Clop Ransomware group claims the hack of Harvard University

Clop (aka Cl0p) is a prolific Russian-speaking ransomware-as-a-service group specializing in big-game hunting and double-extortion.

The Clop ransomware group first appeared on the threat landscape around February 2019, emerging from the TA505 cybercrime group, a financially motivated gang active since at least 2014.

Like other Russia-based threat actors, Clop avoids targets in former Soviet countries and its malware can’t be activated on a computer that operates primarily in Russian.

Operators and affiliates identify high-value targets, steal sensitive data, encrypt networks, then publish stolen files on data-leak sites to pressure victims into paying. Clop exploits zero-days and vulnerable third-party software (e.g., MOVEit, GoAnywhere, Oracle EBS), leverages initial-access brokers and automation, and uses sophisticated evasion and lateral-movement techniques to maximize impact and monetization.

Clop’s victims include Shell, British Airways, Bombardier, University of Colorado, PwC, and the BBC.

The group conducted major campaigns including:

• MOVEit Transfer (2023): One of the largest ransomware campaigns in history, impacting hundreds of companies worldwide, including US and European firms, through an SQL injection zero-day (CVE-2023-34362).
• Accellion FTA (2020–2021): Exploited a zero-day in the file-transfer appliance to steal data from ~100 organizations.
• GoAnywhere MFT (2023): Targeted a flaw (CVE-2023-0669) to compromise over 130 organizations.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Harward)