Threat Intelligence Tarot
pentacles · 1
Criminal (Russian-speaking)
G0092 · ★★★★★
risk 5/5
✦ The Silent Toll ✦
Cl0p
TA505 (overlap) · CLOP ransomware group
Enterprise file transfer users · MOVEit users · GoAnywhere users · Healthcare · Finance
Active since ~2019 · Mass exploitation of file transfer vulnerabilities, Data extortion, Zero-day weaponization
The Silent Toll discovered that every enterprise uses file transfer software. Every enterprise has a file transfer vulnerability. It finds them first, exploits them all at once, and charges a toll on every file that crossed the wire. The scale is industrial - millions of victims from a single zero-day.
Tactics & Techniques
RCN (Reconnaissance) · RDV (Resource Development) · INI (Initial Access) · EXC (Execution) · PRS (Persistence) · PRV (Privilege Escalation) · EVA (Defense Evasion) · CRD (Credential Access) · DSC (Discovery) · LAT (Lateral Movement) · COL (Collection) · C2 (Command and Control) · EXF (Exfiltration) · IMP (Impact)
Notable Operations
- ◆ MOVEit zero-day exploitation - 2,000+ organizations, 62M+ individuals (2023)
- ◆ GoAnywhere MFT zero-day - 130+ organizations (2023)
- ◆ Accellion FTA zero-day campaign - financial and government sectors (2021)
- ◆ Shell, BBC, British Airways, NHS data breaches via MOVEit
Defenses
- ▸ Managed file transfer software patching and emergency response SLA (CIS Control 7)
- ▸ Network segmentation isolating MFT systems from sensitive data stores (CIS Control 12)
- ▸ Data classification to limit what MFT systems can access (CIS Control 3)
- ▸ Incident response plan for mass data breach notification (NIST CSF: RS.CO)
Reversed: Their Weakness
Cl0p's mass exploitation approach creates its own limitations: so many victims notified simultaneously overwhelmed its negotiation capacity, many organizations opted for notification over payment, and the sheer scale attracted coordinated international law enforcement action.
Data sourced from MITRE ATT&CK. For educational purposes.