In an era marked by an increase in digital threats, it’s vital to understand how sophisticated cybercriminal syndicates like “Clop” can impact the financial sector.


Recognized as the architects behind the recent MOVEit data-theft assaults, Clop has drawn significant attention, underlining its continuous menace to enterprises globally.

Clop is identified within the industry for its associations with entities such as “Lace Tempest,” “TA505,” and “FIN11.” These groups employ advanced ransomware strategies, utilizing malicious software that holds systems hostage until a demanded ransom is met, inflicting severe disruption and financial loss.

The group’s latest strike leveraged a previously unknown vulnerability, termed a “zero-day vulnerability,” within MOVEit Transfer servers, triggering extensive data breaches in hundreds of global companies. The group exploited the holiday season, capitalizing on decreased staff presence to operate undetected.

If a company refuses the ransom demand, Clop retaliates by publishing the stolen confidential information on its data leak site. It seems the syndicate is pausing its extortion efforts temporarily, scouring the pilfered data for particularly valuable pieces that could potentially command higher ransoms.

Shifting tactics

Traditionally rooted in ransomware campaigns, Clop appears to be transitioning toward data-theft extortion, a tactic involving the theft of sensitive data and subsequent threats of public exposure unless a ransom is paid.

Prominent victims of the MOVEit data theft are already emerging. Zellis, a U.K. payroll and human resources solutions provider, acknowledged a data breach stemming from Clop’s activities that impacted many of its clients. Other impacted businesses include Aer Lingus and British Airways, both of which confirmed they were affected by the Zellis breach.

Clop’s recent operations exploited vulnerabilities in MOVEit’s managed file transfer solutions that the group could have been eyeing since 2021, according to analysis from Kroll, which raises substantial concerns for all businesses. Over the past three years, Clop has gained notoriety for executing high-profile attacks on global enterprises across various sectors. By deploying intricate extortion techniques, the group accumulated an estimated total of $500 million in illegal proceeds by November 2021.

Even after the arrest of six group members in June 2021 by a global coalition, Clop’s criminal operations show no signs of stopping. Thus, a proactive cybersecurity posture is an absolute necessity for businesses worldwide.

Prevention strategies

So, how can financial sector businesses fortify themselves against such threats?

  • Asset management: Understand your company’s assets and data, identifying both authorized and unauthorized devices and software.
  • Constant monitoring: Maintain active surveillance of network ports, protocols, and services and enforce robust security configurations on your network infrastructure devices.
  • Configurations: Exercise stringent control over hardware and software configurations and restrict admin privileges to essential personnel only.
  • Vulnerability management: Conduct regular vulnerability assessments and stay abreast of the latest patches and updates for your systems.
  • Data protection: Implement strong data protection measures, including secure backup and recovery procedures. Enable multi-factor authentication for an added layer of security.
  • Automation: Leverage advanced technologies such as artificial intelligence and machine learning for early detection of attacks and use sandbox analysis to filter malicious emails. Always keep security solutions updated.
  • Training: Regularly educate your employees on security protocols. Perform red-team exercises and penetration tests to expose potential weaknesses.

In a nutshell, the threat posed by the Clop group and similar cybercriminals is real and persistent. But by staying informed, keeping abreast of the latest cybersecurity strategies, and implementing robust security measures, businesses can substantially mitigate the risk of these cyberattacks.

Paul Dwyer is chief executive officer of Cyber Risk International.

The International Compliance Association is a sister company to Compliance Week. Both organizations are under the umbrella of Wilmington plc.

Editor’s note: This story was updated June 28 to include reference and a link to analysis from Kroll regarding Clop’s activity affecting MOVEit.