The notorious CL0P ransomware group has intensified its operations in early 2025, targeting critical sectors such as telecommunications and healthcare.
Known for its sophisticated tactics, the group has exploited zero-day vulnerabilities to infiltrate systems, steal sensitive data, and extort victims.
This resurgence follows a relatively quieter 2024, during which CL0P listed only 27 victims compared to its infamous 2023 campaign with 384 breaches.
In February alone, over 80 attacks have been attributed to CL0P, underscoring its renewed focus on large-scale campaigns.
The group’s latest activities include exploiting vulnerabilities in widely used software platforms, such as Cleo products, to compromise organizations globally.
The vulnerability, tracked as CVE-2024-50623, allowed remote file uploads and downloads, leading to unauthorized access and data theft.
Despite patches being released for affected systems, cybersecurity experts warn that these fixes may be bypassed.
Cleo Breach Sparks New Wave of Attacks
A significant catalyst for this surge in activity was the Cleo breach in late December 2024.
CL0P leveraged a zero-day vulnerability in Cleo LexiCom, VLTrader, and Harmony products to exfiltrate sensitive data from numerous organizations.
Following this breach, the group listed 66 companies on its data leak site (DLS), demanding ransom payments within 48 hours.
Failure to comply would result in public disclosure of the victims’ identities and stolen data.
The Cleo breach highlights the group’s ability to exploit vulnerabilities in widely used enterprise software, affecting thousands of organizations worldwide.
According to cybersecurity researcher Yutaka Sejiyama, partial company names revealed by CL0P can often be cross-referenced with exposed Cleo servers to identify victims.
According to Cyberint, this tactic amplifies the pressure on organizations to meet ransom demands.
Tactics and Impact
CL0P’s operations follow a well-established pattern of “steal, encrypt, and leak.”
After gaining access through vulnerabilities or phishing campaigns, the group conducts reconnaissance to identify valuable data before deploying ransomware.
The encryption phase involves halting critical services and deleting backup files using Windows tools like vssadmin.exe and taskkill.exe.
Encrypted files are marked with extensions such as .Clop or .Cl0p, accompanied by ransom notes detailing exfiltrated data and negotiation instructions.
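As an added illustration (not code from the article, and not a CL0P sample), the following Python script shows how a defender could flag the behaviours described above in endpoint telemetry: shadow-copy deletion via vssadmin.exe, forced process termination via taskkill.exe, and files written with the .Clop or .Cl0p extension. The key=value log format, host names and file paths are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample telemetry (not real logs): process-creation and
# file-creation events in a simplified key=value form.
SAMPLE_LOGS = [
    'event=ProcessCreate host=ws01 image=C:\\Windows\\System32\\vssadmin.exe '
    'cmdline="vssadmin.exe delete shadows /all /quiet"',
    'event=ProcessCreate host=ws01 image=C:\\Windows\\System32\\taskkill.exe '
    'cmdline="taskkill.exe /F /IM sqlservr.exe"',
    'event=ProcessCreate host=ws02 image=C:\\Windows\\System32\\vssadmin.exe '
    'cmdline="vssadmin.exe list shadows"',
    'event=FileCreate host=ws01 path=C:\\Users\\alice\\Documents\\report.docx.Cl0p',
    'event=FileCreate host=ws01 path=C:\\Users\\alice\\Documents\\notes.txt',
    'event=FileCreate host=ws03 path=D:\\share\\budget.xlsx.Clop',
]

# key=value pairs; values may be double-quoted when they contain spaces.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Extensions named in the article as markers of CL0P-encrypted files.
RANSOM_EXTENSIONS = (".clop", ".cl0p")


def parse_event(line):
    """Turn one key=value log line into a dict of lowercase keys."""
    return {m.group(1).lower(): (m.group(2) if m.group(2) is not None else m.group(3))
            for m in _KV_RE.finditer(line)}


def _image_name(event):
    """Basename of the executing image, lowercased, for matching."""
    return event.get("image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_clop_indicators(lines):
    """Return a list of findings (dicts) for lines matching the three rules.

    Rules (hypothetical names chosen for this example):
      shadow_copy_deletion : vssadmin.exe invoked with "delete shadows"
      forced_process_kill  : taskkill.exe invoked with the /F (force) switch
      ransomware_extension : a file created with a .Clop or .Cl0p extension
    """
    findings = []
    for line in lines:
        ev = parse_event(line)
        host = ev.get("host", "unknown")
        if ev.get("event") == "ProcessCreate":
            image = _image_name(ev)
            cmd = ev.get("cmdline", "").lower()
            # Listing shadows is routine admin activity; only deletion is flagged.
            if image == "vssadmin.exe" and "delete shadows" in cmd:
                findings.append({"host": host, "rule": "shadow_copy_deletion", "evidence": cmd})
            elif image == "taskkill.exe" and re.search(r"(^|\s)/f(\s|$)", cmd):
                findings.append({"host": host, "rule": "forced_process_kill", "evidence": cmd})
        elif ev.get("event") == "FileCreate":
            path = ev.get("path", "")
            if path.lower().endswith(RANSOM_EXTENSIONS):
                findings.append({"host": host, "rule": "ransomware_extension", "evidence": path})
    return findings


def summarize_by_host(findings):
    """Count findings per host so responders can prioritise isolation."""
    return dict(Counter(f["host"] for f in findings))


if __name__ == "__main__":
    hits = detect_clop_indicators(SAMPLE_LOGS)
    for h in hits:
        print(f'{h["host"]:6} {h["rule"]:22} {h["evidence"]}')
    print("per-host:", summarize_by_host(hits))
```

The rules deliberately ignore "vssadmin list shadows" and unforced taskkill usage so that routine administration does not drown the alert; in production the same checks would run against Sysmon Event ID 1 and 11 (or EDR equivalents) rather than the toy format used here.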
The group’s leak site serves as a platform for publicizing non-compliant victims and releasing stolen data incrementally.
In recent months, CL0P has shifted from traditional leak sites to torrent-based distribution methods, complicating efforts by authorities to disrupt their operations.
The telecom and healthcare sectors are particularly vulnerable due to their reliance on interconnected systems and sensitive data.
Healthcare organizations face heightened risks as ransomware attacks can disrupt patient care and compromise medical records.
Similarly, telecom companies are targeted for their extensive customer databases and critical infrastructure.
CL0P’s resurgence demonstrates the evolving threat landscape posed by ransomware groups exploiting zero-day vulnerabilities.
Organizations must prioritize robust patch management, endpoint monitoring, and disaster recovery planning to mitigate risks.
As CL0P continues its large-scale campaigns, cybersecurity experts emphasize the need for vigilance across all industries.