Clop resurgence drives ransomware attacks in February
Negro Elkha – stock.adobe.com
The exploitation of two new vulnerabilities in a popular file transfer service saw the Clop ransomware gang soar in February, according to NCC
Month by month, the number of ransomware attacks rose 50% from January 2025 to February, and just under 40% of them attributable to the resurging Clop/Cl0p crew, according to NCC Group’s latest monthly Threat pulse report.
During the four weeks from 1 to 28 February, NCC observed 886 ransomware attacks, up from 590 in January and 403 this time last year. It said Clop’s slice of the pie was “unusually” high as a direct result of a mass naming and shaming of victims compromised via a pair of zero-day exploits in the Cleo file transfer software package.
As cyber criminal watchers will know, the Clop gang is renowned for seeking out and exploiting file transfer services, having orchestrated the mass hack of users of Progress Software’s MOVEit service back in 2023 – which had a similar effect at the time.
However, said NCC, Clop has also been known to exaggerate its claims to garner more attention, so although there is no doubt it is a highly aggressive threat actor, the numbers may have been manipulated.
Nevertheless, the gang significantly outpaced its nearest rivals, with RansomHub managing 87 attacks, Akira 77 and Play 43.
“Ransomware victim numbers hit record highs in February, surging 50% compared with January 2025, with Cl0p leading the charge,” said NCC threat intelligence head Matt Hull. “Unlike traditional ransomware operations, Cl0p’s activity wasn’t about encrypting systems – it was about stealing data at scale.
“By exploiting unpatched vulnerabilities in widely used file transfer software, much like we saw with MoveIT and GoAnywhere, they were able to exfiltrate sensitive information and will now start to pressure victims into paying. This shift towards data theft and extortion is becoming the go-to strategy for ransomware groups, allowing them to target more organisations and maximise their leverage over victims,” he added.
Clop’s Cleo attacks were orchestrated through two common vulnerabilities and exposures (CVEs) tracked as CVE-2024-50623 and CVE-2024-55956.
The first of these enables the upload of malicious files to a server than can then be executed to gain remote code execution (RCE). This issue arises through improper handling of file uploads in the Autorun directory that can be exploited by sending a crafted request to retrieve files or to upload malicious ones.
The second enables RCE through Autorun, allowing unauthenticated users to import and execute arbitrary Bash or PowerShell commands on the host using the Autorun directory’s default settings. The flaw also enables an attacker to deploy modular Java backdoors to steal data and move laterally.
Patches are available for both, but according to NCC, many organisations using Cleo remain vulnerable thanks to delayed updates or insufficient mitigations.
Amid political chaos, threat actors focus on the US
Notable in NCC’s data this month was the extent to which ransomware attacks are affecting targets in the US – with North America accounting for 65% of observed incidents compared with 18% in Europe and 7% in Asia.
Last November, the NCC Threat pulse report reported similar statistics and attributed the high attack volumes to the chaotic geopolitical landscape.
This trend seems only to be gathering pace since president Trump returned to the White House in January 2025, simultaneously ramping up pressure on Iran to curtail its nuclear ambitions and causing a significant breakdown in relations between the US and Ukraine, alongside a thaw in attitudes to the Russian regime.
NCC said it saw significant “opportunities” for threat actors in both Iran and Russia to take advantage of rapidly changing American policy – in Iran’s case, it suggested Tehran may well expand its state-backed cyber capabilities and seek closer links to China; while in Europe, the Russian-speaking cyber criminal ecosystem may perhaps ease their targeting of US victims if the thaw continues.
But for now, Russian-speaking ransomware gangs continue to hammer US targets and, in the short-term, NCC said it saw significant concerns over the dramatic government cuts being implemented by the Department of Government Efficiency (DOGE). Billed by Trump in part as an attack on wasteful spending by Washington DC, these efforts, led by tech oligarch Elon Musk, have seen thousands of government workers fired already.
NCC said that both financially and geopolitically motivated threat actors were likely looking to take advantage of the confusion and disruption which has likely led to significant deviation from normal cyber standards and processes in the federal government. Stress and uncertainty also increases the risk from disruptive attacks and leads to insider threats.
Alarmingly, a 19-year-old DOGE employee given high-level access to sensitive government IT systems was also found to be a former member of a cyber criminal network known as The Com.
NCC noted that the US House Committee on Oversight and Government Reform had called for the cessation of DOGE activities and warned of “reckless disregard of critical cyber security practices”.
