CLOP

RANSOMWARE

CLOP ransomware primarily targets organizations that use vulnerable managed file transfer and secure FTP products such as SolarWinds Serv-U Managed File Transfer Server, Accellion FTA, and Progress Software MOVEit Transfer. The group typically exploits publicly exposed applications to gain initial access, often leveraging critical vulnerabilities like CVE-2021-35211 with a CVSS score of 10.0. Once inside, CLOP employs double extortion tactics, exfiltrating data before encrypting it and demanding ransom payments. This group is distinctive for its focus on high-severity vulnerabilities in specific vendor products rather than widespread phishing campaigns or indiscriminate network scanning.

CLOP's technical footprint includes a reliance on critical CVEs affecting managed file transfer systems, indicating a preference for RCE (remote code execution) and authentication bypass vulnerabilities. The group’s use of valid accounts and native API techniques suggests a level of sophistication that enables them to maintain persistence and evade detection while moving laterally within networks. Defenders should prioritize patching known vulnerabilities in their managed file transfer products and implementing strict access controls to mitigate the risk of initial compromise through exploitation.

CISA Intelligence #StopRansomware

#StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability · 2023-06-07

Staying Secure at Eventsno-cost Cyber ServicesSecure by design Secure Your BusinessReport A Cyber Issue

Close Topics Topics Cybersecurity Best Practices Cyber Threats and Response Critical Infrastructure Security and Resilience Election Security Emergency Communications Industrial Control Systems Information and Communications Technology Supply Chain Security Partnerships and Collaboration Physical Security Risk Management How can we help? GovernmentEducational InstitutionsIndustryState, Local, Tribal, and TerritorialIndividuals and FamiliesSmall and Medium BusinessesFind Help LocallyFaith-Based CommunityExecutivesHigh-Risk Communities Spotlight Resources & Tools Resources & Tools All Resources & Tools Services Programs Resources Training Groups News & Events News & Events Directives News Events Cybersecurity Alerts & Advisories Request a CISA Speaker Congressional Testimony CISA Conferences CISA Live! Careers Careers Benefits & Perks Hiring and Recruitment New Employee Orientation & Onboarding Students & Recent Graduates Veteran and Military Spouses About About Divisions & Offices Regions Leadership Doing Business with CISA Site Links CISA GitHub CISA Central Contact Us Subscribe Transparency and Accountability Policies & Plans Staying Secure at Eventsno-cost Cyber ServicesSecure by design Secure Your BusinessReport A Cyber Issue

Take an inventory of assets and data, identifying authorized and unauthorized devices and software.

Confirmed CVEs (7)

Exploited by this group as confirmed by threat intelligence sources.

CVE-2021-35211 CRITICAL SolarWinds Serv-U Managed File Transfer Server and Serv-U Secured FTP 10.0 CVE-2024-55956 CRITICAL Cleo Multiple Products 9.8 CVE-2021-27101 CRITICAL Accellion FTA 9.8 CVE-2025-61882 CRITICAL Oracle Corporation Oracle Concurrent Processing 9.8 CVE-2023-34362 CRITICAL Progress MOVEit Transfer 9.8 CVE-2023-27350 CRITICAL PaperCut NG 9.8 CVE-2023-0669 HIGH Fortra Goanywhere MFT 7.2

Predicted CVEs (14) CORRELATION

How does prediction work?

Predicted CVEs are identified through automated correlation using multiple sources: vendor/product profiles historically targeted by the group (MITRE ATT&CK), attack chain patterns (KEV + TTPs), threat intelligence (MISP, STIX), and AI analysis. These CVEs have not been confirmed as exploited by this specific group, but have a high probability of being targets based on the actor's operational profile.

CVE-2021-35211 CRITICAL SolarWinds Serv-U Managed File Transfer Server and Serv-U Secured FTP predicted 10.0 CVE-2024-55956 CRITICAL Cleo Multiple Products predicted 9.8 CVE-2024-50623 CRITICAL Cleo Multiple Products predicted 9.8 CVE-2023-34362 CRITICAL Progress MOVEit Transfer predicted 9.8 CVE-2023-27350 CRITICAL PaperCut NG predicted 9.8 CVE-2021-27103 CRITICAL Accellion FTA predicted 9.8 CVE-2021-27104 CRITICAL Accellion FTA predicted 9.8 CVE-2021-27101 CRITICAL Accellion FTA predicted 9.8 CVE-2024-50623 CRITICAL Cleo Multiple Products low 9.8 CVE-2025-61882 CRITICAL Oracle Corporation Oracle Concurrent Processing predicted 9.8 CVE-2022-21587 CRITICAL Oracle Corporation Web Applications Desktop Integrator predicted 9.8 CVE-2025-10035 CRITICAL Fortra GoAnywhere MFT predicted 9.8 CVE-2025-61884 HIGH Oracle Corporation Oracle Configurator predicted 7.5 CVE-2023-0669 HIGH Fortra Goanywhere MFT predicted 7.2

ATT&CK Techniques (31)

T1078 Valid accounts Initial Access T1190 Exploit public-facing application Initial Access T1566.001 Phishing: Spear-phishing attachment Initial Access T1059 Command and scripting interpreter Execution T1106 Native API Execution T1204 User execution Execution T1543.003 Create or modify system process: Windows service Persistence T1547 Boot or logon autostart execution Persistence T1068 Exploitation for privilege escalation Privilege Escalation T1484.001 Domain Policy modification: Group Policy modification Privilege Escalation T1574 Hijack execution flow Privilege Escalation T1036.001 Masquerading: invalid code signature Defense Evasion T1055.001 Process injection: DLL injection Defense Evasion T1070.001 Indicator removal on host: clear Windows event logs Defense Evasion T1070.004 Indicator removal on host: file deletion Defense Evasion T1140 Deobfuscate/Decode files or information Defense Evasion T1202 Indirect command execution Defense Evasion T1562.001 Impair defenses: disable or modify tools Defense Evasion T1012 Query registry Discovery T1018 Remote system discovery Discovery T1057 Process discovery Discovery T1063 Security software discovery Discovery T1082 System information discovery Discovery T1083 File and directory discovery Discovery T1021.002 Remote services: SMB/Windows admin shares Lateral Movement T1570 Lateral tool transfer Lateral Movement T1005 Data from local system Collection T1567 Exfiltration over web service Exfiltration T1071 Application Layer Protocol Command and Control T1486 Data encrypted for impact Impact T1490 Inhibit system recovery Impact