TTPwire Vol. 1 · MITRE ATT&CK · Tagged

GuidePoint Security

The Economics of Clop’s Zero-Day Campaigns: Why Mass Exploitation Isn’t Paying Off

Justin Timothy · 2026-03-04

ATT&CK techniques detected

11 predictions
T1190 Exploit Public-Facing Application
99%
"over 350 organizations were named on clop’s data leak site throughout the year. clop again exploited the unrestricted file upload and download zero-day vulnerability cve-2024-50623, gaining “write” privileges on cleo appliances before executing powershell commands to em…"
T1190 Exploit Public-Facing Application
98%
"access to mfta environments via a zero-day vulnerability. this time, the group was able to achieve remote code execution (rce) via exploitation of the command injection vulnerability cve-2023-0669. despite claiming to have impacted more than 130 victims on their dark web …"
T1486 Data Encrypted for Impact
98%
"vulnerability brokers at premium prices or investing in the specialized expertise required for in-house development. the encryption advantage: comparing clop to akira we recently analyzed ransom payments for the two most active groups of 2025, qilin and akira, in our annual gr…"
T1657 Financial Theft
96%
"dark web chat site operated by the threat actor. based on our interactions with the group following this campaign, clop exfiltrated substantial amounts of data — in one instance claiming multiple terabytes. the ransom demands matched the high volumes of data. some initial extorti…"
T1190 Exploit Public-Facing Application
90%
"their campaigns leading to a score of victim claims on their data leak site. while clop can point to impressive victim counts and data volumes, their extortion-only approach inflicts less operational harm than ransomware variants that encrypt systems and force business shutdown…"
T1486 Data Encrypted for Impact
85%
"-terabyte datasets from hundreds of organizations verifying data integrity and relevance for each victim negotiating with dozens of potential targets sustaining infrastructure capable of hosting and seeding terabytes of stolen data via torrents. most ransomware victims — clop’…"
T1486 Data Encrypted for Impact
83%
"payment. because of these factors, in most circumstances, paying solely for data suppression may not be advisable in ransomware attacks – clop’s or otherwise. looking ahead clop may continue their current approach of exploiting zero-days at scale for limited returns. the data…"
T1486 Data Encrypted for Impact
68%
"their campaigns leading to a score of victim claims on their data leak site. while clop can point to impressive victim counts and data volumes, their extortion-only approach inflicts less operational harm than ransomware variants that encrypt systems and force business shutdown…"
T1486 Data Encrypted for Impact
63%
"the economics of clop’s zero-day campaigns: why mass exploitation isn’t paying off march 4, 2026 what is this about? clop, also known as “cl0p”, is a data extortion group that has operated since 2019. it has long been something of an outlier among its peers. although the…"
T1486 Data Encrypted for Impact
60%
"##ware group with encryption capabilities. their pivot to data-theft-only operations, although having enabled rapid, large-scale exploitation, has resulted in significantly diminished financial returns compared to groups that maintain encryption-based leverage. although w…"
T1657 Financial Theft
39%
"##ware group with encryption capabilities. their pivot to data-theft-only operations, although having enabled rapid, large-scale exploitation, has resulted in significantly diminished financial returns compared to groups that maintain encryption-based leverage. although w…"

Summary

2025 shattered many cyber attack and threat records. Get the details in the 2026 GRIT Ransomware and Cyber Threat Report.