evade signature detection)
Pre-encryption behavior:
- Terminates backup and security processes
- Deletes volume shadow copies (vssadmin Delete Shadows /all /quiet)
- Disables Windows recovery options via bcdedit
- Checks keyboard layout—won't execute on Russian or CIS-language systems
This last characteristic is telling: the malware is specifically designed to avoid encrypting systems in Russia and allied nations.
The Shift to Encryption-less Extortion
Since 2023, Clop has increasingly abandoned encryption in favor of pure data extortion. Industry analysis confirms: "Clop uses more and more pure extortion approaches with 'encryption-less ransomware' that skips the encryption process but still threatens to leak data if ransom is not paid."
The operational logic is straightforward: traditional encryption requires sophisticated malware development, execution time that can alert defenders, and higher detection risk. Data exfiltration via web shells is faster, generates less security telemetry, and delivers equivalent extortion leverage with reduced operational exposure.
Major Campaigns Timeline: A History of Mass Exploitation
Accellion FTA Attack (December 2020 - Early 2021)
Clop's first major zero-day campaign targeted the Accellion File Transfer Appliance, exploiting multiple vulnerabilities:
- CVE-2021-27101: SQL injection via crafted host header
- CVE-2021-27102: OS command execution via local web service
- CVE-2021-27103: Server-side request forgery
- CVE-2021-27104: OS command execution via crafted POST request
The timing was surgical—exploitation began December 23, 2020, as security teams went on holiday. Clop deployed the DEWMODE web shell to interact directly with Accellion's MySQL database and exfiltrate data without deploying ransomware.
Notable victims: Kroger, Jones Day law firm, Qualys, Singtel, Reserve Bank of New Zealand, ASIC (Australian Securities and Investments Commission)
Market impact: According to Coveware via BleepingComputer, the Accellion breaches drove Q1 2021 average ransom payments to $220,298—a 43% increase—with median payments jumping 60% to $78,398.
GoAnywhere MFT Attack (January 2023)
Exploiting CVE-2023-0669, a zero-day remote code execution vulnerability, Clop compromised approximately 130 organizations in just ten days.
The attack methodology showed refinement: Clop limited their activity to the GoAnywhere platform itself, with no observed lateral movement into victim networks. They identified executives through OSINT and sent extortion communications directly.
The ransom notes were characteristically blunt:
"Hello, this is the CL0P hacker group... We want to inform you that we have stolen important information from your GoAnywhere MFT resource... If you ignore us, we will sell your information on the black market and publish it on our blog, which receives 30-50 thousand unique visitors per day."
MOVEit Transfer Attack (May-June 2023)
The campaign that redefined ransomware scale.
Clop exploited CVE-2023-34362, a SQL injection zero-day in Progress Software's MOVEit Transfer solution. Exploitation began May 27, 2023—Memorial Day weekend in the United States, when security teams operated with reduced staffing.
The impact was unprecedented:
- 2,700+ organizations compromised
- 93.3 million individuals' personal data exposed
- Estimated $75-100 million in ransom payments collected
- 90%+ of victims didn't even attempt negotiation
The LEMURLOOT web shell deployed during this campaign showed sophisticated design: it authenticated via an X-siLock-Comment HTTP header using a hardcoded 36-character password, and disguised itself as "human2.aspx" (mimicking the legitimate "human.aspx" file).
Major victims included: BBC, British Airways (via Zellis payroll provider), Shell, Ernst & Young, Estée Lauder, NYC Department of Education (45,000 students affected), 890 US universities via National Student Clearinghouse, and multiple US government agencies including the Department of Energy and State Department.
Cleo File Transfer Attack (December 2024 - Present)
Active and ongoing as of February 2026.
CVE-2024-50623 (CVSS 9.8 Critical) affects Cleo LexiCom, VLTransfer, and Harmony products. The vulnerability allows unrestricted file uploads and downloads leading to remote code execution.
Campaign timeline:
- October 2024: Cleo first disclosed the vulnerability
- December 2024: Mass exploitation observed
- December 24, 2024: Clop begins extortion with 66 companies and 48-hour deadlines
- January 2025: 59+ organizations named on leak site
- February 2025: 182 Cleo victims reported by researchers
- February 2026: Ongoing victim disclosure continues
Confirmed victim: Western Alliance Bank reported 21,899 customers impacted, with Social Security numbers and financial data confirmed stolen.
Oracle E-Business Suite Campaign (2025-2026)
The latest campaign targets Oracle EBS login portals, exploiting suspected vulnerabilities CVE-2025-61882 and CVE-2025-61884. Clop is targeting internet-facing Oracle EBS deployments and has named nearly 30 alleged victims on their leak site.
This campaign is still developing, and organizations running Oracle EBS should audit their exposure immediately.
Recent Victim Analysis: The February 2026 Surge
Understanding the February 2026 Surge
Three factors drive the current spike in Clop activity:
Delayed disclosure from Cleo campaign: Organizations compromised during December 2024's holiday exploitation are still being contacted. Clop's extortion model employs gradual victim naming to sustain psychological pressure over months.
New Oracle EBS campaign: Active exploitation of Oracle E-Business Suite portals adds fresh victims to an already substantial disclosure queue.
Tactical timing: Clop's pattern of holiday-period attacks (Christmas 2020, Memorial Day 2023, Christmas 2024) means February catches organizations still remediating incidents discovered during end-of-year security reviews.
Recent Victims (February 2026)
Threat intelligence tracking from Dark Web Informer documents recent disclosures across multiple countries and sectors:
- 🇺🇸 Western Alliance Bank (westernalliancebank.com) - 21,899 customers, SSNs confirmed stolen
- 🇬🇧 Dukosi (dukosi.com) - UK technology company
- 🇨🇦 Strategic Objectives (strategicobjectives.com) - Canadian business services
- 🇮🇹 Labinf IT - Italian IT services
- 🇺🇸 NG Attorneys - US legal services
- 🇨🇦 Conwest - Canadian construction
- 🇨🇦 Ideal Welders - Canadian manufacturing
- 🏴 TRJ Ltd - Welsh business
- 🇺🇸 VIP LLC - US services
- 🇮🇳 MNK Associates - Indian professional services
- 🇺🇸 Brault - US business
Geographic and Industry Targeting Patterns
Geographic Concentration
Clop's victim distribution reflects where high-value targets deploy vulnerable software:
- United States: 72% of victims (primary target)
- Canada: 14% (secondary)
- Europe: 14% (UK, Germany, France, Netherlands)
- Australia, India, Brazil: Tertiary targets
The group explicitly avoids Russian and CIS-nation systems—their malware checks keyboard layouts and won't execute on Cyrillic-language installations.
Industry Targeting
Analysis from CYFIRMA's February 2025 report on current campaigns:
- Manufacturing: 37% (supply chain focus)
- Retail: 26% (payment and customer data)
- Transportation: 14% (logistics chains)
- Financial Services: High-value targets
- Healthcare: Despite claiming to avoid hospitals, numerous healthcare breaches documented
- Education: Universities, school districts
- Legal Services: Law firms hold sensitive client data
- Government: State and federal agencies compromised in MOVEit
The Supply Chain Strategy
Black Kite's 2025 Ransomware Report captured Clop's approach: "Clop targeted not only the technical vulnerability in its Cleo campaign, but also industries at the core of the supply chain. The goal was not just data theft, but to create operational chaos."
By targeting file transfer platforms used in supply chain operations, Clop achieves cascade effects—a single compromised logistics company can expose data from hundreds of client organizations.
Ransom Demands and Negotiation Tactics
Demand Ranges
Clop's ransom demands show significant variation based on victim size:
| Victim Type | Typical Demand |
|---|---|
| Small-medium businesses | ~$40,000 |
| Mid-market enterprises | $500,000 - $5 million |
| Large enterprises | $10-20+ million |
| Highest documented | $500 million (demanded, not necessarily paid) |
The MOVEit campaign demonstrated that volume can substitute for per-victim amounts: Clop reportedly earned $75-100 million despite many victims refusing to engage at all.
Extortion Escalation
Clop pioneered aggressive multi-stage extortion:
- Initial contact: Ransom note or direct email to executives
- Deadline pressure: Typically 48-72 hours before data release
- Gradual disclosure: Data released in batches to maintain leverage
- Customer contact: Direct outreach to victims' customers and partners
- Media engagement: Advertising breaches to journalists
The group maintains a professional "customer service" approach during negotiations, communicating in broken English but with consistent messaging and Bitcoin payment infrastructure.
Law Enforcement Actions: Arrests Without Impact
June 2021 Ukraine Arrests
A joint operation involving Ukrainian Cyber Police, FBI, Interpol, and South Korean law enforcement resulted in:
- 6 individuals arrested in Kyiv region
- 21 searches conducted
- Tesla vehicles, high-end cars, cash, and equipment seized
The impact assessment from Intel 471 was prescient:
"We do not believe that any core actors behind CLOP were apprehended, due to the fact that they are probably living in Russia. The overall impact to CLOP is expected to be minor although this law enforcement attention may result in the CLOP brand getting abandoned."
Reality proved this correct: Clop resumed operations within days and has grown significantly since the arrests. The individuals detained were likely money launderers and lower-tier affiliates, not the operators who develop exploits and manage infrastructure from within Russia.
The Jurisdictional Challenge
Clop's core operators remain beyond law enforcement reach. Russia's policy against extraditing citizens to Western nations, combined with limited domestic prosecution of cybercriminals targeting foreign organizations, creates effective safe harbor. The malware's built-in Russian keyboard check makes this arrangement explicit—operators deliberately avoid actions that would attract domestic law enforcement attention.
2023 CISA/FBI Joint Advisory
In response to MOVEit, US authorities published AA23-158a under the #StopRansomware initiative, providing detailed IOCs, TTPs, and mitigation guidance. While valuable for defenders, the advisory hasn't deterred Clop's operations.
Defense Recommendations for Security Teams
Immediate Actions (Next 48 Hours)
1. Inventory and patch file transfer platforms
- Identify all MOVEit, Cleo, GoAnywhere, and Oracle EBS instances
- Determine which systems are internet-facing
- Apply latest security patches immediately
- Take unpatchable systems offline until remediation is possible
2. Hunt for compromise indicators
- Search logs from December 2024 onward for the IOCs listed in the IOCs and Detection Guidance section below
- Scan web directories for unexpected .aspx, .php, or executable files
- Review authentication logs for suspicious access patterns during off-hours
- Check for evidence of shadow copy deletion or backup tampering
3. Strengthen network isolation
- Implement network segmentation to isolate file transfer systems from sensitive data repositories
- Deploy micro-segmentation to limit lateral movement paths
- Review firewall rules to restrict unnecessary internet exposure
- Consider zero-trust architecture for high-value systems
Strategic Mitigations
4. File transfer platform hardening
- Disable unnecessary features and integrations
- Implement strict access controls
- Enable comprehensive logging
- Consider moving to managed cloud alternatives with better security resources
5. Backup and recovery
- Maintain offline, immutable backups
- Test restoration procedures regularly
- Document recovery time objectives for critical systems
6. Incident response preparation
- Develop ransomware-specific playbooks
- Establish relationship with law enforcement pre-incident
- Consider retainer with IR firm
- Prepare communications templates for customer notification
7. Threat intelligence integration
- Monitor for Clop IOCs and TTPs
- Subscribe to vulnerability alerts for deployed software
- Track threat actor evolution through industry ISACs
IOCs and Detection Guidance
Active IOCs (Cleo Campaign - February 2025)
IP Addresses to Block/Monitor:
File Hash (Clop Ransomware):
- MD5: 31e0439e6ef1dd29c0db6d96bac59446
MOVEit LEMURLOOT Hashes:
- SHA256: 3a977446ed70b02864ef8cfa3135d8b134c93ef868a4cc0aa5d3c2a74545725b
- SHA256: cf23ea0d63b4c4c348865cefd70c35727ea8c82ba86d56635e488d816e60ea45
Malicious Domains:
- hiperfdhaus[.]com
- jirostrogud[.]com
- qweastradoc[.]com
- connectzoomdownload[.]com
- zoom[.]voyage
MITRE ATT&CK Mapping
Key techniques for detection engineering:
| Tactic | Technique | Detection Focus |
|---|---|---|
| Initial Access | T1190 | Web application firewall logs, file transfer platform anomalies |
| Execution | T1059.001 | PowerShell logging, script block logging |
| Persistence | T1505.003 | Web shell detection, new files in web directories |
| Defense Evasion | T1070.001 | Event log clearing detection |
| Defense Evasion | T1562.001 | Security tool tampering alerts |
| Exfiltration | T1567 | Unusual outbound data volumes |
| Impact | T1490 | VSS deletion monitoring |
Detection Rules
Sigma rule for shadow copy deletion (pre-encryption indicator):
```yaml
title: VSS Deletion via vssadmin
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'vssadmin'
            - 'Delete'
            - 'Shadows'
    condition: selection
level: high
```
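The following Python applies the Sigma selection above to process-creation telemetry and extends it with two companion checks drawn from the report's TTPs: the bcdedit recovery tampering listed under pre-encryption behavior and a web server spawning a shell (T1505.003 in the ATT&CK mapping). It is an added example, not code from the report or from any vendor; the events, hostnames and field layout are constructed, and the bcdedit switch names are standard bcdedit syntax chosen here as the example's pattern.

```python
"""Detection logic for Clop pre-encryption and web shell behaviour, run over
constructed process-creation events. Added example; not code from the report."""
import re
from dataclasses import dataclass

# Sigma 'contains|all' matching is case-insensitive by default, so compare lowercased.
VSS_TERMS = ("vssadmin", "delete", "shadows")

# Companion check for the bcdedit recovery tampering the report mentions.
# Switch names are standard bcdedit syntax; pairing them here is this example's choice.
BCDEDIT_RE = re.compile(
    r"bcdedit.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.IGNORECASE
)

# Web server processes that should never spawn an interactive shell on a file transfer host.
WEB_SERVER_PARENTS = ("w3wp.exe", "php-fpm", "httpd")
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")


@dataclass
class ProcEvent:
    host: str
    image: str          # process that started
    parent_image: str   # process that started it
    command_line: str


def match_vss_deletion(cmd: str) -> bool:
    """Equivalent of the Sigma selection: all three terms present, any case or order."""
    low = cmd.lower()
    return all(term in low for term in VSS_TERMS)


def match_recovery_tamper(cmd: str) -> bool:
    return BCDEDIT_RE.search(cmd) is not None


def match_webshell_spawn(ev: ProcEvent) -> bool:
    return ev.parent_image.lower().endswith(WEB_SERVER_PARENTS) and ev.image.lower().endswith(SHELLS)


def triage(events):
    """Return one (host, technique, reason, command_line) tuple per matching event."""
    hits = []
    for ev in events:
        if match_vss_deletion(ev.command_line):
            hits.append((ev.host, "T1490", "shadow copy deletion", ev.command_line))
        if match_recovery_tamper(ev.command_line):
            hits.append((ev.host, "T1490", "recovery options disabled", ev.command_line))
        if match_webshell_spawn(ev):
            hits.append((ev.host, "T1505.003", "web server spawned a shell", ev.command_line))
    return hits


# Constructed sample telemetry (Sysmon EID 1 / 4688-style fields), not real data.
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    ProcEvent("FS01", r"C:\Windows\System32\vssadmin.exe", CMD, "vssadmin Delete Shadows /all /quiet"),
    ProcEvent("FS01", r"C:\Windows\System32\bcdedit.exe", CMD, "bcdedit /set {default} recoveryenabled No"),
    ProcEvent("FS02", r"C:\Windows\System32\vssadmin.exe", CMD, "VSSADMIN.EXE delete shadows /For=C: /Quiet"),
    ProcEvent("FS02", r"C:\Windows\System32\vssadmin.exe", CMD, "vssadmin list shadows"),  # benign admin check
    ProcEvent("MOVEIT01", CMD, r"C:\Windows\System32\inetsrv\w3wp.exe", "cmd.exe /c whoami"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(" | ".join(hit))
```

The `vssadmin list shadows` event is deliberately left unmatched: the rule keys on deletion, so routine administrative enumeration does not page anyone.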
File transfer platform web shell indicators:
- New .aspx files in MOVEit web directories (/wwwroot/)
- Files mimicking legitimate names (human2.aspx vs human.aspx)
- PHP files in unexpected Accellion FTA paths
- Files with execute permissions appearing in web-accessible directories
- Unusual file creation during off-hours on production systems
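The indicators above, together with the human2.aspx masquerade described in the MOVEit section, can be turned into a baseline-comparison scan of a web root. The Python below is an added example, not the report's or any vendor's tooling; the directory listing, the baseline file set, the business-hours window and the similarity threshold are all constructed assumptions for illustration.

```python
"""Scan a web-directory listing for the web shell file indicators above.
Added example; listing, baseline and paths are constructed, not real MOVEit data."""
import difflib
import posixpath
from dataclasses import dataclass
from datetime import datetime

# Extensions the web server would execute rather than serve as static content.
WEB_EXECUTABLE_EXT = {".aspx", ".ashx", ".asmx", ".php", ".jsp", ".exe", ".dll"}
BUSINESS_HOURS = range(8, 19)   # assumption: server local time, Monday to Friday
MIMIC_THRESHOLD = 0.85          # SequenceMatcher ratio; human2.aspx vs human.aspx scores ~0.95


@dataclass
class FileEntry:
    path: str
    created: datetime


def near_legit_name(name, baseline_names, threshold=MIMIC_THRESHOLD):
    """Return the baseline filename that `name` closely resembles, or None."""
    best, best_ratio = None, 0.0
    for legit in baseline_names:
        if legit == name:
            continue
        ratio = difflib.SequenceMatcher(None, name.lower(), legit.lower()).ratio()
        if ratio >= threshold and ratio > best_ratio:
            best, best_ratio = legit, ratio
    return best


def scan(entries, baseline):
    """Return {path: {"score": int, "reasons": [...]}} for executable files not in the baseline."""
    baseline_paths = set(baseline)
    baseline_names = {posixpath.basename(p) for p in baseline}
    findings = {}
    for e in entries:
        if e.path in baseline_paths:
            continue
        name = posixpath.basename(e.path)
        if posixpath.splitext(name)[1].lower() not in WEB_EXECUTABLE_EXT:
            continue  # static content; not a web shell candidate
        score, reasons = 1, ["executable file not in baseline"]
        if name in baseline_names:
            score += 2
            reasons.append("legitimate filename in unexpected directory")
        else:
            mimic = near_legit_name(name, baseline_names)
            if mimic:
                score += 2
                reasons.append(f"name mimics {mimic}")
        if e.created.weekday() >= 5 or e.created.hour not in BUSINESS_HOURS:
            score += 1
            reasons.append("created outside business hours")
        findings[e.path] = {"score": score, "reasons": reasons}
    return findings


# Constructed baseline and listing; dates mirror the Memorial Day 2023 weekend the report cites.
BASELINE = ["/wwwroot/human.aspx", "/wwwroot/default.aspx", "/wwwroot/web.config"]
LISTING = [
    FileEntry("/wwwroot/human.aspx", datetime(2022, 11, 3, 9, 30)),          # legitimate
    FileEntry("/wwwroot/human2.aspx", datetime(2023, 5, 28, 3, 14)),         # Sunday 03:14
    FileEntry("/wwwroot/uploads/human.aspx", datetime(2023, 5, 28, 3, 20)),  # real name, wrong place
    FileEntry("/wwwroot/report.aspx", datetime(2023, 5, 30, 10, 5)),         # Tuesday, business hours
    FileEntry("/wwwroot/images/logo.png", datetime(2023, 5, 28, 3, 0)),      # static, ignored
]

if __name__ == "__main__":
    for path, f in sorted(scan(LISTING, BASELINE).items(), key=lambda kv: -kv[1]["score"]):
        print(f"{f['score']}  {path}: {'; '.join(f['reasons'])}")
```

In practice the baseline should come from a known-good install or vendor manifest rather than from the possibly compromised host itself.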
Conclusion: Persistent Threat, Persistent Response
Clop has demonstrated remarkable resilience through law enforcement actions, public attribution, and industry-wide defensive improvements. Their evolution from phishing-based ransomware to zero-day exploitation represents the maturation of cybercriminal operations into strategic, long-term enterprises.
The February 2026 activity surge underscores Clop's operational model: identify vulnerabilities in widely-deployed enterprise software, develop exploitation tools, then execute coordinated campaigns that compromise hundreds of organizations simultaneously. By the time most defenders detect the breach, exfiltration is complete.
For security teams managing enterprise file transfer platforms, the risk assessment is straightforward: these systems are high-value targets for one of the world's most capable ransomware operations. The critical question isn't whether vulnerabilities exist—it's whether your organization can identify and remediate exposure before the next exploitation campaign begins.
Seven years since their first appearance, Clop shows no signs of operational decline. Defenders must match that persistence.
This threat intelligence report was compiled from CISA advisories, MITRE ATT&CK documentation, security vendor research from Trend Micro, CYFIRMA, SentinelOne, and Mandiant, and ongoing breach disclosure monitoring.