Sunday, May 25, 2025

CL0P Ransomware Launches Large-Scale Attacks on Telecom and Healthcare Sectors

The notorious CL0P ransomware group has intensified its operations in early 2025, targeting critical sectors such as telecommunications and healthcare.

Known for its sophisticated tactics, the group has exploited zero-day vulnerabilities to infiltrate systems, steal sensitive data, and extort victims.

This resurgence follows a relatively quieter 2024, during which CL0P listed only 27 victims compared to its infamous 2023 campaign with 384 breaches.

In February alone, over 80 attacks have been attributed to CL0P, underscoring its renewed focus on large-scale campaigns.

The group’s latest activities include exploiting vulnerabilities in widely used software platforms, such as Cleo products, to compromise organizations globally.

The vulnerability, tracked as CVE-2024-50623, allowed remote file uploads and downloads, leading to unauthorized access and data theft.

Despite patches being released for affected systems, cybersecurity experts warn that these fixes may be bypassed.

Cleo Breach Sparks New Wave of Attacks

A significant catalyst for this surge in activity was the Cleo breach in late December 2024.

CL0P leveraged a zero-day vulnerability in Cleo LexiCom, VLTrader, and Harmony products to exfiltrate sensitive data from numerous organizations.

Following this breach, the group listed 66 companies on its data leak site (DLS), demanding ransom payments within 48 hours.

Failure to comply would result in public disclosure of the victims’ identities and stolen data.

The Cleo breach highlights the group’s ability to exploit vulnerabilities in widely used enterprise software, affecting thousands of organizations worldwide.

According to cybersecurity researcher Yutaka Sejiyama, partial company names revealed by CL0P can often be cross-referenced with exposed Cleo servers to identify victims.

According to Cyberint, this tactic amplifies the pressure on organizations to meet ransom demands.

Tactics and Impact

CL0P’s operations follow a well-established pattern of “steal, encrypt, and leak.”

After gaining access through vulnerabilities or phishing campaigns, the group conducts reconnaissance to identify valuable data before deploying ransomware.

The encryption phase involves halting critical services and deleting backups using built-in Windows tools: taskkill.exe to terminate running processes and vssadmin.exe to delete Volume Shadow Copies.

Encrypted files are marked with extensions such as .Clop or .Cl0p, accompanied by ransom notes detailing exfiltrated data and negotiation instructions.
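The three encryption-phase behaviours described above (shadow-copy deletion with vssadmin.exe, forced process termination with taskkill.exe, and a burst of files renamed to .Clop or .Cl0p) are exactly what endpoint monitoring should correlate. The following is an added example, not code from the article or from any vendor: it runs simple detection logic over a constructed, simplified set of process-creation and file events (the record layout, host names, paths and the burst threshold are all assumptions for illustration) and escalates severity when several stages appear together on one host.

```python
"""
Detection logic for the CL0P encryption-phase pattern: vssadmin shadow-copy
deletion, forced taskkill terminations, and a burst of .Clop/.Cl0p renames.

Added example. The telemetry below is constructed and simplified
(timestamp, host, event_type, detail); it is not a real EDR or Sysmon schema.
"""
import re
from collections import Counter, defaultdict

# Constructed sample telemetry.
#   event_type "proc" -> detail is the process command line
#   event_type "file" -> detail is the path of a created/renamed file
SAMPLE_EVENTS = [
    ("2025-02-10T03:14:01", "WS-017", "proc", r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    ("2025-02-10T03:14:02", "WS-017", "proc", r"taskkill.exe /F /IM sqlservr.exe"),
    ("2025-02-10T03:14:02", "WS-017", "proc", r"taskkill.exe /F /IM msmdsrv.exe"),
    ("2025-02-10T03:14:03", "WS-017", "file", r"D:\Finance\Q4-report.xlsx.Clop"),
    ("2025-02-10T03:14:03", "WS-017", "file", r"D:\Finance\budget.docx.Clop"),
    ("2025-02-10T03:14:04", "WS-017", "file", r"D:\Finance\ClopReadMe.txt"),
    ("2025-02-10T03:14:04", "WS-017", "file", r"D:\HR\payroll.csv.Cl0p"),
    # Benign host: listing shadows and ordinary file writes should not alert.
    ("2025-02-10T09:00:00", "WS-042", "proc", r"vssadmin.exe list shadows"),
    ("2025-02-10T09:00:05", "WS-042", "file", r"C:\Users\alice\notes.txt"),
]

# Indicators drawn from the article's description of the encryption phase.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
FORCE_KILL = re.compile(r"taskkill(\.exe)?\s+.*/F\b", re.IGNORECASE)
CLOP_EXT = re.compile(r"\.cl[o0]p$", re.IGNORECASE)

FILE_BURST_THRESHOLD = 3   # assumed threshold for a "mass rename" finding
KILL_THRESHOLD = 2         # assumed threshold for repeated forced terminations


def analyse(events):
    """Return {host: [finding, ...]} for behaviours matching the CL0P pattern.

    A finding is a tuple whose first element names the behaviour.
    """
    findings = defaultdict(list)
    renamed = Counter()
    kills = Counter()
    for ts, host, kind, detail in events:
        if kind == "proc":
            if SHADOW_DELETE.search(detail):
                findings[host].append(("shadow_copy_deletion", ts, detail))
            elif FORCE_KILL.search(detail):
                kills[host] += 1
        elif kind == "file" and CLOP_EXT.search(detail):
            renamed[host] += 1
    for host, n in kills.items():
        if n >= KILL_THRESHOLD:
            findings[host].append(("forced_process_termination", n))
    for host, n in renamed.items():
        if n >= FILE_BURST_THRESHOLD:
            findings[host].append(("clop_extension_burst", n))
    return dict(findings)


def severity(host_findings):
    """Escalate when backup destruction and mass renaming co-occur on a host."""
    stages = {f[0] for f in host_findings}
    if {"shadow_copy_deletion", "clop_extension_burst"} <= stages:
        return "critical"
    if stages:
        return "suspicious"
    return "none"


if __name__ == "__main__":
    for host, host_findings in analyse(SAMPLE_EVENTS).items():
        print(host, severity(host_findings))
        for finding in host_findings:
            print("  ", finding)
```

The point of the severity step is that none of the individual signals is conclusive on its own (administrators do run vssadmin and taskkill), but shadow-copy deletion followed within seconds by a rename burst to a known ransomware extension is the moment at which backups are already being destroyed, so it warrants an immediate host isolation response rather than a ticket.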

The group’s leak site serves as a platform for publicizing non-compliant victims and releasing stolen data incrementally.

In recent months, CL0P has shifted from traditional leak sites to torrent-based distribution methods, complicating efforts by authorities to disrupt their operations.

[Image: CL0P Leak Site (Tor)]

The telecom and healthcare sectors are particularly vulnerable due to their reliance on interconnected systems and sensitive data.

Healthcare organizations face heightened risks as ransomware attacks can disrupt patient care and compromise medical records.

Similarly, telecom companies are targeted for their extensive customer databases and critical infrastructure.

CL0P’s resurgence demonstrates the evolving threat landscape posed by ransomware groups exploiting zero-day vulnerabilities.

Organizations must prioritize robust patch management, endpoint monitoring, and disaster recovery planning to mitigate risks.

As CL0P continues its large-scale campaigns, cybersecurity experts emphasize the need for vigilance across all industries.

Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
