Total Victims: 0
First Seen: 2023-05-01
Last Seen: N/A
Known TTPs: 0
Avg Delay: 4.9d
Negotiations: 0
ONION URLS
refslsvgrulwrcziiedimlu5l5hr7ms6rsmffgkwh3gepv3nqbee22c4.onion
pnyxll54tcsscm2rdjhomsmn3t2d3hceutitv2wms7tdqxmtrw6xdgad.onion
TOOLS
MOVEit zero-day
FILE EXTENSIONS
.clop
ACTIVITY TIMELINE
TOP SECTORS
TOP COUNTRIES
ACTIVITY HEATMAP
Date Victim Name Country Sector Status
No victims recorded

No TTPs data

Cl0p_MOVEit_Campaign_rule_1 Malpedia
rule Cl0p_MOVEit_Campaign_ransomware_1 {
    meta:
        description = "Detects Cl0p MOVEit Campaign ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "cc01be9ca2e372a5d2076b2e0857f5389e2d53eabf0d5c8ac2b5637c8531b0f9"

    strings:
        // Ransom-note filename such as README.txt (case-insensitive)
        $r0 = /README\..{3,10}/i
        // Payment instructions inside the note
        $s1 = "BITCOIN" nocase
        // v3 hidden-service address (56-character label followed by .onion)
        $r3 = /[A-Za-z0-9]{56}\.onion/
        // Byte sequence; the final byte survives on the page only as the nibble "C",
        // so its low nibble is wildcarded to keep the rule compilable
        $h4 = { 33 BB 42 FB 5E F2 7B 66 07 E9 59 31 B9 BB CE E2 51 BC C? }

    condition:
        uint16(0) == 0x5A4D and   // "MZ": PE executable
        filesize < 5MB and
        // The original listed the README regex twice ($r0 and $r2) and required
        // "4 of them", which amounts to: README plus any 2 of the other 3 strings
        $r0 and 2 of ($s1, $r3, $h4)
}
Type Value Description
email support402@tutanota.com Associated with Cl0p MOVEit Campaign ransomware
email support752@tutanota.com Associated with Cl0p MOVEit Campaign ransomware
sha1 d2b32d131b81f7ebf5e6b6d7468bcd3e764154b5 Dropper hash observed in Cl0p MOVEit Campaign attacks
sha256 ba285b5400a481588e2414c8d8a8929a4a2914da33cba4c6ec15f309d0c3b8aa Infrastructure linked to Cl0p MOVEit Campaign
btc bc1qw4fu3ny0phapoxzh0o21jkljtllnytwbq1mp1m Infrastructure linked to Cl0p MOVEit Campaign
md5 22b10e31ae57d57b299a6de0544159a3 Infrastructure linked to Cl0p MOVEit Campaign
tox 17965F83652C3290FCFFEEEEDFAC1CE51E5C43DDA1ACEC987FB9BFEFC00480342D408AA9966D Tox messenger ID - Cl0p MOVEit Campaign
sha1 e4236aa763c202e7574e2b4152bf3b8b502a5d33 Dropper hash - Cl0p MOVEit Campaign
sha1 4be2dfc3a00008dd53152190f05f616fc3b8c8db Infrastructure linked to Cl0p MOVEit Campaign

No ransom notes