Ransomware Group intelligence

Cl0p

Active

Track Cl0p with 1261 published victims, 3 known leak locations, 7 exploited vulnerabilities, and 31 mapped TTPs in a single intelligence view.

Clop Cl0p ransomware Cl0p ransomware group
Victims 1261 Known published victims in this dataset
First discovered 2020-03-13 Earliest victim discovery date
Last discovered 2026-05-01 Latest victim discovery date
Inactive since 78 days Days since the latest known victim
Top country United States 432 victims
Known locations 3 Leak or negotiation infrastructure tracked
Tracked sectors 5 Sector intelligence currently available

Overview

The ransomware group known as Cl0p is a variant of the previously tracked CryptoMix strain. Early Cl0p activity was linked to financially motivated operations attributed to TA505, including phishing campaigns observed in 2019.

Those campaigns commonly relied on macro-enabled documents that deployed the Get2 loader. Once initial access was established, operators moved into reconnaissance, lateral movement, and data exfiltration before deploying ransomware across the victim environment.

After execution, Cl0p variants have been observed appending extensions such as .clop, .CIIp, .Cllp, and .C_L_O_P. Associated ransom notes have included filenames like ClopReadMe.txt, README_README.txt, Cl0pReadMe.txt, and READ_ME_!!!.TXT.

The operation later shifted from phishing-led delivery to intrusion campaigns centered on exploiting vulnerabilities in internet-facing enterprise software and managed file transfer products.

Top Countries

Interactive distribution based on the currently visible victims list.

Top Countries
Distribution

    Known Leak Locations (3)

    Label Type Availability Links
    Leak location 1 Onion service Unknown ekbgzchl6x2ias37.onion
    Leak location 2 Onion service Unknown santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion
    Leak location 3 Onion service Unknown toznnag5o3ambca56s2yacteu7q7x2avrfherzmz4nmujrjuib4iusad.onion

    Top Activity Sectors (5)

    1. Technology146
    2. Transportation/Logistics68
    3. Consumer Services65
    4. Manufacturing64
    5. Business Services34

    Ransom Notes (4)

    AAA_READ_AAA.TXT Details_Cleo.txt clop1.txt clop2.txt

    YARA Rules (1)

    clop.yar

    Research Sources

    Vulnerabilities Exploited (7)

    This information is provided by the curated intelligence profile for this group.

    Vendor Product CVE Source
    Accellion File Transfer Appliance CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104 mandiant.com
    Cleo VLTrader, Harmony, LexiCom CVE-2024-55956 huntress.com
    Fortra GoAnywhere Managed File Transfer CVE-2023-0669 censys.io
    Oracle E-Business Suite CVE-2025-61882 crowdstrike.com
    Progress Software MOVEit CVE-2023-34362 cisa.gov
    PaperCut Application Server CVE-2023-27350, CVE-2023-27351 twitter.com/MsftSecIntel
    SolarWinds Serv-U FTP CVE-2021-35211 research.nccgroup.com

    TTPs Matrix (11)

    Mapped ATT&CK-style behaviors associated with this group.

    Initial Access

    Phishing: Spear-phishing attachment Exploit public-facing application Valid accounts

    Execution

    Native API Command and scripting interpreter User execution

    Persistence

    Boot or logon autostart execution Create or modify system process: Windows service

    Privilege Escalation

    Domain Policy modification: Group Policy modification Exploitation for privilege escalation Hijack execution flow

    Defense Evasion

    Masquerading: invalid code signature Impair defenses: disable or modify tools Deobfuscate/decode files or information Indicator removal on host: file deletion Process injection: DLL injection Indirect command execution Indicator removal on host: clear Windows event logs

    Discovery

    File and directory discovery Remote system discovery Process discovery System information discovery Query registry Security software discovery

    Lateral Movement

    Lateral tool transfer Remote services: SMB/Windows admin shares

    Collection

    Data from local system

    Command and Control

    Application Layer Protocol

    Exfiltration

    Exfiltration over web service

    Impact

    Data encrypted for impact Inhibit system recovery

    Victims (1261)

    Search, filter and paginate the victim timeline for Cl0p. Showing 1201–1261 of 1261.

    Type Target Discovered Country Business Category Intel Link
    Ransomware KSSARCHITECTS.COM id5013 View details Other
    Ransomware NFT.CO.UK id5012 View details United Kingdom Other
    Ransomware UTILITYTRAILER.COM id5011 View details Energy
    Ransomware AUROBINDO.COM id5010 View details Healthcare / Pharma
    Ransomware FOODLAND.COM id5009 View details Agriculture / Food
    Ransomware NIPRO.COM id5008 View details Japan Communication / Marketing
    Ransomware PNCPA.COM id5007 View details Other
    Ransomware SHELL.COM id5006 View details Other
    Ransomware STANFORD.EDU id5005 View details United States Education
    Ransomware MIAMI.EDU id5004 View details United States Education
    Ransomware COLORADO.EDU id5003 View details United States Education
    Ransomware FLAGSTAR.COM id5002 View details Other
    Ransomware BOMBARDIER.COM id5001 View details Hospitality / Food & Beverage / Tourism
    Ransomware JONESDAY.COM id5000 View details Other
    Ransomware DANAHER.COM id4999 View details Other
    Ransomware SINGTEL.COM id4998 View details Telecommunications
    Ransomware SYMRISE.COM id4997 View details Agriculture / Food
    Ransomware ELANDRETAIL.COM id4996 View details Retail / E-commerce
    Ransomware PARKLAND.CA id4995 View details Canada Other
    Ransomware SOFTWAREAG.COM id4994 View details IT
    Ransomware INDIABULLS.COM id4993 View details India Finance / Legal / Insurance
    Ransomware EXECUPHARM.COM id4992 View details Other
    Ransomware SGS-LAW.COM id4991 View details Finance / Legal / Insurance
    Ransomware RFF.ORG id4990 View details Healthcare / Pharma
    Ransomware BOUTINEXPRESS.COM id4989 View details Communication / Marketing
    Ransomware SIUMED.EDU id4988 View details United States Healthcare / Pharma
    Ransomware TRAVELSTORE.COM id4987 View details Transportation / Travel
    Ransomware DURHAM.CA id4986 View details Canada Other
    Ransomware UNIVERSITYOFCALIFORNIA.EDU id4985 View details United States Education
    Ransomware UMD.EDU id4984 View details United States Education
    Ransomware YU.EDU id4983 View details United States Education
    Ransomware MARNELLCOMPANIES.COM id4982 View details Construction / Real Estate
    Ransomware RACETRAC.COM id4981 View details Other
    Ransomware EDAG.COM id4980 View details Manufacturing / Engineering
    Ransomware WRIGHT.COM id4979 View details Healthcare / Pharma
    Ransomware QUALYS.COM id4978 View details Other
    Ransomware MMOSER.COM id4977 View details Other
    Ransomware KINZE.COM id4976 View details Other
    Ransomware NOWFOODS.COM id4975 View details Agriculture / Food
    Ransomware CSX.COM id4974 View details Services
    Ransomware CSAGROUP.ORG id4973 View details Services
    Ransomware TRANSPORT.NSW.GOV.AU id4972 View details Australia Transportation / Travel / Logistics
    Ransomware CGG.COM id4971 View details IT
    Ransomware STERIS.COM id4970 View details Other
    Ransomware PENTAIR.COM id4969 View details Other
    Ransomware FUGRO.COM id4968 View details Services
    Ransomware EAGLE.ORG id4967 View details Transportation / Travel / Logistics
    Ransomware THE7STARS.CO.UK id4966 View details United Kingdom Other
    Ransomware AMEY.CO.UK id4965 View details United Kingdom Communication / Marketing
    Ransomware NOVABIOMEDICAL.COM id4964 View details Healthcare / Pharma
    Ransomware ALLSTATEPETERBILT.COM id4963 View details Public Sector
    Ransomware PRETTL.COM id4962 View details Communication / Marketing
    Ransomware NETZSCH.COM id4961 View details Other
    Ransomware PROMINENT.COM id4960 View details Communication / Marketing
    Ransomware PLANATOL.DE id4959 View details Germany Other
    Ransomware TWL.DE id4958 View details Germany Communication / Marketing
    Ransomware INRIX.COM id4957 View details Transportation / Travel / Logistics
    Ransomware Symrise AG id547 View details Germany Other
    Ransomware E-Land Retailer id527 View details Retail / E-commerce
    Ransomware Software AG id492 View details Germany IT
    Ransomware ExecuPharm id340 View details United States Other