Clop resurgence drives ransomware attacks in February | Computer Weekly

By Computer Weekly
March 19, 2025
The number of ransomware attacks rose 50% from January 2025 to February, with just under 40% of them attributable to the resurgent Clop/Cl0p crew, according to NCC Group’s latest monthly Threat pulse report.

During the four weeks from 1 to 28 February, NCC observed 886 ransomware attacks, up from 590 in January and 403 this time last year. It said Clop’s slice of the pie was “unusually” high as a direct result of a mass naming and shaming of victims compromised via a pair of zero-day exploits in the Cleo file transfer software package.

As cyber criminal watchers will know, the Clop gang is renowned for seeking out and exploiting file transfer services, having orchestrated the mass hack of users of Progress Software’s MOVEit file transfer product back in 2023 – a campaign that produced a similar spike in victim numbers at the time.

However, said NCC, Clop has also been known to exaggerate its claims to garner more attention, so although there is no doubt it is a highly aggressive threat actor, the numbers may have been manipulated.

Nevertheless, the gang significantly outpaced its nearest rivals, with RansomHub managing 87 attacks, Akira 77 and Play 43.

“Ransomware victim numbers hit record highs in February, surging 50% compared with January 2025, with Cl0p leading the charge,” said NCC threat intelligence head Matt Hull. “Unlike traditional ransomware operations, Cl0p’s activity wasn’t about encrypting systems – it was about stealing data at scale.

“By exploiting unpatched vulnerabilities in widely used file transfer software, much like we saw with MoveIT and GoAnywhere, they were able to exfiltrate sensitive information and will now start to pressure victims into paying. This shift towards data theft and extortion is becoming the go-to strategy for ransomware groups, allowing them to target more organisations and maximise their leverage over victims,” he added.

Clop’s Cleo attacks exploited two vulnerabilities, tracked as CVE-2024-50623 and CVE-2024-55956.

The first of these enables the upload of malicious files to a server that can then be executed to gain remote code execution (RCE). The issue arises from improper handling of file uploads involving the Autorun directory, and can be exploited by sending a crafted request to retrieve files from the server or to upload malicious ones.

The second enables RCE through Autorun, allowing unauthenticated users to import and execute arbitrary Bash or PowerShell commands on the host using the Autorun directory’s default settings. The flaw also enables an attacker to deploy modular Java backdoors to steal data and move laterally.

Patches are available for both, but according to NCC, many organisations using Cleo remain vulnerable thanks to delayed updates or insufficient mitigations.
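The paragraphs above describe what the two Cleo flaws do but not how an administrator would decide which hosts still need attention. The following is an added triage example, written for this page and not code from Cleo, NCC Group or the article: it takes a constructed inventory of Cleo Harmony/VLTrader/LexiCom hosts and reports which of the two CVEs each one is still exposed to and whether the Autorun directory feature abused by CVE-2024-55956 is still enabled. It assumes that 5.8.0.21 was the release that addressed only CVE-2024-50623 and was later bypassed, that 5.8.0.24 is the release that closes both CVEs, and that an empty Autorun Directory setting means the feature is off (the published interim mitigation). Verify the version numbers against the current vendor advisory before relying on them; the host names and paths are constructed.

```python
# Added example, not Cleo's code and not from the article: triage a fleet of
# Cleo file transfer hosts against CVE-2024-50623 and CVE-2024-55956.
#
# Assumptions (verify against the vendor advisory): 5.8.0.21 fixed only
# CVE-2024-50623 and was bypassed; 5.8.0.24 fixes both. "autorun_dir" models
# the product's Autorun Directory setting; "" is treated as "feature disabled".
from dataclasses import dataclass, field

INTERIM_FIX = (5, 8, 0, 21)  # assumed: closes CVE-2024-50623 only
FULL_FIX = (5, 8, 0, 24)     # assumed: closes both CVEs


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Turn '5.8.0.21' (or a shorter '5.8') into a 4-tuple for ordered comparison."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts) or len(parts) > 4:
        raise ValueError(f"unrecognised Cleo version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return nums[0], nums[1], nums[2], nums[3]


@dataclass
class CleoHost:
    name: str
    version: str
    autorun_dir: str = ""  # modelled Autorun Directory setting; "" = disabled


@dataclass
class Finding:
    host: str
    cves: list[str] = field(default_factory=list)
    autorun_enabled: bool = False
    action: str = "no action"


def assess(host: CleoHost) -> Finding:
    """Map a host's version and autorun setting to outstanding CVEs and an action."""
    v = parse_version(host.version)
    f = Finding(host=host.name, autorun_enabled=bool(host.autorun_dir.strip()))
    if v < INTERIM_FIX:
        f.cves = ["CVE-2024-50623", "CVE-2024-55956"]
    elif v < FULL_FIX:
        f.cves = ["CVE-2024-55956"]  # on the interim build: the bypass still applies
    if f.cves and f.autorun_enabled:
        f.action = "upgrade now; clear the Autorun directory setting until then"
    elif f.cves:
        f.action = "upgrade now (autorun already disabled, exposure reduced)"
    elif f.autorun_enabled:
        f.action = "patched; keep autorun disabled unless a workflow needs it"
    return f


def assess_fleet(hosts: list[CleoHost]) -> list[Finding]:
    """Return findings for hosts that need attention, worst exposure first."""
    results = [assess(h) for h in hosts]
    results.sort(key=lambda r: (len(r.cves), r.autorun_enabled), reverse=True)
    return [r for r in results if r.action != "no action"]


# Constructed sample inventory (not real hosts).
SAMPLE_FLEET = [
    CleoHost("mft-01", "5.8.0.20", r"C:\Cleo\Harmony\autorun"),
    CleoHost("mft-02", "5.8.0.21", ""),
    CleoHost("mft-03", "5.8.0.24", "/opt/cleo/autorun"),
    CleoHost("mft-04", "5.8.0.24", ""),
]

if __name__ == "__main__":
    for r in assess_fleet(SAMPLE_FLEET):
        print(f"{r.host}: {', '.join(r.cves) or 'no CVE'}; "
              f"autorun={'on' if r.autorun_enabled else 'off'}; {r.action}")
```

The point of separating the two thresholds is the one NCC makes about "insufficient mitigations": a host that took the first patch and stopped is still exposed to the second flaw, and a host that is fully patched but left the Autorun directory enabled keeps the feature that both campaigns relied on. Feed the script your real inventory export in place of SAMPLE_FLEET.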

Amid political chaos, threat actors focus on the US

Notable in NCC’s data this month was the extent to which ransomware attacks are affecting targets in the US – with North America accounting for 65% of observed incidents compared with 18% in Europe and 7% in Asia.

Last November, the NCC Threat pulse report reported similar statistics and attributed the high attack volumes to the chaotic geopolitical landscape.

This trend seems only to be gathering pace since President Trump returned to the White House in January 2025, simultaneously ramping up pressure on Iran to curtail its nuclear ambitions and causing a significant breakdown in relations between the US and Ukraine, alongside a thaw in attitudes to the Russian regime.

NCC said it saw significant “opportunities” for threat actors in both Iran and Russia to take advantage of rapidly changing American policy – in Iran’s case, it suggested Tehran may well expand its state-backed cyber capabilities and seek closer links to China; while in Europe, the Russian-speaking cyber criminal ecosystem may perhaps ease their targeting of US victims if the thaw continues.

But for now, Russian-speaking ransomware gangs continue to hammer US targets and, in the short-term, NCC said it saw significant concerns over the dramatic government cuts being implemented by the Department of Government Efficiency (DOGE). Billed by Trump in part as an attack on wasteful spending by Washington DC, these efforts, led by tech oligarch Elon Musk, have seen thousands of government workers fired already.

NCC said that both financially and geopolitically motivated threat actors were likely looking to take advantage of the confusion and disruption, which has likely led to significant deviation from normal cyber standards and processes in the federal government. Stress and uncertainty also increase the risk from disruptive attacks and lead to insider threats.

Alarmingly, a 19-year-old DOGE employee given high-level access to sensitive government IT systems was also found to be a former member of a cyber criminal network known as The Com.

NCC noted that the US House Committee on Oversight and Government Reform had called for the cessation of DOGE activities and warned of “reckless disregard of critical cyber security practices”.



Copyright © 2025 | Powered By Porpholio