
Clop Ransomware Hits Hilton, Law Firms, Healthcare in January 25 Wave

  • Writer: Patrick Duggan
  • Jan 25

Updated: Apr 25


Executive Summary


The Clop (Cl0p) ransomware group disclosed multiple new victims on January 25, 2026, maintaining its position as the most prolific ransomware operation globally. Today's disclosures span the hospitality, legal services, healthcare, and technology sectors.



Today's Confirmed Victims



| Domain                | Organization              | Sector                     |
|-----------------------|---------------------------|----------------------------|
| HILTON.COM            | Hilton Worldwide Holdings | Hospitality                |
| WRENLAWFIRM.COM       | Wren Law Firm             | Legal Services             |
| LDHRLAW.COM           | LDHR Law                  | Legal Services             |
| GENESYSSPINE.COM      | Genesys Spine             | Healthcare/Medical Devices |
| WEATHER.COM           | The Weather Company       | Technology/Media           |
| WHISKIJACKRESORTS.COM | Whistler Jack Resorts     | Hospitality                |
| GROUPAMS.CO.UK        | Group AMS                 | Business Services          |
| RTCCOMPUTERS.COM      | RTC Computers             | Technology                 |





What is Clop?


Clop is a Russian-linked ransomware operation, active since February 2019, that runs under the Ransomware-as-a-Service (RaaS) model through the TA505 collective. Key statistics:


  • $500M+ in extorted payments

  • 11,000+ organizations compromised

  • #1 most prolific ransomware group (Q1 2025 - present)

  • ~400 victims in Q1 2025 alone


Signature Tradecraft: Zero-Day Supply Chain Attacks


Clop specializes in mass exploitation of file transfer platforms:



| Year    | Platform                          | CVE                            |
|---------|-----------------------------------|--------------------------------|
| 2021    | Accellion FTA                     | CVE-2021-27101                 |
| 2023    | GoAnywhere MFT                    | CVE-2023-0669                  |
| 2023    | MOVEit Transfer                   | CVE-2023-34362                 |
| 2024-25 | Cleo (Harmony, VLTrader, LexiCom) | CVE-2024-50623, CVE-2024-55956 |
| 2025-26 | Oracle E-Business Suite           | Zero-day (active)              |





Attack Chain



┌─────────────────────────────────────────────────────────────────┐
│  1. INITIAL ACCESS                                              │
│     └─ Zero-day exploit in MFT/ERP platforms                    │
│        OR spear-phishing with macro-enabled docs (Get2 loader)  │
├─────────────────────────────────────────────────────────────────┤
│  2. PERSISTENCE                                                 │
│     └─ Web shell deployment                                     │
│     └─ SDBot, FlawedAmmy, FlawedGrace RATs                      │
├─────────────────────────────────────────────────────────────────┤
│  3. PRIVILEGE ESCALATION                                        │
│     └─ CobaltStrike + Mimikatz for credential theft             │
│     └─ UAC bypass for admin privileges                          │
│     └─ Target: Active Directory servers                         │
├─────────────────────────────────────────────────────────────────┤
│  4. LATERAL MOVEMENT                                            │
│     └─ SMB protocol exploitation                                │
│     └─ PowerShell-based reconnaissance                          │
├─────────────────────────────────────────────────────────────────┤
│  5. EXFILTRATION                                                │
│     └─ Mass data theft BEFORE encryption                        │
├─────────────────────────────────────────────────────────────────┤
│  6. EXTORTION (Quadruple)                                       │
│     └─ Encryption (AES-256 + RSA + RC4)                         │
│     └─ Data leak threats                                        │
│     └─ DDoS attacks                                             │
│     └─ Executive/customer harassment                            │
└─────────────────────────────────────────────────────────────────┘





For Architects: Strategic Defenses



1. Eliminate File Transfer Platform Exposure


Priority: CRITICAL


Clop's entire business model depends on internet-exposed MFT platforms.



Action Items:
□ Inventory all MFT solutions (MOVEit, Cleo, GoAnywhere, Accellion)
□ Place behind VPN/ZTNA - NO direct internet exposure
□ If exposure required, implement WAF with virtual patching
□ Monitor CISA KEV for MFT vulnerabilities weekly



2. Network Segmentation


Clop relies on SMB lateral movement. Segment aggressively.



Architecture Pattern:
┌──────────────┐    ┌──────────────┐    ┌──────────────┐
│   DMZ        │    │  User Tier   │    │  Data Tier   │
│  (MFT/Web)   │◄───┤  (Endpoints) │◄───┤  (AD/DB/FS)  │
└──────────────┘    └──────────────┘    └──────────────┘
       ▲                   ▲                   ▲
       │                   │                   │
   Firewall            Firewall            Firewall
   445 BLOCKED         445 BLOCKED         445 LIMITED


  • Block SMB (445) between segments

  • Restrict RDP to jump hosts only

  • Implement micro-segmentation for crown jewels


3. Immutable Backup Architecture


Clop exfiltrates before encrypting. Your backups are your last line of defense.



3-2-1-1-0 Rule:
├─ 3 copies of data
├─ 2 different media types
├─ 1 offsite
├─ 1 offline/air-gapped/immutable
└─ 0 errors (verified restores)


  • AWS S3 Object Lock (Governance or Compliance mode)

  • Azure Immutable Blob Storage

  • Veeam Hardened Repository

  • Physical tape (yes, really)


4. Zero Trust for Privileged Access


Clop targets AD servers with Mimikatz. Protect credentials.



Tiered Admin Model:
├─ Tier 0: Domain Controllers, AD, PKI
│   └─ PAWs only, no internet, no email
├─ Tier 1: Member servers, applications
│   └─ Separate admin accounts
└─ Tier 2: Workstations, users
    └─ Standard helpdesk access





For Operators: Tactical Playbook



Immediate Actions (Next 24 Hours)



```bash
# 1. Check for Cleo products (Harmony, VLTrader, LexiCom).
#    -iname rather than -name: install paths are usually capitalised ("Cleo", "Harmony").
find / -iname "*cleo*" -o -iname "*harmony*" -o -iname "*vltrader*" -o -iname "*lexicom*" 2>/dev/null
```



Patch These Now



| CVE            | Product                       | Action             |
|----------------|-------------------------------|--------------------|
| CVE-2024-55956 | Cleo Harmony/VLTrader/LexiCom | Patch to 5.8.0.24+ |
| CVE-2024-50623 | Cleo (all products)           | Patch to 5.8.0.21+ |
| CVE-2023-34362 | MOVEit Transfer               | Patch to latest    |
| CVE-2023-0669  | GoAnywhere MFT                | Patch to 7.1.2+    |



Detection Rules


Sigma Rule - Clop Web Shell Activity:

```yaml
title: Clop Web Shell Execution
status: experimental
logsource:
  category: webserver
detection:
  selection:
    cs-uri-query|contains:
      - 'cmd='
      - 'exec='
      - 'command='
    cs-uri-stem|endswith:
      - '.aspx'
      - '.jsp'
      - '.php'
  condition: selection
```
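The same Sigma logic as a stand-alone Python hunt over exported W3C (IIS) log lines, added here as an example rather than taken from the post; the sample log, the `Hit` type and the `c-ip` client field are constructed for illustration:

```python
from dataclasses import dataclass

# The post's Sigma rule as plain Python for offline hunting in W3C (IIS) logs.
# Sigma's contains/endswith modifiers are case-insensitive, so values are lowered.
QUERY_MARKERS = ("cmd=", "exec=", "command=")
SCRIPT_SUFFIXES = (".aspx", ".jsp", ".php")

@dataclass(frozen=True)
class Hit:
    client_ip: str
    uri_stem: str
    uri_query: str

def parse_w3c(lines):
    """Yield one dict per request, keyed by the most recent #Fields header."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # column count mismatch: skip rather than mis-map fields
        yield dict(zip(fields, values))

def matches_rule(rec):
    """Both keys of the Sigma selection must match (keys in one selection are ANDed)."""
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "").lower()
    return stem.endswith(SCRIPT_SUFFIXES) and any(m in query for m in QUERY_MARKERS)

def find_webshell_hits(lines):
    return [Hit(r.get("c-ip", "?"), r["cs-uri-stem"], r["cs-uri-query"])
            for r in parse_w3c(lines) if matches_rule(r)]

# Constructed sample log (not real traffic): two hits, two benign requests, and
# one request with a marker against a static file that must not match.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2026-01-25 10:14:02 10.0.0.5 GET /uploads/help.aspx cmd=dir 203.0.113.7 200
2026-01-25 10:14:05 10.0.0.5 GET /index.aspx - 198.51.100.4 200
2026-01-25 10:14:09 10.0.0.5 POST /api/Status.PHP exec=1 203.0.113.7 200
2026-01-25 10:14:11 10.0.0.5 GET /static/app.js cmd=1 198.51.100.4 200
2026-01-25 10:14:15 10.0.0.5 GET /login.jsp user=bob 198.51.100.4 200
"""
```

Run `find_webshell_hits(SAMPLE_LOG.splitlines())` to list the two matching requests; point `parse_w3c` at a real log file object to hunt across an IIS export.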




Splunk Query - SMB Lateral Movement (the wildcard suffix test belongs in `search`; `where` with `=` compares exact values and would never match `*.exe`):

```spl
index=windows EventCode=5145
| search RelativeTargetName="*.exe" OR RelativeTargetName="*.dll"
| stats count by src_ip, dest_ip, RelativeTargetName
| where count > 5
```
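The query's filter and threshold stages as a Python function for offline hunting in exported Event 5145 records, added as an example and not part of the post; the record keys (`src_ip`, `dest_ip`, `RelativeTargetName`) mirror the query's field names and the events are constructed:

```python
from collections import Counter

# Python equivalent of the post's Splunk query for Security event 5145
# (detailed file share access). Record keys are an assumption mirroring the
# query's field names; adapt them to your export format.
EXEC_SUFFIXES = (".exe", ".dll")

def is_executable_target(name):
    """Suffix test the query intends (Splunk's where/= does not wildcard-match)."""
    return name.lower().endswith(EXEC_SUFFIXES)

def smb_exec_transfers(events, threshold=5):
    """(src_ip, dest_ip, RelativeTargetName, count) rows seen more than
    `threshold` times: the stats/where stage of the query, busiest first."""
    counts = Counter(
        (e["src_ip"], e["dest_ip"], e["RelativeTargetName"])
        for e in events
        if e.get("EventCode") == 5145
        and is_executable_target(e.get("RelativeTargetName", ""))
    )
    return sorted(((*key, n) for key, n in counts.items() if n > threshold),
                  key=lambda row: -row[3])

def _ev(src, dst, name, code=5145):
    return {"EventCode": code, "src_ip": src, "dest_ip": dst,
            "RelativeTargetName": name}

# Constructed sample: one workstation touching the same DLL on a server six
# times (alerts), the same host touching an EXE three times (below threshold),
# heavy but benign document traffic, and a non-5145 event that is ignored.
SAMPLE_EVENTS = (
    [_ev("10.0.1.23", "10.0.0.10", "Temp\\svchost.dll") for _ in range(6)]
    + [_ev("10.0.1.23", "10.0.0.10", "Temp\\update.exe") for _ in range(3)]
    + [_ev("10.0.1.40", "10.0.0.20", "Reports\\q1.xlsx") for _ in range(9)]
    + [_ev("10.0.1.41", "10.0.0.10", "Temp\\svchost.dll", code=5140)]
)
```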



YARA Rule - Clop Ransomware



```yara
rule Clop_Ransomware {
    meta:
        description = "Detects Clop ransomware"
        author = "DugganUSA"
        date = "2026-01-25"
    strings:
        // Family name, encrypted-file extension, ransom note name and note text
        $s1 = "Clop" ascii wide
        $s2 = ".Clop" ascii wide
        $s3 = "ClopReadMe.txt" ascii wide
        $s4 = "Don't worry, you can return all your files!" ascii wide
        // Generic Visual Studio build path: a weak signal on its own
        $pdb = "C:\\Users\\Admin\\source\\repos" ascii
    condition:
        // MZ header restricts the rule to PE files. Note that any $s2/$s3 match
        // also satisfies $s1, so "2 of ($s*)" is met by a single ".Clop" string;
        // tune the string set before deploying broadly.
        uint16(0) == 0x5A4D and (2 of ($s*) or $pdb)
}
```



IOCs to Block


Known Clop Infrastructure (sample):

```text
# Add to blocklists
5.188.86.195
45.227.253.50
92.118.36.213
194.165.16.98
```





Response Checklist


If you suspect Clop compromise:


  • [ ] Isolate affected systems (network disconnect, not shutdown)

  • [ ] Preserve evidence (memory dumps, logs, disk images)

  • [ ] Notify legal counsel and insurance carrier

  • [ ] Engage IR firm (don't go it alone)

  • [ ] Report to FBI IC3 (ic3.gov) and CISA

  • [ ] Do NOT pay ransom without legal/FBI consultation

  • [ ] Assume data exfiltration occurred




Resources





TL;DR


Clop hit 8+ organizations today including Hilton and multiple law firms. They exploit file transfer platforms (Cleo, MOVEit, GoAnywhere) via zero-days, then move laterally via SMB to AD servers using CobaltStrike/Mimikatz.


Architects: Kill internet-exposed MFT, segment networks, implement immutable backups, deploy tiered admin model.


Operators: Patch Cleo/MOVEit NOW, hunt for web shells, block SMB between segments, monitor for CobaltStrike beacons.




DugganUSA Threat Intelligence - analytics.dugganusa.com






