Threat Intelligence Tarot
pentacles · 1
Criminal (Russian-speaking)
G0092
risk 5/5
The Silent Toll
Cl0p
TA505 (overlap) · CLOP ransomware group
Enterprise file transfer usersMOVEit usersGoAnywhere usersHealthcareFinance
Active since ~2019 · Mass exploitation of file transfer vulnerabilities, Data extortion, Zero-day weaponization
The Silent Toll discovered that every enterprise uses file transfer software. Every enterprise has a file transfer vulnerability. It finds them first, exploits them all at once, and charges a toll on every file that crossed the wire. The scale is industrial - millions of victims from a single zero-day.
Tactics & Techniques
RCN
RDV
INI
EXC
PRS
PRV
EVA
CRD
DSC
LAT
COL
C2
EXF
IMP
T1190
Exploit Public-Facing Application
Initial Access
T1485
Data Destruction
Impact
T1486
Data Encrypted for Impact
Impact
T1567
Exfiltration Over Web Service
Exfiltration
T1657
Financial Theft
Impact
T1068
Exploitation for Privilege Escalation
Privilege Escalation
Notable Operations
  • MOVEit zero-day exploitation - 2,000+ organizations, 62M+ individuals (2023)
  • GoAnywhere MFT zero-day - 130+ organizations (2023)
  • Accellion FTA zero-day campaign - financial and government sectors (2021)
  • Shell, BBC, British Airways, NHS data breaches via MOVEit
Defenses
Reversed: Their Weakness
Cl0p's mass exploitation approach creates its own limitations: so many victims notified simultaneously overwhelmed its negotiation capacity, many organizations opted for notification over payment, and the sheer scale attracted coordinated international law enforcement action.

Share this adversary profile

Compare →

swipe to browse

← PreviousThe Latin BladeNext →The Dark Dividend
Related Adversaries
The Auction House
RansomHub
3 shared TTPs
The Rebrand
BlackMatter
3 shared TTPs
The Dark Dividend
DarkSide
3 shared TTPs
Data sourced from MITRE ATT&CK. For educational purposes.