Cybercrime high Eastern Europe (likely Russia/Ukraine)

Cl0p

Russian-speaking cybercrime group · Financial — ransomware and extortion

Reports 1

Active Since 2019

Last Reported 29 Apr 2026

Sectors Targeted transport

Tactics, Techniques & Procedures (TTPs)

Mass exploitation of file transfer vulnerabilities (MOVEit, GoAnywhere, Accellion)
Data exfiltration and double-extortion
Supply chain targeting via MFT software
Minimal dwell time — fast exfil before encryption
Public shaming via leak site

Known Targets

Global financial servicesHealthcare and pharmaGovernment agenciesTransport and logisticsUniversities and research

Analyst Notes

Specialises in zero-day exploitation of managed file transfer (MFT) software, compromising hundreds of organisations simultaneously. Believed to be affiliated with or emerged from TA505.

Also Known As

TA505FIN11 (partial overlap)DEV-0950

Intelligence Reports

Briefing transport

Cl0p Exploiting File Transfer Vulnerabilities Across Transport and Logistics Sector

The Cl0p ransomware group is mass-exploiting a newly disclosed vulnerability in a widely used managed file transfer platform. Several European freight and logistics operators have been impacted, with customs and supply chain data exfiltrated.

29 Apr 2026 · 3 min read