Ransomware gang Cl0p apparently had a busy April, with 21 new victims flagged on its blog. Cybersecurity experts are split on whether this marks the start of a new campaign for the group, or whether it is conducting a “fire sale” of stolen data before it rebrands or disbands altogether.

Cl0p ransomware
Interpol arrested six members of Cl0p last year, but the gang seems to have returned (Photo by FRED DUFOUR/AFP via Getty Images)

Prior to last month Cl0p had been largely dormant, with just one victim listed on the blog. The new activity was spotted by researchers at security company NCC, which notes most of the new victims are industrial businesses. “Organisations within Cl0p’s most targeted sectors – notably industrials and technology, should consider the threat this ransomware presents and be prepared for it,” an NCC report says.

Why has Cl0p had a resurgance?

Cl0p has been active since 2019, and by last year had racked up 57 victims, extorting some $500m. Those targeted included the UK Police National Computer database. But Cl0p’s activity has slowed since the arrests of six of its members in November in Ukraine. The sting was the result of a two-year operation spearheaded by Interpol and seven other national law enforcement agencies.

The NCC report states that the gang has gone from one of the least active threat groups it was tracking in March, to fourth most active in April. Ransomware identification tool ID Ransomware suggests that Cl0p was barely active between November and February.

The gang “could have been working on initial intrusion and setting up their victims for weeks in the background, just to reap the fruits of that preparation in one month,” says Max Heinemeyer, VP of cyber innovation at security company Darktrace. “Or they might have pivoted to a particularly successful initial exploitation technique lately, such as a family of vulnerabilities they hadn’t used before which is proving very effective at breaching their victims. They might have attracted further criminals to their operation, thereby helping them scale up.”

Ransomware gang “winding up” its operation?

Alternatively, the “‘data dump’ of 21 victims could be a sign of Clop winding up their existing operations,” argues Brian Higgins, security specialist at Comparitech. “The fact that they were the subject of some real-life law enforcement activity and actual arrests last year, albeit of their exchange network and not any major players, may have scared them off.”

The loss of anonymity resulting from the arrests will have hit Cl0p hard, Higgins says. “The whole point of their criminal model is anonymity and they will no doubt be wondering what other intelligence Interpol was able to gather in the course of its investigation,” he adds. “This could well be a fire sale of their remaining stolen assets, trying to extort as much cash as they can before they disband and pop up again under another name or join different gangs to continue their criminal activities.”

Regardless of motivations, the leaked data shows Cl0p has considerable expertise when it comes to breaching defences, particularly in the industrial sector, Higgins says. “These postings represent actionable intelligence for the sectors involved and anyone who thinks they might be on Cl0p’s radar should think about hardening their defences sooner rather than later,” he adds.

Read more: Ransomware arrests mark progress but the fight isn’t over