View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
May 30, 2022updated 06 Jul 2022 11:33am

Ramping up or shutting down? Cl0p ransomware gang’s puzzling resurgence

The gang has posted a host of victims on its blog. But is it the start of a new campaign, or the tying up of loose ends?

By Claudia Glover

Ransomware gang Cl0p apparently had a busy April, with 21 new victims flagged on its blog. Cybersecurity experts are split on whether this marks the start of a new campaign for the group, or whether it is conducting a “fire sale” of stolen data before it rebrands or disbands altogether.

Cl0p ransomware
Interpol arrested six members of Cl0p last year, but the gang seems to have returned (Photo by FRED DUFOUR/AFP via Getty Images)

Prior to last month Cl0p had been largely dormant, with just one victim listed on the blog. The new activity was spotted by researchers at security company NCC, which notes most of the new victims are industrial businesses. “Organisations within Cl0p’s most targeted sectors – notably industrials and technology, should consider the threat this ransomware presents and be prepared for it,” an NCC report says.

Why has Cl0p had a resurgance?

Cl0p has been active since 2019, and by last year had racked up 57 victims, extorting some $500m. Those targeted included the UK Police National Computer database. But Cl0p’s activity has slowed since the arrests of six of its members in November in Ukraine. The sting was the result of a two-year operation spearheaded by Interpol and seven other national law enforcement agencies.

The NCC report states that the gang has gone from one of the least active threat groups it was tracking in March, to fourth most active in April. Ransomware identification tool ID Ransomware suggests that Cl0p was barely active between November and February.

The gang “could have been working on initial intrusion and setting up their victims for weeks in the background, just to reap the fruits of that preparation in one month,” says Max Heinemeyer, VP of cyber innovation at security company Darktrace. “Or they might have pivoted to a particularly successful initial exploitation technique lately, such as a family of vulnerabilities they hadn’t used before which is proving very effective at breaching their victims. They might have attracted further criminals to their operation, thereby helping them scale up.”

Ransomware gang “winding up” its operation?

Alternatively, the “‘data dump’ of 21 victims could be a sign of Clop winding up their existing operations,” argues Brian Higgins, security specialist at Comparitech. “The fact that they were the subject of some real-life law enforcement activity and actual arrests last year, albeit of their exchange network and not any major players, may have scared them off.”

The loss of anonymity resulting from the arrests will have hit Cl0p hard, Higgins says. “The whole point of their criminal model is anonymity and they will no doubt be wondering what other intelligence Interpol was able to gather in the course of its investigation,” he adds. “This could well be a fire sale of their remaining stolen assets, trying to extort as much cash as they can before they disband and pop up again under another name or join different gangs to continue their criminal activities.”

Content from our partners
Unlocking growth through hybrid cloud: 5 key takeaways
How businesses can safeguard themselves on the cyber frontline
How hackers’ tactics are evolving in an increasingly complex landscape

Regardless of motivations, the leaked data shows Cl0p has considerable expertise when it comes to breaching defences, particularly in the industrial sector, Higgins says. “These postings represent actionable intelligence for the sectors involved and anyone who thinks they might be on Cl0p’s radar should think about hardening their defences sooner rather than later,” he adds.

Read more: Ransomware arrests mark progress but the fight isn’t over

Topics in this article :
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.