1. Home
  2. Software
  3. Rclone

Rclone

Rclone is a command line program for syncing files with cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA. Rclone has been used in a number of ransomware campaigns, including those associated with the Conti and DarkSide Ransomware-as-a-Service operations.[1][2][3][4][5]

ID: S1040
Type: TOOL
Platforms: Linux, Windows, macOS
Contributors: Edward Millington; Ian McKay
Version: 1.2
Created: 30 August 2022
Last Modified: 14 October 2025
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Rclone can compress files using gzip prior to exfiltration.[1]
Enterprise T1030 Data Transfer Size Limits

The Rclone "chunker" overlay supports splitting large files in smaller chunks during upload to circumvent size limits.[1][5]
Enterprise T1048 .002 Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Rclone can exfiltrate data over SFTP or HTTPS via WebDAV.[1]
.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

Rclone can exfiltrate data over FTP or HTTP, including HTTP via WebDAV.[1]
Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Rclone can exfiltrate data to cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA.[1][5]
Enterprise T1083 File and Directory Discovery

Rclone can list files and directories with the ls, lsd, and lsl commands.[1]

Groups That Use This Software

ID Name References
G1015 Scattered Spider

[6]

G1051 Medusa Group

Medusa Group has leveraged Rclone to exfiltrate data from victim environments.[7][8]
G1053 Storm-0501

Storm-0501 has utilized Rclone for data exfiltration.[9]
G1032 INC Ransom

[10]
G1003 Ember Bear

Ember Bear has used Rclone to exfiltrate information from victim environments.[11]
G1024 Akira

[12]
G1021 Cinnamon Tempest

[13]

Campaigns

ID Name Description
C0015 C0015

[5]

References

  1. Nick Craig-Wood. (n.d.). Rclone syncs your files to cloud storage. Retrieved August 30, 2022.
  2. Justin Schoenfeld and Aaron Didier. (2021, May 4). Rclone Wars: Transferring leverage in a ransomware attack. Retrieved August 30, 2022.
  3. Aaron Greetham. (2021, May 27). Detecting Rclone – An Effective Tool for Exfiltration. Retrieved August 30, 2022.
  4. Ramarcus Baylor. (2021, May 12). DarkSide Ransomware Gang: An Overview. Retrieved August 30, 2022.
  5. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
  6. Mandiant Incident Response. (2025, May 6). Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines. Retrieved October 13, 2025.
  7. Cybersecurity and Infrastructure Security Agency. (2025, March 12). AA25-071A #StopRansomware: Medusa Ransomware. Retrieved October 15, 2025.
  1. Threat Hunter Team Symantec and Carbon Black. (2025, March 6). Medusa Ransomware Activity Continues to Increase. Retrieved October 15, 2025.
  2. Microsoft Threat Intelligence. (2024, September 26). Storm-0501: Ransomware attacks expanding to hybrid cloud environments. Retrieved October 19, 2025.
  3. Carvey, H. (2024, May 1). LOLBin to INC Ransomware. Retrieved June 5, 2024.
  4. US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
  5. Steven Campbell, Akshay Suthar, & Connor Belfiorre. (2023, July 26). Conti and Akira: Chained Together. Retrieved February 20, 2024.
  6. Biderman, O. et al. (2022, October 3). REVEALING EMPEROR DRAGONFLY: NIGHT SKY AND CHEERSCRYPT - A SINGLE RANSOMWARE GROUP. Retrieved December 6, 2023.