Attending InfoSec?

Is Clop Ransomware the New Threat to Watch?

Executive Summary

Clop Ransomware, aka Cl0p, is a ransomware group that emerged in February 2019 and targeted most industries worldwide, including retail, transportation, education, manufacturing, automotive, energy, financial, telecommunications and even healthcare. The clop ransomware group is thought to be a successor of the CryptoMix ransomware group.

The Cyberint Research Team identified an anomaly in Clop Ransomware group’s activity in the past two weeks. It seems that Clop was able to claim an explosive amount of victims worldwide, a total of 98 victims. If we compare it to LockBit3.0, the leader in the ransomware industry, which claimed 51 victims in the past two weeks, it’s almost double.

Recent Stats

Currently, Clop Ransomware is focusing its efforts on several sectors: Business Services, Software, Retail, Manufacturing and Transportation (Figure 1).

Clop ransomware’s Top 10 targeted sectors
Figure 1: Clop’s Top 10 targeted sectors

Regarding their regional activity, it seems that Clop Ransomware’s most targeted region is North America with 53 cases, amounting to 54% of the total cases (Figure 2).

Clop Ransomware's attacks by region
Figure 2: Clop Ransomware’s Attacks by Region

The Effect of Hive Ransomware’s Shutdown?

The significant rise of Clop Ransomware’s activity raises many questions. One of the most interesting ones is whether there is a chance that Hive Ransomware’s former members joined Clop Ransomware’s group and brought with them tools and techniques that improved their products.

Although there is no solid evidence that links former Hive Ransomware’s members to Clop Ransomware, it’s fairly possible that after Hive Ransomware’s shutdown, some of the members looked for a new home. Two months after going off-grid, they found it with Clop Ransomware.


Clop is a well-known veteran ransomware group that has been active for years.

Currently, they are in the middle of a massively successful campaign. They’ve claimed 98 victims in just two weeks.

Although the assumption is that this momentum will fade eventually, if the speculations of Hive Ransomware joining the group are true, this might be just the beginning. We might see Clop Ransomware entering the top three ransomwares to watch and becoming a real competitor to LockBit 3.0.

Uncover your compromised credentials from the deep and dark web

Fill in your business email to start