Accenture Global Cyber Response team will review findings of cases where the cl0p ransomware group stole data from several organizations using vulnerabilities in Managed File Transfer (MFT) services. The presentation will focus on the MOVEit MFT related SQLi vulnerability, which was disclosed in May 2023. Before public disclosure, cl0p was already actively exploiting the vulnerability. By exploiting the vulnerability, cl0p gained access to the MFT application and exfiltrated all data stored in the application. This presentation presents the activities of the ransomware group, a timeline from reconnaissance to exfiltration, and an analysis of the backdoor used by the attacker. Global Cyber Response team will use investigation notes from real incident response investigations and make recommendations for organizations using MFT applications to minimize the risk in the future.