Cl0p Ransomware Group: The Evolution from Encryption to Pure Data Theft
Cl0p has stolen data from more than 3,000 organisations across three major campaigns — Accellion FTA in 2020, GoAnywhere MFT in 2023, and MOVEit Transfer in 2023 — without deploying ransomware encryption in any of them. The group pioneered a model that has fundamentally changed the threat landscape: exploit file transfer vulnerabilities at scale, exfiltrate data in bulk, and extort victims with the threat of publication. Encryption is optional. Data theft is the weapon.
3,000+ organisations breached across three campaigns. Zero encryption deployed in any of them.
The Three Major Cl0p Campaigns
Cl0p's evolution can be traced through three campaigns, each targeting managed file transfer (MFT) platforms used by thousands of enterprises. Each campaign refined the model: identify a zero-day in widely deployed file transfer software, exploit it at mass scale before patches exist, exfiltrate data from hundreds of organisations simultaneously, then extort victims individually. The efficiency is remarkable — Cl0p built automated exploitation infrastructure that could compromise and extract data from hundreds of targets in days.
- December 2020 — Accellion FTA: Cl0p exploited four zero-day vulnerabilities in Accellion's legacy File Transfer Appliance. Victims included Bombardier, Qualys, Jones Day, and the Reserve Bank of New Zealand. Approximately 100 organisations affected.
- January 2023 — GoAnywhere MFT: CVE-2023-0669 allowed remote code execution on Fortra's GoAnywhere platform. Cl0p claimed 130+ victims including Hitachi Energy, Procter & Gamble, and Community Health Systems (1 million patient records).
- May 2023 — MOVEit Transfer: CVE-2023-34362 enabled mass exploitation of Progress Software's platform. 2,600+ organisations affected including BBC, British Airways, Shell, and the US Department of Energy. The largest single data theft event in history.
Why Cl0p Abandoned Encryption
Traditional ransomware encryption has three significant disadvantages that Cl0p recognised early. First, encryption triggers endpoint detection and response (EDR) tools: the file system activity is noisy and distinctive. Second, encryption only gives leverage when the victim has no viable backup restoration path, and increasingly victims do have one. Third, encryption demands are binary: the victim either pays for the key or doesn't. Data theft extortion is more flexible: Cl0p can threaten partial publication, set deadlines, negotiate publicly, and create cascading pressure through media coverage. The stolen data retains its extortion value indefinitely, whereas encryption leverage disappears the moment the victim restores from backup.
The File Transfer Attack Surface
Cl0p's consistent targeting of managed file transfer platforms reveals a systemic vulnerability in enterprise architecture. MFT platforms sit at the boundary between organisations, handling sensitive data transfers between business partners, regulators, and internal departments. They are internet-facing by design, process sensitive data by function, and are often managed by operations teams rather than security teams. Many organisations deployed these platforms years ago and have not subjected them to the same security scrutiny as their primary web applications. Cl0p identified this blind spot and exploited it repeatedly.
- MFT platforms are internet-facing by design — they must accept inbound connections
- They process the most sensitive data in the organisation — contracts, payroll, KYC, medical records
- Many deployments are legacy — running on appliances with infrequent patching cycles
- Security teams often lack visibility into MFT data flows and access patterns
- A single MFT vulnerability grants access to data from hundreds of connected organisations
Defending Against Cl0p-Style Data Theft
Defending against Cl0p requires accepting that perimeter security and endpoint detection are necessary but insufficient. When the vulnerability is in a trusted file transfer platform, the malicious activity looks identical to normal operations until data begins leaving for unauthorised destinations. BlackFog's anti-data exfiltration technology addresses this specific gap by monitoring all outbound data flows and blocking transfers to destinations that are not on an approved whitelist. Even when an attacker has exploited a zero-day in a file transfer platform, the bulk exfiltration of data to Cl0p's infrastructure would be blocked at the network layer. This transforms a mass data theft event into a contained exploitation incident with no data loss.
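The egress control described above, reduced to its core logic as an added example (this is not BlackFog's or Kyanite Blue's code): a default-deny check over an MFT host's outbound flow log. The allowlist, the log format, the byte threshold and all addresses are constructed for the example; documentation ranges stand in for partner and attacker infrastructure.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed allowlist: internal ranges plus one partner SFTP endpoint (documentation addresses).
APPROVED_EGRESS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.10/32")]
BULK_THRESHOLD_BYTES = 500 * 1024 * 1024   # alert when one unapproved destination exceeds 500 MiB

# Constructed flow log from an MFT host; 198.51.100.0/24 stands in for unknown external hosts.
SAMPLE_LOG = """\
2023-05-28T02:10:01Z src=10.1.1.5 dst=203.0.113.10 bytes_out=12000000
2023-05-28T02:11:40Z src=10.1.1.5 dst=10.0.2.20 bytes_out=3000000
2023-05-28T02:12:03Z src=10.1.1.5 dst=198.51.100.77 bytes_out=420000000
2023-05-28T02:13:09Z src=10.1.1.5 dst=198.51.100.77 bytes_out=610000000
2023-05-28T02:14:00Z src=10.1.1.5 dst=198.51.100.78 bytes_out=2000
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) bytes_out=(?P<n>\d+)$")

def parse_flows(text):
    """Parse 'ts src= dst= bytes_out=' lines; malformed lines are skipped rather than trusted."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            flows.append((m["ts"], m["src"], m["dst"], int(m["n"])))
    return flows

def is_approved(dst, approved=APPROVED_EGRESS):
    """True when the destination falls inside any approved network."""
    addr = ip_address(dst)
    return any(addr in net for net in approved)

def evaluate_flows(flows, approved=APPROVED_EGRESS, threshold=BULK_THRESHOLD_BYTES):
    """Default-deny egress: every flow to a non-approved destination is blocked regardless
    of size; per-destination totals above the threshold additionally raise a bulk alert,
    since a compromised MFT host sending large volumes to a new destination is the signal."""
    blocked, totals = [], defaultdict(int)
    for ts, src, dst, nbytes in flows:
        if is_approved(dst, approved):
            continue                                  # expected partner or internal traffic
        blocked.append({"ts": ts, "src": src, "dst": dst, "bytes": nbytes})
        totals[dst] += nbytes
    alerts = [{"dst": d, "bytes": b} for d, b in totals.items() if b > threshold]
    return blocked, alerts

if __name__ == "__main__":
    blocked, alerts = evaluate_flows(parse_flows(SAMPLE_LOG))
    print(f"blocked {len(blocked)} flows; bulk alerts: {alerts}")
```

Note that the two approved transfers pass untouched, so the control does not depend on recognising the exploit; it only depends on the allowlist being accurate and maintained.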
Frequently Asked Questions
Is Cl0p still active?
Yes. Despite law enforcement operations targeting their infrastructure, Cl0p continues to operate. The group has demonstrated the ability to identify and stockpile zero-day vulnerabilities in file transfer platforms, suggesting future campaigns targeting similar software are likely.
Why does Cl0p target file transfer platforms specifically?
File transfer platforms are ideal targets because they are internet-facing, process the most sensitive organisational data, serve hundreds of connected organisations through a single vulnerability, and are often less rigorously maintained than primary web applications.
How do you defend against a zero-day attack like MOVEit?
You cannot patch a zero-day before it is known. The defence must operate at the data layer: anti-data exfiltration technology like BlackFog blocks unauthorised outbound data transfers regardless of how the attacker gained access. This is the only control that works against unknown vulnerabilities.
Defend against data theft campaigns with anti-data exfiltration
Kyanite Blue is an authorised BlackFog partner. We deploy, manage, and support ADX for organisations across every sector.
Ready to stop data exfiltration?
Start with a free 30-day BlackFog assessment — 25 devices, no obligation.