Cl0p Ransomware: Indicators of Compromise, Victims & Defense

fingerprintDossier

Active since: 2019
Origin / attribution: Russia-speaking actors linked to TA505/FIN11
Known aliases: CL0P, TA505 affiliate
Common initial access: Mass exploitation of managed-file-transfer zero-days (MOVEit 2023, GoAnywhere 2023, Accellion 2020, Cleo 2024)
TTPs & tradecraft: Skips encryption on many breaches; pure data theft + leak-site extortion.
Notes: Expect Cl0p only where public MFT products are internet-exposed without fast patching.

publicTop countries hit

United States423

Canada53

United Kingdom26

Australia24

Germany23

India15

France14

Japan14

factoryTop sectors targeted

Not Found239

Technology147

Transportation/Logistics68

Consumer Services65

Manufacturing64

Business Services34

Agriculture and Food Production28

Healthcare26

historyRecent named victims

AIGHEALTHCARE.IN

IN · Healthcare · 30 Mar 2026

CLOUD.CLEARWAYGROUP.COM

Technology · 30 Mar 2026

DAD.CO.TH

TH · Not Found · 14 Feb 2026

THEMORTGAGEFIRM.COM

US · Financial Services · 14 Feb 2026

FISHWINDOWCLEANING.COM

US · Business Services · 14 Feb 2026

SOLUTIONSINSAFETY.COM

Business Services · 14 Feb 2026

BOYDEN.COM

US · Not Found · 14 Feb 2026

CFDT.FR

FR · Not Found · 14 Feb 2026

SPOHNASSOCIATES.COM

US · Technology · 14 Feb 2026

GARNERGROUP.NET

Not Found · 14 Feb 2026

THEPERPETUAL.COM

US · Technology · 14 Feb 2026

AIGBUSINESS.COM

Financial Services · 14 Feb 2026

HYDEPARKUMC.ORG

US · Education · 14 Feb 2026

GIACARE.COM

US · Healthcare · 14 Feb 2026

GIASPACE.COM

US · Technology · 14 Feb 2026

Sourced from open leak-site monitoring · Generated 20 Apr 2026

shield_lockCl0p defense checklist

check_circleEnforce phishing-resistant MFA on every VPN, remote desktop, email, and SaaS admin account.

check_circlePatch perimeter gear (VPN, firewall, file-transfer, hypervisor) within 72 hours of vendor advisories.

check_circleSegment ESXi management from domain accounts; disable vSphere SSH unless in use.

check_circleTier admin credentials — no shared local-admin, rotate break-glass accounts monthly.

check_circleDeploy EDR across servers & DCs; alert on Rclone, WinSCP, MegaCmd, and suspicious PowerShell.

check_circleImmutable, offline backups tested quarterly with measured RTO/RPO.

check_circleBlock outbound on unused ports; restrict egress to vetted CDNs and update servers.

check_circleHunt for dropped vulnerable drivers used to kill EDR (BYOVD patterns).

check_circleRun an annual tabletop modelled on Cl0p's latest playbook.

check_circleHave an IR retainer identified before you need it.

Worried Cl0p will land on you?

We run focused VAPT, ransomware-readiness reviews, and purple-team exercises tuned to the playbook this crew actually uses.

Book a scope call