S1040 Rclone
Rclone is a command line program for syncing files with cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA. Rclone has been used in a number of ransomware campaigns, including those associated with the Conti and DarkSide Ransomware-as-a-Service operations.[4][3][1][5][2]
| Item | Value |
|---|---|
| ID | S1040 |
| Associated Names | |
| Type | TOOL |
| Version | 1.2 |
| Created | 30 August 2022 |
| Last Modified | 14 October 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.001 | Archive via Utility | Rclone can compress files using gzip prior to exfiltration.[4] |
| enterprise | T1030 | Data Transfer Size Limits | The Rclone "chunker" overlay supports splitting large files into smaller chunks during upload to circumvent size limits.[4][2] |
| enterprise | T1048 | Exfiltration Over Alternative Protocol | - |
| enterprise | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Rclone can exfiltrate data over SFTP or HTTPS via WebDAV.[4] |
| enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Rclone can exfiltrate data over FTP or HTTP, including HTTP via WebDAV.[4] |
| enterprise | T1567 | Exfiltration Over Web Service | - |
| enterprise | T1567.002 | Exfiltration to Cloud Storage | Rclone can exfiltrate data to cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA.[4][2] |
| enterprise | T1083 | File and Directory Discovery | Rclone can list files and directories with the ls, lsd, and lsl commands.[4] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1015 | Scattered Spider | [6] |
| G1051 | Medusa Group | Medusa Group has leveraged Rclone to exfiltrate data from victim environments.[7][8] |
| G1053 | Storm-0501 | Storm-0501 has utilized Rclone for data exfiltration.[9] |
| G1032 | INC Ransom | [10] |
| G1003 | Ember Bear | Ember Bear has used Rclone to exfiltrate information from victim environments.[11] |
| G1024 | Akira | [12] |
| G1021 | Cinnamon Tempest | [13] |
References
1. Aaron Greetham. (2021, May 27). Detecting Rclone – An Effective Tool for Exfiltration. Retrieved August 30, 2022.
2. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
3. Justin Schoenfeld and Aaron Didier. (2021, May 4). Rclone Wars: Transferring leverage in a ransomware attack. Retrieved August 30, 2022.
4. Nick Craig-Wood. (n.d.). Rclone syncs your files to cloud storage. Retrieved August 30, 2022.
5. Ramarcus Baylor. (2021, May 12). DarkSide Ransomware Gang: An Overview. Retrieved August 30, 2022.
6. Mandiant Incident Response. (2025, May 6). Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines. Retrieved October 13, 2025.
7. Cybersecurity and Infrastructure Security Agency. (2025, March 12). AA25-071A #StopRansomware: Medusa Ransomware. Retrieved October 15, 2025.
8. Threat Hunter Team Symantec and Carbon Black. (2025, March 6). Medusa Ransomware Activity Continues to Increase. Retrieved October 15, 2025.
9. Microsoft Threat Intelligence. (2024, September 26). Storm-0501: Ransomware attacks expanding to hybrid cloud environments. Retrieved October 19, 2025.
10. Carvey, H. (2024, May 1). LOLBin to INC Ransomware. Retrieved June 5, 2024.
11. US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
12. Steven Campbell, Akshay Suthar, & Connor Belfiorre. (2023, July 26). Conti and Akira: Chained Together. Retrieved February 20, 2024.
13. Biderman, O. et al. (2022, October 3). REVEALING EMPEROR DRAGONFLY: NIGHT SKY AND CHEERSCRYPT - A SINGLE RANSOMWARE GROUP. Retrieved December 6, 2023.