Cl0p (aka CL0P/CLOP) — Ransomware Threat Analysis & Defender Playbook
Prepared by CyberDudeBivash Threat Intelligence — updated Aug 31, 2025 (IST)

Executive summary

Cl0p is a financially motivated operation linked to TA505/FIN11 (Microsoft: Lace Tempest) that excels at mass exploitation of file-transfer and edge applications to steal data at scale—often without deploying an encryptor. Landmark campaigns include Accellion FTA (2020–21), GoAnywhere MFT (CVE-2023-0669), MOVEit Transfer (CVE-2023-34362, “LEMURLOOT” web shell), SysAid (CVE-2023-47246), and the Cleo MFT flaws (late 2024), with victim leaks continuing into 2025. (Sources: CISA, Google Cloud, Quorum Cyber, Greenbone)


Who/what is Cl0p (model, links, scale)

  • Attribution & ecosystem. U.S. and allied governments and security vendors tie the MOVEit/GoAnywhere/Accellion waves to TA505/Lace Tempest (FIN11), which operates the Cl0p extortion site. (Sources: CISA, HHS.gov)

  • Tradecraft shift. Since 2021 Cl0p has often favored data-theft-only (“name-and-shame”) extortion over classic crypto-locking: it emails executives and then posts victims to its leak site. (Source: CISA)

  • 2024–25. After the Cleo MFT zero-days, new leak pages and threats appeared through Jan 2025; MOVEit legal fallout (e.g., Nuance class-action settlement approvals in Aug 2025) underscores the long-tail risk. (Sources: BankInfoSecurity, ZeroFox, The HIPAA Journal)


Timeline of major supply-chain/style campaigns

  • Accellion FTA (2020–21): exploitation of multiple zero-days; DEWMODE web shell → data theft & extortion. (Source: Google Cloud)

  • GoAnywhere MFT (Jan 2023): CVE-2023-0669 mass abuse; ~130 orgs impacted in 10 days, mostly exfil-only. (Source: CISA)

  • MOVEit Transfer (May–Jun 2023): CVE-2023-34362 SQL injection → LEMURLOOT (human2.aspx) web shell → database access, admin-account creation, Azure settings theft; Cl0p posted a broad extortion notice. (Sources: CISA, Rapid7)

  • SysAid (Nov 2023): CVE-2023-47246 path traversal/RCE exploited by Lace Tempest in intrusions attributed to Cl0p. (Sources: Quorum Cyber, The HIPAA Journal)

  • Cleo Harmony/VLTrader/LexiCom (Q4 2024 → 2025): critical RCE flaws exploited; Cl0p threatened to name victims publicly; new leak pages observed Jan 2025. (Sources: Greenbone, Field Effect, BankInfoSecurity)


Attack chain (MITRE ATT&CK highlights)

Initial access — TA0001

  • Zero-day / N-day exploitation of MFT/ITSM appliances (MOVEit, GoAnywhere, Accellion FTA, SysAid, Cleo). (Sources: CISA, Quorum Cyber)

Execution & discovery — TA0002/TA0007

  • Web shells (LEMURLOOT, DEWMODE) used for DB queries, file pulls, and admin creation on the appliance. (Source: CISA)

Exfiltration & extortion — TA0010

  • Rapid archive & exfil from the edge platform, then email + leak-site pressure; in MOVEit, Cl0p demanded victims contact them by specific deadlines. (Sources: CISA, Rapid7)

Impact — TA0040

  • Historically appends extensions such as .clop/.CI_0_P, but many 2023–25 campaigns skip encryption entirely (data-theft-only). (Sources: Mimecast, Microsoft, CISA)


Artifacts & indicators (focus on behaviors over hashes)

  • MOVEit web-shelling: presence of human2.aspx; requests carrying the X-siLock-Comment header; anomalous queries to MOVEit APIs; a new admin account named “Health Check Service.” (Source: CISA)

  • GoAnywhere: extortion emails referencing CVE-2023-0669 and file inventories captured from the MFT (per FBI/CISA). (Source: CISA)

  • Cleo/SysAid: sudden process launches and outbound connections from those servers during patch-lag windows (CVE-2024-50623 / CVE-2024-55956; CVE-2023-47246). (Sources: Greenbone, Huntress, Quorum Cyber)


Detection & hunting quick wins

Edge/MFT telemetry

  • WAF/proxy rules for known MOVEit indicators (unexpected human2.aspx, suspicious POSTs to MOVEit endpoints, auth-header anomalies). (Source: CISA)

  • Alert on new admin creation on MOVEit named/aliased “Health Check Service.” (Source: CISA)

  • SysAid/Cleo: watch for web-to-shell sequences and archives departing those hosts; baseline and alert on large outbound transfers. (Sources: Quorum Cyber, Greenbone)
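To make the MOVEit indicators above concrete, here is an added hunting script (not part of the original playbook) that scans constructed access and audit records for the three artifacts this page lists: human2.aspx requests, the X-siLock-Comment header, and an admin account named “Health Check Service”. The JSON-lines layout and field names are this example's own assumption, not MOVEit's native log schema.

```python
import json
import re

# Constructed JSON-lines sample from a fictional MOVEit host: three HTTP
# access records and two audit records. Field names are invented for this
# example; adapt the loader to your real web-server and audit log format.
SAMPLE_LOG = """
{"kind":"http","src":"203.0.113.5","method":"GET","path":"/human.aspx","headers":{}}
{"kind":"http","src":"198.51.100.7","method":"POST","path":"/moveitisapi/moveitisapi.dll?action=m2","headers":{"X-siLock-Comment":"c0ffee"}}
{"kind":"http","src":"198.51.100.7","method":"GET","path":"/HUMAN2.aspx","headers":{"X-siLock-Comment":"c0ffee"}}
{"kind":"audit","src":"198.51.100.7","action":"user_create","username":"svc_hc","display":"Health Check Service","role":"admin"}
{"kind":"audit","src":"10.0.0.8","action":"user_create","username":"jdoe","display":"Jane Doe","role":"user"}
"""

# LEMURLOOT was dropped as human2.aspx; match case-insensitively because IIS
# paths are not case-sensitive. The admin name check tolerates spacing variants.
SHELL_PATH = re.compile(r"/human2\.aspx", re.IGNORECASE)
HC_NAME = re.compile(r"health\s*check\s*service", re.IGNORECASE)


def hunt(log_text):
    """Return (source_ip, indicator) pairs for every record that matches a rule."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        src = rec.get("src", "?")
        if rec.get("kind") == "http":
            if SHELL_PATH.search(rec.get("path", "")):
                hits.append((src, "human2.aspx request"))
            # Header names are case-insensitive on the wire; normalise before lookup.
            hdrs = {k.lower(): v for k, v in rec.get("headers", {}).items()}
            if hdrs.get("x-silock-comment"):
                hits.append((src, "X-siLock-Comment header"))
        elif rec.get("kind") == "audit" and rec.get("action") == "user_create":
            names = rec.get("display", "") + " " + rec.get("username", "")
            if rec.get("role") == "admin" and HC_NAME.search(names):
                hits.append((src, "admin named Health Check Service"))
    return hits


def score_sources(hits):
    """Group distinct indicators per source IP. One source producing several
    distinct indicators is the shell-then-admin sequence worth escalating."""
    by_src = {}
    for src, indicator in hits:
        by_src.setdefault(src, set()).add(indicator)
    return {src: sorted(inds) for src, inds in by_src.items()}


if __name__ == "__main__":
    for src, inds in score_sources(hunt(SAMPLE_LOG)).items():
        print(f"{src}: {', '.join(inds)}")
```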

Enterprise

  • If Cl0p does pivot inside: look for Truebot → FlawedGrace/Cobalt Strike, PsExec staging, and RAR + SFTP/HTTP egress to new ASNs. (Source: CISA)


Mitigation priorities (that actually cut risk)

  1. Patch/harden the edge first — Progress MOVEit, Fortra GoAnywhere, SysAid, Cleo (apply vendor-fixed versions; disable public access where possible; IP allowlists & WAF). (Sources: community.progress.com, NVD, SysAid, Greenbone)

  2. Compensating controls — short-term geo/IP allowlists, MFA on vendor consoles, rotation of service accounts after upgrades. (Source: CISA)

  3. Exfil choke points — DLP/egress policies for the archive-then-exfil pattern from MFT/ITSM servers; restrict SFTP/HTTP POST from those hosts. (Source: CISA)

  4. IR readiness — pre-draft comms for mass notification; know your legal exposure (MOVEit lawsuits/settlements continue in 2025). (Sources: BankInfoSecurity, The Register)
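For the “baseline and alert on large outbound transfers” quick win and the exfil choke point above, an added example (not from the original post) builds a per-host robust baseline from constructed daily outbound-byte totals and flags the host whose latest day breaks it. Host names and volumes are constructed; a real deployment would feed NetFlow or proxy byte counts into the same functions.

```python
from statistics import median

# Constructed daily outbound totals in MB for two edge hosts: 14 days of
# history followed by today (last element). Values are illustrative only.
SAMPLE_EGRESS = {
    "moveit-01": [120, 130, 125, 118, 140, 122, 128, 135, 119, 126, 131, 124, 129, 127, 4800],
    "sysaid-01": [40, 42, 38, 45, 41, 39, 44, 43, 40, 42, 41, 39, 44, 42, 47],
}


def robust_threshold(history, k=6.0, floor_ratio=3.0):
    """Median + k * MAD, but never below floor_ratio x median.

    MFT servers usually have a very flat egress profile, so the MAD can be tiny
    and median + k*MAD would page on a trivial bump; the floor keeps the alert
    tied to a multiple of normal volume, which is what an archive-and-exfil
    burst actually looks like."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return max(med + k * mad, floor_ratio * med)


def flag_exfil(egress, k=6.0, floor_ratio=3.0):
    """Return {host: (today_mb, threshold_mb)} for hosts whose latest day
    exceeds a baseline built only from that host's own prior days."""
    flagged = {}
    for host, series in egress.items():
        history, today = series[:-1], series[-1]
        threshold = robust_threshold(history, k, floor_ratio)
        if today > threshold:
            flagged[host] = (today, round(threshold, 1))
    return flagged


if __name__ == "__main__":
    for host, (today, threshold) in flag_exfil(SAMPLE_EGRESS).items():
        print(f"ALERT {host}: {today} MB out today vs baseline threshold {threshold} MB")
```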


Rapid response playbook (print-friendly)

  1. Contain: geofence/disable affected appliance; revoke/rotate creds; block outbound from that host.

  2. Preserve: snapshot VM; collect appliance logs, WAF, proxy, and any DB access records.

  3. Hunt: look for web-shell artifacts (LEMURLOOT/DEWMODE), new admin accounts, and archive & exfil patterns. (Source: CISA)

  4. Eradicate: patch to vendor-fixed versions; remove shells/users; rotate secrets tied to the platform. (Source: community.progress.com)

  5. Recover & notify: validate integrity, restore from clean backups if needed; coordinate breach notifications and regulator reporting as required. (Source: CISA)


Sources & further reading

  • FBI/CISA #StopRansomware — CL0P exploits MOVEit (LEMURLOOT); deep IOCs and ATT&CK mapping.

  • NVD — GoAnywhere MFT pre-auth RCE, CVE-2023-0669.

  • Mandiant/Google Cloud — MOVEit mass exploitation timeline & analysis.

  • SysAid / Kroll — CVE-2023-47246 vendor & analyst write-ups linking exploitation to Lace Tempest/Cl0p.

  • Greenbone / BankInfoSecurity — Cleo MFT wave (late 2024 → 2025): exploitation + leak-site pressure.

  • Ransomware.Live / Barracuda Blog — background, file extensions, and financial-scale context.



#CyberDudeBivash #Cl0p #TA505 #FIN11 #LaceTempest #MOVEit #GoAnywhere #SysAid #Cleo #DoubleExtortion #SupplyChain #MITREATTACK #DFIR #XDR #ThreatIntel
