CLOP
CLOP ransomware primarily targets organizations that use vulnerable managed file transfer and secure FTP products such as SolarWinds Serv-U Managed File Transfer Server, Accellion FTA, and Progress Software MOVEit Transfer. The group typically exploits publicly exposed applications to gain initial access, often leveraging critical vulnerabilities like CVE-2021-35211 with a CVSS score of 10.0. Once inside, CLOP employs double extortion tactics, exfiltrating data before encrypting it and demanding ransom payments. This group is distinctive for its focus on high-severity vulnerabilities in specific vendor products rather than widespread phishing campaigns or indiscriminate network scanning.
CLOP's technical footprint includes a reliance on critical CVEs affecting managed file transfer systems, indicating a preference for RCE (remote code execution) and authentication bypass vulnerabilities. The group’s use of valid accounts and native API techniques suggests a level of sophistication that enables them to maintain persistence and evade detection while moving laterally within networks. Defenders should prioritize patching known vulnerabilities in their managed file transfer products and implementing strict access controls to mitigate the risk of initial compromise through exploitation.
CISA Intelligence #StopRansomware
#StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability · 2023-06-07
Staying Secure at Eventsno-cost Cyber ServicesSecure by design Secure Your BusinessReport A Cyber Issue
Close Topics Topics Cybersecurity Best Practices Cyber Threats and Response Critical Infrastructure Security and Resilience Election Security Emergency Communications Industrial Control Systems Information and Communications Technology Supply Chain Security Partnerships and Collaboration Physical Security Risk Management How can we help? GovernmentEducational InstitutionsIndustryState, Local, Tribal, and TerritorialIndividuals and FamiliesSmall and Medium BusinessesFind Help LocallyFaith-Based CommunityExecutivesHigh-Risk Communities Spotlight Resources & Tools Resources & Tools All Resources & Tools Services Programs Resources Training Groups News & Events News & Events Directives News Events Cybersecurity Alerts & Advisories Request a CISA Speaker Congressional Testimony CISA Conferences CISA Live! Careers Careers Benefits & Perks Hiring and Recruitment New Employee Orientation & Onboarding Students & Recent Graduates Veteran and Military Spouses About About Divisions & Offices Regions Leadership Doing Business with CISA Site Links CISA GitHub CISA Central Contact Us Subscribe Transparency and Accountability Policies & Plans Staying Secure at Eventsno-cost Cyber ServicesSecure by design Secure Your BusinessReport A Cyber Issue
Take an inventory of assets and data, identifying authorized and unauthorized devices and software.
Confirmed CVEs (7)
Exploited by this group as confirmed by threat intelligence sources.
Predicted CVEs (14) CORRELATION
How does prediction work?
Predicted CVEs are identified through automated correlation using multiple sources: vendor/product profiles historically targeted by the group (MITRE ATT&CK), attack chain patterns (KEV + TTPs), threat intelligence (MISP, STIX), and AI analysis. These CVEs have not been confirmed as exploited by this specific group, but have a high probability of being targets based on the actor's operational profile.