Clop ransomware resumed activities with 21 victims in a month already

The ransomware gang active again after the shutdown for a few months

Clop ransomware took a break and came back with 21 victims in one month

Clop ransomware gang was shut down between November and February, but activities began again in the month of April and victimized at least 21 devices. NCC Group researchers report^[1] that the ransomware returned unexpectedly and jumped from the least active ransomware threat in March to the fourth on the active list in April.^[2]

There were notable fluctuations in threat actor targeting in April. While Lockbit 2.0 (103 victims) and Conti (45 victims) remain the most prolific threat actors, victims of CL0P increased massively, from 1 to 21

The ransomware group added 21 new victims to the particular data leak site in the month of new activities. The most targeted sector of these attackers remains the industrial sector. 45% of Clop file virus attacks are aimed at industrial organizations, and 27% of the attacks are aimed at technology companies. Then goes the consumer cyclical as the target. North America is the most targeted region, then this gang aims at companies in Europe.

Researchers warn particularly targeted sectors

Considering the increase of numbers and particular targets that ransomware remains to aim for, NCC Group and the strategic threat intelligence global mead Matt Hull warn companies in these industries that Clop ransomware is mostly targeting. These organizations need to prepare accordingly because it is possible that gang is going to target them next.

The gang already leaking data taken from the bunch of victims attacked back in April, but particular samples and submissions on the ID ransomware services do not back up these numbers. It is not looking like ransomware is very active right now.

These recent attacks have been confirmed to be new, and the data exposed related to real victims, but there are speculations that the Clop ransomware gang still might be shutting down their activities. The best confirmation of the time would be proper breach notifications and public reports from victims.^[3] Criminals might publish data from all their victims and previously not leaked databases.

Clop ransomware impacting many companies

Last year, Interpol led the Operation Cyclone effort to arrest the six members of the Clop ransomware gang.^[4] The operation lasted 30 months and was coordinated from the Cyber Fusion Centre in Singapore. Researchers used threat intel provided by other agencies like Trend Micro and Palo Alto Networks. Criminals got arrested back in June 2021. No news on the conviction at this time.

These six criminals were suspected of money laundering and proving cash-out services for the criminals related to the Clop ransomware. The particular ransomware operations started in 2019 with major victims like Maastricht University, ExecuPharm, and Indiabulls.^[5] The most major incidents related to the gang took place at the end of 2020 mostly. This gang was linked to other massive breaches, and the virus attacks led to an increase in the average ransom payments for the first three months of the year 2021.

This is one of the ransomware gangs that leverages the stolen data to extort money from the affected companies again. Cybercriminals force victims to pay the high ransom demands to avoid the stolen information on their data leak site. The affected companies already are various energy companies, cybersecurity firms, supermarkets, various universities worldwide, software developers, and other technology organizations.