The Clop ransomware gang is back, hitting 21 victims in a single month


After virtually shutting down all operations for several months between November and February, the Clop ransomware is now back, according to researchers at NCC Group.

“CL0P had an explosive and unexpected return to the top of the ransomware threat landscape, jumping from least active threat actor in March to fourth most active in April,” said the NCC Group.

This spike in activity was noticed after the ransomware group added 21 new victims to its data leak site in April alone.

“April saw notable fluctuations in threat actor targeting. While Lockbit 2.0 (103 victims) and Conti (45 victims) remain the most prolific threat actors, CL0P victims increased massively from 1 to 21,” NCC Group added.

Clop’s most impacted sector was industrial, with 45% of Clop ransomware attacks targeting industrial companies and 27% targeting technology companies.

That’s why Matt Hull, NCC Group’s Strategic Threat Intelligence Global Lead, warned organizations in the ransomware group’s hardest-hit sectors to consider the possibility of being the next target of this gang and prepare accordingly.

Although data from nearly two dozen victims has already been leaked, the ransomware group doesn’t appear to be very active based on the number of submissions to the ID Ransomware service.

Clop ransomware activity (ID Ransomware)

Part of a shutdown process?

While some of the recent victims have been confirmed as new attacks, one theory is that the Clop gang may finally be shutting down after such a long period of inactivity.

As part of this process, the ransomware gang would likely release the details of any previously unpublished victims.

This is similar to what the Conti group appears to be doing as part of its own ongoing shutdown.

Whether they are old or new victims is likely to be confirmed when they issue security breach reports or post acknowledgments (some have already done so).

Who is Clop?

The Clop ransomware gang’s lull in activity is easily explained by the fact that part of their infrastructure was shut down in June 2021 following an INTERPOL-coordinated international law enforcement operation codenamed Operation Cyclone.

Six people suspected of laundering money and providing withdrawal services to the Clop ransomware gang have been arrested by Ukrainian authorities after 21 house searches in the Kyiv region.

“The overall impact on CLOP is expected to be small,” cybersecurity firm Intel 471 told BleepingComputer.

While the Clop gang has been targeting victims in ransomware attacks worldwide since at least 2019 (victims include Maastricht University, Software AG IT, ExecuPharm and Indiabulls), it has also been linked to a massive wave of Accellion data breaches, leading to a significant increase in average ransom payments for the first three months of 2021.

In the Accellion attacks, Clop operators exfiltrated large amounts of data from high-profile companies using only Accellion’s legacy File Transfer Appliance (FTA).

The gang later used this stolen data as leverage to blackmail the compromised companies and force them to pay hefty ransom demands to keep their data from being leaked online.

The list of companies whose Accellion FTA servers were hacked by Clop includes energy giant Shell, cybersecurity firm Qualys, supermarket giant Kroger, and several universities worldwide (the University of Colorado, University of Miami, Stanford Medicine, University of Maryland Baltimore (UMB) and the University of California).

