Clop Resurgence Drives Ransomware Attacks in February
The number of ransomware attacks skyrocketed by 50% from January to February 2025, with the notorious Clop/Cl0p crew dominating the scene, according to NCC Group's latest Threat Pulse report. Over the four-week period from February 1-28, NCC observed a staggering 886 ransomware attacks, up from 590 in January and 403 in February of last year.
Clop's slice of the pie was unusually high, with its share attributed to a mass naming and shaming of victims compromised via two zero-day exploits in the Cleo file transfer software package. The Clop gang is renowned for targeting file transfer services, having orchestrated the mass hack of users of Progress Software's MOVEit service back in 2023.
However, NCC notes that Clop has also been known to exaggerate its claims to garner more attention, so while there's no doubt it's a highly aggressive threat actor, the numbers may have been inflated. Nevertheless, the gang significantly outpaced its nearest rivals, with RansomHub managing 87 attacks, Akira 77, and Play 43.
"Ransomware victim numbers hit record highs in February, surging 50% compared to January 2025, with Cl0p leading the charge," said Matt Hull, NCC threat intelligence head. "Unlike traditional ransomware operations, Cl0p's activity wasn't about encrypting systems – it was about stealing data at scale."
Clop's Cleo attacks were orchestrated through two vulnerabilities tracked as CVE-2024-50623 and CVE-2024-55956. The first of these enables the upload of malicious files to a server that can then be executed to gain remote code execution (RCE). This issue arises from improper handling of file uploads in the Autorun directory, which can be exploited by sending a crafted request to retrieve files or upload malicious ones.
The second enables RCE through Autorun, allowing unauthenticated users to import and execute arbitrary Bash or PowerShell commands on the host using the Autorun directory's default settings. This flaw also enables an attacker to deploy modular Java backdoors to steal data and move laterally. Patches are available for both, but according to NCC, many organizations using Cleo remain vulnerable because of delayed updates or insufficient mitigations.
Amidst the chaos of political unrest, threat actors are focusing on the US, with North America accounting for 65% of observed incidents compared to 18% in Europe and 7% in Asia. Last November's NCC Threat Pulse report reported similar statistics, attributing the high attack volumes to the chaotic geopolitical landscape.
This trend seems only to be gathering pace since President Trump returned to the White House in January 2025, simultaneously ramping up pressure on Iran to curtail its nuclear ambitions and causing a significant breakdown in relations between the US and Ukraine, alongside a thaw in attitudes towards the Russian regime. NCC sees significant opportunities for threat actors in both Iran and Russia to take advantage of rapidly changing American policy.
"We're seeing significant 'opportunities' for threat actors in both Iran and Russia to take advantage of rapidly changing American policy," said Matt Hull. "In Iran's case, it suggests Tehran may well expand its state-backed cyber capabilities and seek closer links to China; while in Europe, the Russian-speaking cyber criminal ecosystem may perhaps ease their targeting of US victims if the thaw continues."
However, for now, Russian-speaking ransomware gangs continue to hammer US targets, with NCC expressing significant concerns over the dramatic government cuts being implemented by the Department of Government Efficiency (DOGE). These efforts, led by tech oligarch Elon Musk, have seen thousands of government workers fired already.
NCC notes that both financially and geopolitically motivated threat actors are likely looking to take advantage of the confusion and disruption caused by these changes. Stress and uncertainty also increase the risk from disruptive attacks and lead to insider threats. Alarmingly, a 19-year-old DOGE employee given high-level access to sensitive government IT systems was found to be a former member of a cyber criminal network known as The Com.
NCC Group urges organizations to take immediate action to protect themselves against these emerging threats and emphasizes the importance of staying vigilant in the face of rapidly evolving ransomware attacks. Stay tuned for more updates on this developing story!