From Zero-Day to Payday: Inside Clop’s Strategy and How to Defend Your Business


Threat Actor Spotlight (TAS) is our blog series that examines ransomware groups’ tactics, techniques, and procedures (TTPs), victimology, and recent campaigns with the ultimate goal of providing you with clear, actionable steps to prevent attacks.

In this edition we look at Clop, as they have been the most active group over the past 30 days, as shown in the chart below.

Why should we care about Clop?

Clop goes way back. It was first observed in February 2019, and their name takes various spellings: ‘Cl0p’ (spelled with a zero), ‘clop’, ‘CL0P’.

They’ve also been known by several aliases:

  • ‘Sangria Tempest’
  • ‘TA505’
  • ‘CHIMBORAZO’
  • ‘Hive0065’
  • ‘Lace Tempest’
  • ‘FANCYCAT’
  • ‘Graceful Spider’
  • ‘Gold Tahoe’
  • ‘FIN11’
  • ‘DEV-0950’
  • ‘Carbon Spider’
  • ‘Gold Evergreen’
  • ‘Gold Waterfall’
  • ‘Spandex Tempest’

They are one of the longest running ransomware groups and have continued their activity into 2026. Understanding what they do, how they do it and who they target is essential to protecting your organisation, regardless of size or industry.

As of writing, Clop has claimed the second-highest number of victims this year, behind only Qilin, who we profiled in a previous TAS piece.

Bar chart showing number of incidents in 2026 by threat actor
Source: https://www.ransomware.live/stats

Clop are what cybersecurity professionals call a “big game hunter.” They target major corporations and government agencies. Increasingly, however, they are focusing on small and medium-sized businesses in high-value sectors such as technology, manufacturing, construction, and professional services.

Bar chart of sectors Clop targets

They are most active in the United States, Canada, United Kingdom, and Australia.

Map showing countries where Clop victims are located

How Clop compromises

Clop targets enterprise systems that handle sensitive data and are widely used by established businesses. Often this is done by exploiting a known weakness in the software, but Clop has an established history of using what’s known as a zero-day vulnerability (0-day). These are software weaknesses that are exploited before the vendor is aware of them, or before a fix has been released.

Here are a few of Clop’s notable 0-days:

Oracle E-Business Suite

Google Threat Intelligence Group and Mandiant observed activity indicating that Clop had been exploiting CVE-2025-61882, which was published in October 2025, since 9 August 2025 and possibly in July of that year. The full analysis is available here.

Progress Software MOVEit

Software that handles file transfer and storage is a goldmine for ransomware groups. On 27 May 2023, Cl0p exploited a zero-day vulnerability (CVE-2023-34362) in Progress Software’s MOVEit product. With this campaign Clop pivoted its strategy from data encryption to data exfiltration and extortion. While backups can help an organisation recover from a ransomware attack that encrypts files, they do not protect an organisation from sensitive data being leaked on the dark web. This vulnerability gave Clop another lever to pull when demanding ransoms from organisations. The MOVEit attack also illustrates the supply chain risk that makes Cl0p so dangerous. Many victims weren’t direct MOVEit customers; they were compromised because a vendor or service provider they worked with used MOVEit.

Other vulnerabilities Clop has exploited in the past:

CVE-2024-21762, CVE-2024-21412, CVE-2024-0204, CVE-2023-4966, CVE-2023-49103, CVE-2023-36025, CVE-2023-3284, CVE-2023-22527, CVE-2023-20269, CVE-2022-47966

Cleo software attack

Following the MOVEit exploit, Clop homed in on another file transfer vendor, Cleo. Two vulnerabilities (CVE-2024-55956 and CVE-2024-50623) were exploited, and in January and February of 2025 Clop announced hundreds of victims on its leak site. This campaign is captured in a timeline published by Black Kite.

Practical Steps to Protect Your Business

While all of this might sound alarming, most ransomware attacks succeed not because of sophisticated hacking, but because of preventable security gaps.

The organisations that fare best aren’t necessarily those with the biggest IT budgets. They’re the ones that have implemented fundamental security practices and made cybersecurity a business priority.

You don’t need to become a cybersecurity expert to significantly reduce your risk. Here are the most effective protections you can implement:

1. Keep Your Software Updated

When your software vendors release security updates, apply them promptly, especially for business-critical systems like file transfer tools, enterprise resource planning platforms, and customer relationship management software.

Establish a policy that critical security patches are applied within 72 hours of release. For smaller organisations, consider managed IT services that handle this automatically.

2. Implement Strong Backup Practices

If attackers encrypt or steal your data, clean backups allow you to restore operations without paying a ransom. Apply and rehearse the 3-2-1-1-0 rule: Keep three copies of your data, on two different types of storage media, with one copy stored offsite or in the cloud, one copy offline or immutable (can’t be altered), and zero errors when you test your recovery process.

When an incident is in progress, many organisations discover their backups don’t work. The rehearsal step is critical. Test your backups regularly.
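The rehearsal step is easy to describe and easy to skip. The script below is an added example, not code from the original post or from any backup product: it checks a backup manifest against the 3-2-1-1 parts of the rule, then takes a small constructed data set, archives it, restores it into a scratch directory and counts files whose SHA-256 hash no longer matches the original. That count is the "0" in 3-2-1-1-0. The `BackupCopy` fields and the sample files are assumptions made for this example.

```python
import hashlib
import os
import tarfile
import tempfile
from dataclasses import dataclass


@dataclass
class BackupCopy:
    """One copy of the same backup set. Field names are assumptions for this example."""
    location: str
    media: str        # e.g. "disk", "tape", "object-storage"
    offsite: bool
    immutable: bool   # offline, write-once, or object-lock protected


def check_3_2_1_1(copies):
    """Report which parts of the 3-2-1-1 rule a manifest of copies satisfies."""
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({c.media for c in copies}) >= 2,
        "one_offsite": any(c.offsite for c in copies),
        "one_immutable": any(c.immutable for c in copies),
    }


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir, archive_path):
    """Archive source_dir and return {relative_path: sha256} for every file backed up."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _, files in os.walk(source_dir):
            for name in files:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, source_dir)
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    return manifest


def rehearse_restore(archive_path, manifest):
    """Restore into a scratch directory and count files that are missing or altered.
    The '0' in 3-2-1-1-0 means this must return 0 before the backup is trusted."""
    errors = 0
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                # The "data" filter refuses absolute paths and path traversal in the archive.
                tar.extractall(restore_dir, filter="data")
            except TypeError:  # older Python without the filter argument
                tar.extractall(restore_dir)
        for rel, expected in manifest.items():
            restored = os.path.join(restore_dir, rel)
            if not os.path.isfile(restored) or sha256_file(restored) != expected:
                errors += 1
    return errors


def demo():
    """Build a constructed data set, back it up, rehearse the restore.
    Returns (restore_errors, files_backed_up)."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "data")
        os.makedirs(os.path.join(source, "invoices"))
        with open(os.path.join(source, "invoices", "2026-01.csv"), "w") as f:
            f.write("id,amount\n1,100\n")          # constructed sample data
        with open(os.path.join(source, "notes.txt"), "w") as f:
            f.write("constructed sample data\n")
        archive = os.path.join(work, "backup.tar.gz")
        manifest = make_backup(source, archive)
        return rehearse_restore(archive, manifest), len(manifest)


if __name__ == "__main__":
    print(demo())
```

In a real rehearsal the restore target should be an isolated machine, not the production host, and the hash manifest should be stored alongside the immutable copy so an attacker who alters the backup cannot also alter the record of what it should contain.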

3. Require Multi-Factor Authentication (MFA)

Multi-factor authentication means requiring two or more forms of verification before granting access to systems, typically something you know (password) plus something you have (a code sent to your phone).

This step blocks the vast majority of credential-based attacks. Even if hackers steal employee passwords, they can’t access your systems without the second authentication factor.
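To show what the second factor actually checks, here is an added example of a time-based one-time password (TOTP, RFC 6238) verifier, which is the kind of code an authenticator app and a login server run. It is not code from the original post; the `TotpVerifier` class and its user-tracking are assumptions made for this example. The test vectors come from RFC 6238.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated to N digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP keyed by the current 30-second time step."""
    return hotp(secret, at // step, digits)


def secret_from_base32(enrolled: str) -> bytes:
    """Authenticator apps are enrolled with a base32 secret (the text behind the QR code)."""
    return base64.b32decode(enrolled.upper().replace(" ", ""))


class TotpVerifier:
    """Server-side check of a user's second factor.

    Accepts one time step of clock skew either way, compares in constant time,
    and never accepts a time step at or before the last one it accepted for a
    user, so a code that has already been used cannot be replayed."""

    def __init__(self, step: int = 30, skew: int = 1, digits: int = 6):
        self.step = step
        self.skew = skew
        self.digits = digits
        self._last_step = {}  # user -> last accepted time step (assumed in-memory store)

    def verify(self, user: str, secret: bytes, code: str, now=None) -> bool:
        if len(code) != self.digits or not code.isdigit():
            return False
        now = int(time.time()) if now is None else now
        current = now // self.step
        for candidate in range(current - self.skew, current + self.skew + 1):
            if candidate <= self._last_step.get(user, -1):
                continue  # already consumed, or older than a code already accepted
            if hmac.compare_digest(hotp(secret, candidate, self.digits), code):
                self._last_step[user] = candidate
                return True
        return False


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"  # RFC 6238 test secret, not a real enrollment
    v = TotpVerifier()
    print(totp(demo_secret, 59), v.verify("alice", demo_secret, totp(demo_secret, 59), now=59))
```

Two details matter for a deployment: the per-user "last accepted step" must live in shared storage if more than one server handles logins, and the skew window should stay at one step, since widening it to tolerate badly synchronised clocks also widens the window in which a phished code still works.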

4. Train Your Team

Your employees are your first line of defence. Human error remains the number one cause of successful cyberattacks, accounting for the entry point in most ransomware incidents.

Effective training includes:

  • How to identify phishing emails and suspicious links
  • Procedures for verifying unexpected requests for sensitive information
  • Who to contact if something seems off
  • Regular, short, engaging sessions (not just annual compliance training)

5. Segment Your Network

Network segmentation means dividing your network into separate zones so that if attackers breach one area, they can’t automatically access everything. This limits how far attackers can move through your systems if they gain initial access.

6. Monitor Vendor Security

Clop’s specialty is attacking through widely-used business software. You need to know what software your organisation uses and whether vendors are maintaining strong security practices.

Some actionable steps you can take are:

  • Maintain an inventory of all third-party software and services
  • Ensure you receive security alerts from all critical vendors
  • Have a process for quickly applying vendor security updates
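Steps 1 and 6 both come down to the same data: knowing what you run, knowing when the vendor published a fix, and measuring the gap. The script below is an added example, not code from the original post or from any vendor: it matches a constructed software inventory against constructed vendor advisories, reports every unpatched advisory with how long it has been open against the 72-hour target from step 1, and lists critical vendors for which nobody is subscribed to security alerts. The vendor names, product names and advisory ids are placeholders invented for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

PATCH_SLA = timedelta(hours=72)  # the 72-hour target for critical security patches


def parse_version(v: str):
    """Turn '4.10.2' into (4, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Asset:
    vendor: str
    product: str
    version: str
    critical: bool   # business-critical system (file transfer, ERP, CRM, ...)


@dataclass
class Advisory:
    vendor: str
    product: str
    fixed_version: str     # first version that contains the fix
    published: datetime
    advisory_id: str


def affected(asset: Asset, adv: Advisory) -> bool:
    return (asset.vendor, asset.product) == (adv.vendor, adv.product) and \
        parse_version(asset.version) < parse_version(adv.fixed_version)


def patch_report(inventory, advisories, now: datetime):
    """One row per (asset, open advisory): how long the fix has been available
    and whether the patch SLA has already been breached."""
    rows = []
    for asset in inventory:
        for adv in advisories:
            if affected(asset, adv):
                age = now - adv.published
                rows.append({
                    "asset": f"{asset.vendor} {asset.product} {asset.version}",
                    "advisory": adv.advisory_id,
                    "fix": adv.fixed_version,
                    "open_hours": int(age.total_seconds() // 3600),
                    "sla_breached": age > PATCH_SLA,
                })
    return rows


def vendors_without_alerts(inventory, subscribed_vendors):
    """Critical vendors whose security advisories nobody in the organisation receives."""
    critical_vendors = {a.vendor for a in inventory if a.critical}
    return sorted(critical_vendors - set(subscribed_vendors))


# Constructed sample data; names and advisory ids are placeholders, not real products.
NOW = datetime(2026, 3, 10, 12, 0, tzinfo=timezone.utc)
INVENTORY = [
    Asset("ExampleCorp", "TransferHub", "4.2.0", critical=True),
    Asset("ExampleCorp", "TransferHub", "4.3.1", critical=True),   # already patched host
    Asset("Acme", "LedgerERP", "11.0", critical=True),
    Asset("Acme", "Widgets", "1.0", critical=False),
]
ADVISORIES = [
    Advisory("ExampleCorp", "TransferHub", "4.3.0", NOW - timedelta(hours=100), "EXAMPLE-ADV-001"),
    Advisory("Acme", "LedgerERP", "11.1", NOW - timedelta(hours=10), "EXAMPLE-ADV-002"),
]
SUBSCRIBED = ["ExampleCorp"]

if __name__ == "__main__":
    for row in patch_report(INVENTORY, ADVISORIES, NOW):
        flag = "SLA BREACHED" if row["sla_breached"] else "within SLA"
        print(f'{row["asset"]}: {row["advisory"]} fixed in {row["fix"]}, open {row["open_hours"]}h ({flag})')
    print("critical vendors with no alert subscription:", vendors_without_alerts(INVENTORY, SUBSCRIBED))
```

In practice the inventory comes from an asset management or endpoint tool and the advisories from vendor mailing lists or a feed such as a national CERT; the point of the report is that "has a fix been available for more than 72 hours on a system we still run?" is a question you can answer mechanically every morning rather than during an incident.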

7. Develop an Incident Response Plan

Having a clear plan before an incident occurs allows you to respond quickly and effectively, minimising damage and downtime.

Your plan should include:

  • Who makes decisions during a cybersecurity incident
  • How to isolate infected systems to prevent spread
  • Communication procedures (internal teams, customers, regulators, media)
  • Step-by-step recovery procedures
  • Contact information for cybersecurity experts, legal counsel, and law enforcement

8. Consider Cyber Insurance

Cyber insurance has become an essential component of comprehensive risk management. A good policy can help cover costs associated with ransomware attacks, including forensic investigation, legal fees, notification costs, credit monitoring for affected individuals, regulatory fines, and business interruption losses.

Insurers increasingly require organisations to demonstrate basic cybersecurity practices (like MFA and regular backups) before providing coverage.

Special Considerations for High-Risk Industries

If your organisation operates in manufacturing, retail, transportation, healthcare, or education (Cl0p’s most frequently targeted sectors), consider these additional precautions:

  • Conduct regular security assessments of your most critical systems
  • Implement zero-trust security principles, which assume that threats could come from anywhere and verify every access request
  • Consider working with a Managed Security Service Provider (MSSP) for continuous monitoring and threat detection
  • Participate in industry information-sharing groups to learn about threats targeting your sector

While Cl0p represents a serious and evolving threat, protection is achievable. None of these measures is perfect on its own, but together they create layers of defence that make your organisation a much harder target, and criminals like Clop generally move on to easier targets.
