Cl0p attacks Olayan Saudi Holding Company (OSHCO)

Incident Date:

March 23, 2023

World map



Cl0p attacks Olayan Saudi Holding Company (OSHCO)


Olayan Saudi Holding Company (OSHCO)




RIYADH CITY, United Arab Emirates

, United Arab Emirates

First Reported

March 23, 2023

The Cl0p Ransomware Gang's Attack on Olayan Saudi Holding Company

The Cl0p ransomware gang has attacked the Olayan Saudi Holding Company (OSHCO). The Olayan Saudi Holding Company (OSHCO) is a prominent diversified conglomerate based in Saudi Arabia. It was established in 1947 by Suliman S. Olayan, and it has since grown to become one of the largest privately held companies in the country. OSHCO operates across a wide range of industries, including real estate, manufacturing, distribution, services, and investments.

Cl0p posted Olayan Saudi Holding Company (OSHCO) to its data leak site on March 24th but did not provide any further information. Cl0p is a major Ransomware-as-service (RaaS) platform first observed in 2019. Cl0p is a dangerous ransomware family because it has advanced anti-analysis capabilities and anti-virtual machine analysis to prevent investigations in an emulated environment like those commonly used by security tools.

Cl0p's Technical Capabilities and Targets

Cl0p is one of just a handful of threat actors that have developed a Linux version. While Linux has a tiny footprint in desktop computing, it runs ~80% of web servers and a substantial portion of embedded devices used in the healthcare field – and this means that Cl0p is likely actively recruiting new talent to help improve their platform and expand the scope of what and whom they can attack.

Cl0p also exfiltrates data to be leveraged in double extortion schemes and has recently claimed responsibility for attacks against over 130 organizations – some outside the healthcare sector - using a zero-day vulnerability in secure file transfer software GoAnywhere MFT.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.