After effectively shutting down its entire operation for several months, between November and February, the Clop ransomware gang is now back, according to NCC Group researchers.
“CL0P had an explosive and unexpected return to the forefront of the ransomware threat landscape, jumping from the least active threat actor in March to the fourth most active in April,” NCC Group said.
This surge in activity was noticed after the ransomware group added 21 new victims to its data leak site within a single month, April.
“There were notable fluctuations in threat actor targeting in April. While Lockbit 2.0 (103 victims) and Conti (45 victims) remain the most prolific threat actors, victims of CL0P increased massively, from 1 to 21,” NCC Group added.
Clop’s most targeted sector was the industrial sector, with 45% of Clop ransomware attacks hitting industrial organizations and 27% targeting tech companies.
Because of this, NCC Group's strategic threat intelligence global lead Matt Hull warned organizations in the ransomware group's most targeted sectors to consider the possibility of being this gang's next target and to prepare accordingly.
However, despite already having leaked data from almost two dozen victims, the ransomware group does not seem very active judging by the number of submissions to the ID Ransomware service.
Part of a shutdown process?
While some of the recent victims are confirmed to be new attacks, one theory is that the Clop gang might finally be shutting down its operation after being inactive for so long.
As part of such a shutdown, the ransomware gang would likely publish the data of all previously unpublished victims.
This is similar to what the Conti group appears to be doing right now as part of their own ongoing shutdown.
Who is Clop?
The lull in the Clop ransomware gang's activity is easily explained by some of its infrastructure being shut down in June 2021, following an international law enforcement operation codenamed Operation Cyclone and coordinated by INTERPOL.