Ransomware Group intelligence

Cl0p

Active

Track Cl0p with 1261 published victims, 3 known leak locations, 7 exploited vulnerabilities, and 31 mapped TTPs in a single intelligence view.

Clop Cl0p ransomware Cl0p ransomware group
Victims 1261 Known published victims in this dataset
First discovered 2020-03-13 Earliest victim discovery date
Last discovered 2026-05-01 Latest victim discovery date
Inactive since 78 days Days since the latest known victim
Top country United States 432 victims
Known locations 3 Leak or negotiation infrastructure tracked
Tracked sectors 5 Sector intelligence currently available

Overview

The ransomware group known as Cl0p is a variant of the previously tracked CryptoMix strain. Early Cl0p activity was linked to financially motivated operations attributed to TA505, including phishing campaigns observed in 2019.

Those campaigns commonly relied on macro-enabled documents that deployed the Get2 loader. Once initial access was established, operators moved into reconnaissance, lateral movement, and data exfiltration before deploying ransomware across the victim environment.

After execution, Cl0p variants have been observed appending extensions such as .clop, .CIIp, .Cllp, and .C_L_O_P. Associated ransom notes have included filenames like ClopReadMe.txt, README_README.txt, Cl0pReadMe.txt, and READ_ME_!!!.TXT.

The operation later shifted from phishing-led delivery to intrusion campaigns centered on exploiting vulnerabilities in internet-facing enterprise software and managed file transfer products.

Top Countries

Interactive distribution based on the currently visible victims list.

Top Countries
Distribution

    Known Leak Locations (3)

    Label Type Availability Links
    Leak location 1 Onion service Unknown ekbgzchl6x2ias37.onion
    Leak location 2 Onion service Unknown santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion
    Leak location 3 Onion service Unknown toznnag5o3ambca56s2yacteu7q7x2avrfherzmz4nmujrjuib4iusad.onion

    Top Activity Sectors (5)

    1. Technology146
    2. Transportation/Logistics68
    3. Consumer Services65
    4. Manufacturing64
    5. Business Services34

    Ransom Notes (4)

    AAA_READ_AAA.TXT Details_Cleo.txt clop1.txt clop2.txt

    YARA Rules (1)

    clop.yar

    Research Sources

    Vulnerabilities Exploited (7)

    This information is provided by the curated intelligence profile for this group.

    Vendor Product CVE Source
    Accellion File Transfer Appliance CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104 mandiant.com
    Cleo VLTrader, Harmony, LexiCom CVE-2024-55956 huntress.com
    Fortra GoAnywhere Managed File Transfer CVE-2023-0669 censys.io
    Oracle E-Business Suite CVE-2025-61882 crowdstrike.com
    Progress Software MOVEit CVE-2023-34362 cisa.gov
    PaperCut Application Server CVE-2023-27350, CVE-2023-27351 twitter.com/MsftSecIntel
    SolarWinds Serv-U FTP CVE-2021-35211 research.nccgroup.com

    TTPs Matrix (11)

    Mapped ATT&CK-style behaviors associated with this group.

    Initial Access

    Phishing: Spear-phishing attachment Exploit public-facing application Valid accounts

    Execution

    Native API Command and scripting interpreter User execution

    Persistence

    Boot or logon autostart execution Create or modify system process: Windows service

    Privilege Escalation

    Domain Policy modification: Group Policy modification Exploitation for privilege escalation Hijack execution flow

    Defense Evasion

    Masquerading: invalid code signature Impair defenses: disable or modify tools Deobfuscate/decode files or information Indicator removal on host: file deletion Process injection: DLL injection Indirect command execution Indicator removal on host: clear Windows event logs

    Discovery

    File and directory discovery Remote system discovery Process discovery System information discovery Query registry Security software discovery

    Lateral Movement

    Lateral tool transfer Remote services: SMB/Windows admin shares

    Collection

    Data from local system

    Command and Control

    Application Layer Protocol

    Exfiltration

    Exfiltration over web service

    Impact

    Data encrypted for impact Inhibit system recovery

    Victims (1261)

    Search, filter and paginate the victim timeline for Cl0p. Showing 101–200 of 1261.

    Type Target Discovered Country Business Category Intel Link
    Ransomware WILDRIDGELANDSCAPE.COM id25790 View details United States Services
    Ransomware MODTECH.CA id25789 View details Canada IT
    Ransomware INSPYRSOLUTIONS.COM id25788 View details United States Services
    Ransomware CLEARWAYGROUP.COM id25787 View details Hong Kong Services
    Ransomware EXCELAS1.COM id25786 View details United States Healthcare / Pharma
    Ransomware ECA-USA.COM id25785 View details United States Other
    Ransomware WARRANTYFIRST.CO.UK id25784 View details United Kingdom Communication / Marketing
    Ransomware TOMLLAWYERS.COM id25783 View details Germany Finance / Legal / Insurance
    Ransomware INTEGROY.COM id25782 View details Other
    Ransomware ITROBOTICS.COM id25781 View details United States Other
    Ransomware MONTALBAARCHITECTS.COM id25780 View details United States Communication / Marketing
    Ransomware EASTPLATS.COM id25779 View details Canada Manufacturing / Engineering
    Ransomware AERIFY.IO id25778 View details United States IT
    Ransomware BAQUS.CO.UK id25777 View details United Kingdom Other
    Ransomware SMITHDALIA.COM id25776 View details United States Other
    Ransomware ELKAIR.COM id25775 View details Egypt Other
    Ransomware KOROLFINANCIAL.COM id25774 View details Finance / Legal / Insurance
    Ransomware TRUSTPAYMENTS.COM id25773 View details United Kingdom Services
    Ransomware BRINKS.CO.NZ id25772 View details New Zealand Communication / Marketing
    Ransomware MCMATHLAW.COM id25771 View details United States Finance / Legal / Insurance
    Ransomware WORKFORCESOFTWARE.COM id25770 View details United States IT
    Ransomware KCDWORLDWIDE.COM id25769 View details United States Communication / Marketing
    Ransomware ONYXEQUITIES.COM id25768 View details United States Construction / Real Estate
    Ransomware BUREAUX.FR id25767 View details France Services
    Ransomware INTEGRITEK.NET id25766 View details United States Services
    Ransomware CENTAURPRODUCTS.COM id25765 View details Canada Communication / Marketing
    Ransomware MUTTI-PARMA.COM id25386 View details Italy Communication / Marketing
    Ransomware CPJ.ORG id25385 View details United States Communication / Marketing
    Ransomware BORING.COM id25384 View details United States Other
    Ransomware KOEL.CO.IN id24892 View details India Agriculture / Food
    Ransomware HCMSPARTNERS.COM id24117 View details United States Other
    Ransomware DMC-ME.COM id24116 View details United Arab Emirates Other
    Ransomware MSG.COM id24115 View details Communication / Marketing
    Ransomware INTELLINUM.COM id24114 View details United States IT
    Ransomware KNEXTECH.COM id24113 View details United States IT
    Ransomware ANYWHERE.RE id24112 View details Réunion Construction / Real Estate
    Ransomware GOLDSTARPENS.COM id24111 View details United States IT
    Ransomware NEWLINECLOUD.COM id24110 View details United States IT
    Ransomware NAMA.OM id24109 View details Oman Other
    Ransomware NORTHEASTERNCORP.COM id24108 View details Services
    Ransomware AQM.COM.SA id24107 View details Saudi Arabia Other
    Ransomware MACYS.COM id24106 View details United States Retail / E-commerce
    Ransomware HYPERTHERM.COM id24105 View details United States Construction / Real Estate
    Ransomware KOREANAIRCND.COM id24104 View details Korea, Republic of Other
    Ransomware INTEROIL.COM.CO id24103 View details Colombia Energy
    Ransomware INVENTIVE-IT.COM id24102 View details United Kingdom Other
    Ransomware MAFAS.COM id24101 View details Other
    Ransomware VIPAPPSCONSULTING.COM id24100 View details Services
    Ransomware ZAIN.COM id24099 View details Kuwait Telecommunications
    Ransomware ACRONI.SI id24098 View details Slovenia Manufacturing / Engineering
    Ransomware EIGHTEENPK.COM id24097 View details Pakistan Other
    Ransomware IBIZSOFTINC.COM id24096 View details United States Communication / Marketing
    Ransomware LEGACYCLASSIC.COM id24095 View details United States Communication / Marketing
    Ransomware AOSOM.COM id24094 View details United States Communication / Marketing
    Ransomware INCENTIVECONCEPTS.COM id24093 View details United States Retail / E-commerce
    Ransomware ALASEEL.COM.SA id24092 View details Saudi Arabia Other
    Ransomware GREENBALL.COM id24083 View details United States Communication / Marketing
    Ransomware SUMITOMOCHEMICAL.COM id24082 View details Japan Manufacturing / Engineering
    Ransomware MICHELIN.COM id24081 View details France Manufacturing / Engineering
    Ransomware WELLBIZBRANDS.COM id24080 View details United States Education
    Ransomware DOONEY.COM id24079 View details United States Retail / E-commerce
    Ransomware BROADCOM.COM id24078 View details United States Communication / Marketing
    Ransomware ENVOY.COM id24077 View details United States IT
    Ransomware A10NETWORKS.COM id24076 View details United States Telecommunications
    Ransomware RIDERTA.COM id24075 View details United States Public Sector
    Ransomware TREETGROUP.COM id24074 View details Pakistan Construction / Real Estate
    Ransomware PHOENIX.EDU id24073 View details United States Education
    Ransomware LLPRODUCTS.COM id24072 View details United States Communication / Marketing
    Ransomware WORLEY.COM id24071 View details Australia Communication / Marketing
    Ransomware MAZDAUSA.COM id24070 View details United States Retail / E-commerce
    Ransomware FLEETSHIP.COM id24069 View details India Services
    Ransomware ALSHAYA.COM id24068 View details Kuwait Healthcare / Pharma
    Ransomware ELCOMPANIES.COM id24067 View details United States Retail / E-commerce
    Ransomware BECHTEL.COM id24066 View details United States Communication / Marketing
    Ransomware GRUPOBIMBO.COM id24065 View details Mexico Communication / Marketing
    Ransomware TRANETECHNOLOGIES.COM id24064 View details United States IT
    Ransomware CANON.COM id24063 View details Japan Communication / Marketing
    Ransomware MASHOLDINGS.COM id24062 View details Sri Lanka Transportation / Travel / Logistics
    Ransomware MAZDA.COM id24061 View details Japan Communication / Marketing
    Ransomware ABBOTT.COM id24060 View details United States Healthcare / Pharma
    Ransomware HUMANA.COM id24059 View details United States Healthcare / Pharma
    Ransomware FRONTROL.COM id24058 View details Poland Communication / Marketing
    Ransomware FRUIT.COM id24057 View details Transportation / Travel / Logistics
    Ransomware ALJOMAIHAUTO.COM id24056 View details Saudi Arabia Retail / E-commerce
    Ransomware AVAILINFRA.COM id24055 View details Other
    Ransomware GARLANDISDSCHOOLS.NET id24054 View details United States Education
    Ransomware BELFUSE.COM id24053 View details United States Communication / Marketing
    Ransomware RFSUNY.ORG id24052 View details United States Communication / Marketing
    Ransomware TULANE.EDU id24051 View details United States Other
    Ransomware LIFEFITNESS.COM id24050 View details United States Education
    Ransomware ELKAY.COM id24049 View details United States Services
    Ransomware ENOVIS.COM id24048 View details United States Other
    Ransomware NCH.COM id24047 View details United States IT
    Ransomware CYTIVALIFESCIENCES.COM id24046 View details Sweden Healthcare / Pharma
    Ransomware COMPANIES-GROUP-4 id24045 View details Services
    Ransomware COMPANIES-GROUP-3 id24044 View details Services
    Ransomware COMPANIES-GROUP-2 id24043 View details Services
    Ransomware COMPANIES-GROUP-1 id24042 View details Services
    Ransomware ENTRUST.COM id23876 View details United States IT
    Ransomware PENS.COM id23875 View details United States Communication / Marketing