Back to business: Cl0p ransomware gang is back

Updated on: 27 May 2022

Vilius Petkauskas
Deputy Editor

The initial shock of geopolitical changes fizzles as ransomware gangs come back to life in full force.

Russia's war in Ukraine, launched on 24 February, sent shockwaves throughout the cyber underworld. It's hardly a secret that Russia has long been a safe haven for ransomware gangs, with some gang members residing in Ukraine.

However, a fresh report from the NCC Group hints at a 'business-as-usual' trend. For example, the Cl0p ransomware gang, the least active cartel of the prominent ones in March, was among the most active only a month later.

The change in the number of victims was drastic: from a single victim in March to 21 in April. Similarly to other notorious ransomware families, Conti and Lockbit, Cl0p has set its sight on the industrial and technology sectors.

"The increase in Cl0p's activity seems to suggest they have returned to the threat landscape. Organizations within CL0P's most targeted sectors – notably industrials and technology – should consider the threat this ransomware group presents, and be prepared for it," Matt Hull, global lead for strategic threat intelligence at NCC Group, said.

Researchers at DarkOwl also noted that Cl0P came back to life after a relatively quiet March.

The resurgence might indicate that the group had recovered from a major blow to its reputation last year when Ukrainian police uncovered several Cl0p-affiliated hackers and conducted numerous searches.

Recent reports also indicate that another Russia-based ransomware group, REvil, might be back with a different approach to ransomware. However, while REvil was pronounced 'dead' for some time, Cl0p remained active.

'Cl0p' ransomware group is considered a 'big game hunter' attacker due to their volume. The group and its affiliates are credited to have carried out attacks against oil giant Shell, US bank Flagstar, Samsung, Nvidia, and others.

The group is a member of a larger conglomerate named 'TA505', and groups like 'F1N11' use ransomware 'Cl0p' developed malicious software.