The Cl0p mass-exploitation campaign is a multi-year, Russian-speaking criminal operation that has weaponised zero-day vulnerabilities in managed-file-transfer (MFT) software to extort thousands of organisations across four distinct waves. The operation, attributed by the threat-intelligence community to the Cl0p / TA505 / FIN11 cluster, is believed to have generated one of the largest cumulative revenues of any single ransomware-and-extortion operation to date.
Each wave follows a consistent operational pattern: zero-day in a widely-deployed MFT product, mass exploitation against every exposed instance, pure data extortion (no encryption) with public-leak-site pressure.
The four waves
Wave 1: Accellion FTA (December 2020 – February 2021)
The first MFT zero-day campaign. Cl0p exploited multiple vulnerabilities in Accellion's File Transfer Appliance (FTA), a legacy product already slated for end of life yet still widely deployed at legal, healthcare and government organisations. Roughly 100 organisations were breached, including:
- Kroger (U.S. supermarket chain)
- Jones Day (law firm)
- Trinity Health (healthcare)
- Stanford University Medical School
- University of Colorado
- Reserve Bank of New Zealand
- Australian Securities and Investments Commission
The Accellion wave established the operational template Cl0p would refine across subsequent campaigns.
Wave 2: GoAnywhere MFT (January – February 2023)
Cl0p exploited CVE-2023-0669, a pre-authentication remote code execution vulnerability in the administrative console of Fortra's GoAnywhere Managed File Transfer. Cl0p claimed roughly 130 victim organisations, including:
- Hatch Bank
- Hitachi Energy
- Procter & Gamble
- Community Health Systems (CHS)
- U.S. Treasury Department Office of Inspector General
Wave 3: MOVEit Transfer (late May 2023 onward)
Catalogued separately as MOVEit Cl0p 2023. The largest wave. Cl0p exploited CVE-2023-34362, a SQL injection zero-day in Progress Software's MOVEit Transfer, in a burst of mass exploitation over the U.S. Memorial Day weekend. Approximately 2,700 organisations were breached, with downstream impact on roughly 95 million individuals; many victims were affected indirectly through service providers that ran MOVEit on their behalf, and breach notifications continued for more than a year after the exploitation window closed. Notable named victims included the BBC, British Airways, Boots, Aer Lingus, Shell, Sony, Deloitte, EY, PwC, the U.S. Department of Energy, Johns Hopkins University and Maximus.
Wave 4: Cleo Harmony / VLTrader / LexiCom (December 2024 – ongoing)
Most recent at time of writing. Cl0p exploited CVE-2024-50623 (disclosed by Cleo in October 2024 with a patch that proved insufficient) and CVE-2024-55956, both unauthenticated file-handling flaws in Cleo's MFT product suite that allow arbitrary file write and, from there, code execution. Approximately 66 organisations were confirmed breached as of early 2025, including Hertz, HP Inc., Western Alliance Bank and multiple U.S. state government agencies.
Operational pattern
The Cl0p MFT campaign has refined a consistent playbook across waves:
- Identify a managed-file-transfer product with significant enterprise deployment and concentrated trust (MFT products typically carry the most sensitive data exchanged between organisations, and the files waiting on the appliance are already the material worth stealing).
- Develop a zero-day in the product's internet-facing web interface that is exploitable without credentials. The four waves have used SQL injection (Accellion, MOVEit), insecure deserialization in the administrative console (GoAnywhere) and unrestricted file upload/write (Cleo).
- Conduct internet-scale exploitation in a brief window, typically over a long weekend or public holiday, to maximise the time between first compromise and vendor patch or defender response.
- Drop a webshell (or equivalent backdoor) into the application's webroot for persistent post-exploitation access.
- Exfiltrate everything reachable: the entire store of files in transit, the application database, and stored credentials such as cloud-storage keys that may enable downstream attacks.
- Mass-publish victims on the Cl0p leak site with deadlines, demanding a separate ransom from each. No encryption is deployed: the operation has fully transitioned to pure data extortion.
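As an added example (not code from the original page or from any Cl0p-related tooling), the following Python script implements the defender's counterpart to the webshell and exfiltration steps of the playbook above: take a hash manifest of the MFT application's webroot, diff a later manifest against it, and correlate any newly appeared file with access-log requests to that path. The directory layout, file contents and log lines are constructed stand-ins; a real deployment would snapshot the product's actual webroot and read the web server's real access log.

```python
"""Webroot baseline diff plus access-log correlation.

A dropped webshell is a new server-side file in the webroot that is then
driven over HTTP. This check snapshots the webroot, diffs a later snapshot
against it, and flags requests to any file absent from the baseline.
Paths, file contents and log lines below are constructed for the example.
"""
import hashlib
import os
import re
import tempfile

# Apache/nginx "combined" access-log format; only the fields used are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def manifest(root):
    """Map every file under root (forward-slash relative path) to its SHA-256."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out


def diff_manifests(baseline, current):
    """Return (added, modified, removed) relative paths, each sorted."""
    added = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    removed = sorted(p for p in baseline if p not in current)
    return added, modified, removed


def requests_to_new_files(log_lines, new_files):
    """Return access-log hits whose URL path resolves to a file not in the baseline.

    Only files that exist on disk but were absent from the baseline are watched,
    so dynamic application routes do not generate false positives. A POST to
    such a file is the usual signature of an operator driving a fresh webshell.
    """
    watch = set(new_files)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production job would count these
        rel = m.group("path").split("?", 1)[0].lstrip("/")
        if rel in watch:
            hits.append({"ip": m.group("ip"), "method": m.group("method"),
                         "path": rel, "status": m.group("status")})
    return hits


def demo():
    """Simulate a baseline, a later drop and the log correlation; return results."""
    with tempfile.TemporaryDirectory() as root:
        def put(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)

        # Baseline: the application as shipped (constructed stand-ins).
        put("default.aspx", b'<%@ Page Language="C#" %> shipped page')
        put("scripts/app.js", b"console.log('shipped');")
        baseline = manifest(root)

        # Later snapshot: a legitimate change to app.js and a dropped handler.
        put("scripts/app.js", b"console.log('updated');")
        put("tmp/up.aspx", b"<% /* constructed stand-in for a webshell */ %>")
        current = manifest(root)
        added, modified, removed = diff_manifests(baseline, current)

        # Constructed access-log lines covering the same window.
        logs = [
            '198.51.100.4 - - [01/Jan/2024:02:13:58 +0000] "GET /default.aspx HTTP/1.1" 200 4096',
            '203.0.113.7 - - [01/Jan/2024:02:14:09 +0000] "POST /tmp/up.aspx?c=whoami HTTP/1.1" 200 512',
            '198.51.100.4 - - [01/Jan/2024:02:15:00 +0000] "GET /scripts/app.js HTTP/1.1" 200 1024',
            'garbage line that should be skipped',
        ]
        hits = requests_to_new_files(logs, added)
        return added, modified, removed, hits


if __name__ == "__main__":
    print(demo())
```

Run the manifest from a schedule that the appliance's own web process cannot alter (a read-only host mount or an EDR file-integrity job), and treat the modified list as a separate queue: entries there should match a vendor patch or an administrator's change record, and anything that does not is as interesting as a new file.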
The operation's preference for pure extortion over encryption distinguishes it from most other major ransomware operations. The economic argument: encryption-recovery has improved enough (better backup hygiene, more decryptor recovery operations) that the leverage value of encryption has declined, while data-leak pressure remains undiminished.
Component incidents
- MOVEit Cl0p 2023 — ~2,700 downstream victims (Wave 3)
Other waves (Accellion, GoAnywhere, Cleo) are not separately catalogued at incident scale.
Why it matters
The Cl0p MFT campaign established:
- That managed-file-transfer products are systemic-risk infrastructure. MFT vendors sit on the most sensitive data movements across the enterprise economy, so a single flaw in one product has a blast radius comparable to a compromise of an identity provider or a major SaaS platform.
- That pure data extortion is operationally viable at scale. Cl0p has extracted what analysts estimate to be tens to hundreds of millions of dollars from data-leak pressure alone, with no encryption payload.
- That multi-wave campaigns are now a sustained criminal-operational model. The same actor, the same tactics, repeated against different products over years — a campaign-level pattern that requires campaign-level analytic framing.
- That operational discipline by criminal operators can extend over years. Cl0p has maintained the same operational signature across four waves without an OPSEC failure sufficient for U.S. law enforcement to publicly name its core operators, which distinguishes it from REvil, LockBit and Conti, all of which produced named-individual attributions.
The operation remains active at the time of writing. The next MFT zero-day cycle is widely expected by threat-intelligence analysts.