Flash Report: Cl0p Lists Latest Wave of Victims on Leak Site
by ZeroFox Intelligence
Key Findings
- Ransomware and digital extortion (R&DE) collective Cl0p has claimed at least 46 victims on its victim shame site over the past week (an unusually high number for such a short time period), portending an increase in operational tempo in the near term that is likely to increase its notoriety and pressure victims to pay the demanded ransoms.
- Since first observed in Q1 2022, Cl0p has had notable quarters of high-tempo activity very likely related to targeted extortion campaigns followed by several periods of relatively low activity.
- Although Cl0p has posted an extensive list of alleged victims on their leak site in the past week, they have not yet provided any details about an ongoing campaign or the type of data allegedly compromised.
Details
R&DE collective Cl0p has claimed at least 46 victims on its victim shame site over the past week; this is an unusually high number for such a short time period and portends an increase in operational tempo in the near term that is likely to increase its notoriety and pressure alleged victims to pay the demanded ransoms. It is likely Cl0p has targeted the listed victims in a recent extortion campaign, the nature of which cannot be determined at this time.
- Cl0p has been active since at least Q1 2022, making them one of the oldest ransomware collectives still active today.
- Since first observed, Cl0p has had notable quarters of high-tempo activity very likely related to targeted extortion campaigns followed by periods of relatively low activity.
During Q4 2025, Cl0p was responsible for at least 112 separate attacks, accounting for 5.3 percent of global R&DE incidents and making it the fourth most active collective for the period. Notably, Cl0p’s Q4 2025 attacks represent the first significant activity by the collective since its then record-setting 370 attacks in Q1 2025. (Cl0p was responsible for a total of just nine attacks across both Q2 and Q3 2025.)
Although Cl0p has posted an extensive list of alleged victims on their leak site, they have not yet provided any details about an ongoing campaign or the type of data allegedly compromised. Notably, Cl0p maintains a relatively small online footprint compared to other threat actor collectives, with no known social media presence or Telegram channel. There is a roughly even chance that Cl0p will release further details in the coming weeks related to this recent wave of alleged attacks.
Recommendations
- Develop a comprehensive incident response strategy.
- Deploy a holistic patch management process, and ensure all IT assets are patched with the latest software updates as quickly as possible.
- Adopt a Zero-Trust cybersecurity architecture based upon a principle of least privilege.
- Implement network segmentation to separate resources by sensitivity and/or function.
- Ensure critical, proprietary, or sensitive data is always backed up to secure, off-site, or cloud servers at least once per year—and ideally more frequently.
- Implement secure password policies, phishing-resistant multi-factor authentication (MFA), and unique credentials.
- Configure email servers to block emails with malicious indicators, and deploy authentication protocols to prevent spoofed emails.
- Proactively monitor for compromised accounts and credentials being brokered in deep and dark web (DDW) forums.
- Leverage cyber threat intelligence to inform the detection of relevant cyber threats and associated tactics, techniques, and procedures (TTPs).
Scope Note
ZeroFox Intelligence is derived from a variety of sources, including—but not limited to—curated open-source accesses, vetted social media, proprietary data sources, and direct access to threat actors and groups through covert communication channels. Information relied upon to complete any report cannot always be independently verified. As such, ZeroFox applies rigorous analytic standards and tradecraft in accordance with best practices and includes caveat language and source citations to clearly identify the veracity of our Intelligence reporting and substantiate our assessments and recommendations. All sources used in this particular Intelligence product were identified prior to 7:00 AM (EST) on January 27, 2026; per cyber hygiene best practices, caution is advised when clicking on any third-party links.
ZeroFox Intelligence Probability Scale
All ZeroFox intelligence products leverage probabilistic assessment language in analytic judgments. Qualitative statements used in these judgments refer to associated probability ranges, which state the likelihood of occurrence of an event or development. Ranges are used to avoid a false impression of accuracy. This scale is a standard that aligns with how readers should interpret such terms.