clop

79 total attacksRank #310.4% share8 sectors targeted10 countries

ACTIVITY OVER TIME

TOTAL ATTACKS

REPORTS APPEARED IN

GLOBAL RANK

ATTACK SHARE

10.4%

GROUP PROFILE

Cl0p continues operating as one of the most established and financially successful RaaS platforms, with 79 attacks this period demonstrating their strategic evolution toward high-value technology and financial services targets. The group maintains their signature approach of leveraging T1190 exploitation of public-facing applications, particularly targeting supply chain vulnerabilities as evidenced by their recent Oracle E-Business Suite campaign that generated massive enterprise extortion campaigns. Their double extortion model combines data theft with traditional encryption, using T1021.002 SMB-based lateral movement to maximize data exfiltration before deploying ransomware payloads. Cl0p's estimated $500M+ earnings from supply chain attacks underscore their preference for high-impact, multi-victim campaigns that generate maximum return on investment, making them particularly dangerous to organizations with extensive vendor ecosystems.

MITRE ATT&CK — KILL CHAIN

Initial Access

T1190Exploit Public-Facing Application

T1566.001Spearphishing Attachment

Execution

T1059.001PowerShell

T1204.002Malicious File

Persistence

T1547.001Registry Run Keys

Privilege Escalation

T1068Exploitation for Privilege Escalation

Defense Evasion

T1562.001Disable or Modify Tools

T1036Masquerading

Credential Access

T1003OS Credential Dumping

Discovery

T1083File and Directory Discovery

Lateral Movement

T1021.002SMB/Windows Admin Shares

Collection

T1005Data from Local System

T1560Archive Collected Data

Exfiltration

T1567.002Exfiltration to Cloud Storage

Impact

T1486Data Encrypted for Impact

T1489Service Stop

11 TACTICS|16 TECHNIQUES|Click technique IDs for MITRE ATT&CK details

TARGETED SECTORS

TARGETED COUNTRIES

US: 26 AU: 10 CA: 8 UK: 3 JP: 2

REPORT APPEARANCES

February 202679 attacks

COMMUNITY INTELLIGENCE — REDDIT

upvotes

How Cl0p Ransomware Earned $500M+ by Hacking the Supply Chain

We’ve all seen the headlines about the **MOVEit** breach: the single largest cyber heist in history by victim count (2,500+ orgs, 66M+ people). But the story of the gang behind it, **Cl0p**, is even...

r/hackers1 comments2mo ago

upvotes

Canon has confirmed a subsidiary was affected in the Cl0p ransomware group’s Oracle E-Business Suite exploit campaign.

The company says only a web server was impacted and there’s no evidence of leaked Canon data. Cl0p has already named over 100 organizations across industries - including Broadcom, Estée Lauder, Miche...

r/TechNadu1 comments3mo ago

upvotes

Oracle and Google warn of large-scale extortion emails hitting enterprise clients | Hackers linked to the cl0p ransomware group claim responsibility for the campaign

r/technology2 comments5mo ago

upvotes

wsip-70-188-68-120.cox.net had INBOUND firewall traffic from 71.6.165.200 (tracked in cl0p ransomware) to 70.188.68.120

"connection_status": "ACCEPT", "direction": "INBOUND", "incoming_bytes": "60", "outgoing_bytes": "0", "geoip_country_code": "US", "geoip_country_name": "United States...

r/CoxCommunications9 comments5mo ago