Thursday, May 8, 2025

CL0P Ransomware Launches Large-Scale Attacks on Telecom and Healthcare Sectors


The notorious CL0P ransomware group has intensified its operations in early 2025, targeting critical sectors such as telecommunications and healthcare.

Known for its sophisticated tactics, the group has exploited zero-day vulnerabilities to infiltrate systems, steal sensitive data, and extort victims.

This resurgence follows a relatively quiet 2024, during which CL0P listed only 27 victims, compared with its infamous 2023 campaign of 384 breaches.


In February alone, more than 80 attacks were attributed to CL0P, underscoring its renewed focus on large-scale campaigns.

The group’s latest activities include exploiting vulnerabilities in widely used software platforms, such as Cleo products, to compromise organizations globally.

The vulnerability, tracked as CVE-2024-50623, allowed remote file uploads and downloads, leading to unauthorized access and data theft.

Despite patches being released for affected systems, cybersecurity experts warn that these fixes may be bypassed.

Cleo Breach Sparks New Wave of Attacks

A significant catalyst for this surge in activity was the Cleo breach in late December 2024.

CL0P leveraged a zero-day vulnerability in Cleo LexiCom, VLTrader, and Harmony products to exfiltrate sensitive data from numerous organizations.

Following this breach, the group listed 66 companies on its data leak site (DLS), demanding ransom payments within 48 hours.

Failure to comply would result in public disclosure of the victims’ identities and stolen data.

The Cleo breach highlights the group’s ability to exploit vulnerabilities in widely used enterprise software, affecting thousands of organizations worldwide.

According to cybersecurity researcher Yutaka Sejiyama, partial company names revealed by CL0P can often be cross-referenced with exposed Cleo servers to identify victims.

According to Cyberint, this tactic amplifies the pressure on organizations to meet ransom demands.

Tactics and Impact

CL0P’s operations follow a well-established pattern of “steal, encrypt, and leak.”

After gaining access through vulnerabilities or phishing campaigns, the group conducts reconnaissance to identify valuable data before deploying ransomware.

The encryption phase involves halting critical services and deleting backup files using Windows tools like vssadmin.exe and taskkill.exe.

Encrypted files are marked with extensions such as .Clop or .Cl0p, accompanied by ransom notes detailing exfiltrated data and negotiation instructions.
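The two behaviours described above (backup deletion via vssadmin.exe, forced service termination via taskkill.exe, and files renamed with a .Clop or .Cl0p extension) are the kind of host telemetry a SOC can alert on. The following detection logic is an added example written for this article, not code from the original page or from any vendor; the Sysmon-style field names, the sample events and the process watchlist are constructed assumptions that need tuning to a real environment.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (Sysmon-style field names); not real telemetry.
SAMPLE_PROCESS_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill.exe /F /IM sqlservr.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows"},      # benign enumeration, no alert
    {"Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill.exe /IM notepad.exe"},   # not forced, not a watched service
]

# Constructed sample file-create paths from the same host.
SAMPLE_FILE_PATHS: List[str] = [
    r"C:\Users\alice\Documents\q1-report.xlsx.Clop",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Shares\finance\ledger.db.Cl0p",
]

# Assumed watchlist of service processes whose forced termination typically precedes
# encryption; this list is an example and must be tuned to the environment.
WATCHED_PROCESSES = {"sqlservr.exe", "oracle.exe", "msexchange.exe", "veeam.exe"}

SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)
FORCED_KILL = re.compile(r"\btaskkill(\.exe)?\b.*?/f\b.*?/im\s+(\S+)", re.IGNORECASE)
CLOP_EXT = re.compile(r"\.cl[o0]p$", re.IGNORECASE)   # matches .Clop and .Cl0p


def check_process(event: Dict[str, str]) -> List[str]:
    """Return the alert names raised by one process-creation event."""
    alerts: List[str] = []
    cmd = event.get("CommandLine", "")
    if SHADOW_DELETE.search(cmd):
        alerts.append("shadow-copy-deletion")
    m = FORCED_KILL.search(cmd)
    if m and m.group(2).lower() in WATCHED_PROCESSES:
        alerts.append("forced-service-kill:" + m.group(2).lower())
    return alerts


def check_file(path: str) -> List[str]:
    """Return an alert if a written file carries a CL0P-style extension."""
    return ["clop-extension:" + path] if CLOP_EXT.search(path) else []


def scan(process_events: List[Dict[str, str]], file_paths: List[str]) -> List[str]:
    """Run both checks over a batch of events and return all alerts in order."""
    alerts: List[str] = []
    for ev in process_events:
        alerts.extend(check_process(ev))
    for p in file_paths:
        alerts.extend(check_file(p))
    return alerts
```

Either the shadow-copy deletion or a forced kill of a watched service on its own is a strong early signal; the extension match confirms encryption has already started, so the first two should page before the third is ever seen.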

The group’s leak site serves as a platform for publicizing non-compliant victims and releasing stolen data incrementally.

In recent months, CL0P has shifted from traditional leak sites to torrent-based distribution, complicating efforts by authorities to disrupt its operations.

Figure: CL0P Leak Site (Tor)

The telecom and healthcare sectors are particularly vulnerable due to their reliance on interconnected systems and sensitive data.

Healthcare organizations face heightened risks as ransomware attacks can disrupt patient care and compromise medical records.

Similarly, telecom companies are targeted for their extensive customer databases and critical infrastructure.

CL0P’s resurgence demonstrates the evolving threat landscape posed by ransomware groups exploiting zero-day vulnerabilities.

Organizations must prioritize robust patch management, endpoint monitoring, and disaster recovery planning to mitigate risks.

As CL0P continues its large-scale campaigns, cybersecurity experts emphasize the need for vigilance across all industries.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
