The infamous cybercriminal gang known as Clop has made an unwelcome return, hitting 21 different victims in one month.

After effectively deactivating its whole operation for many months, from November last year to February 2022, the ransomware outfit is now in force once again, according to cybersecurity researchers at the NCC Group.

A spokesperson at the NCC Group commented:

“CL0P had an explosive and unexpected return to the forefront of the ransomware threat landscape, jumping from the least active threat actor in March to the fourth most active in April.”

Rise in ransomware attacks by the Clop gang

This recent surge in activity was observed after the gang added 21 fresh victims to its dedicated data leak site in just one month. The research team at the NCC Group noted that there were many notable changes in threat actor targeting over the month of April. They commented that while major players like Conti and LockBit 2.0 still racked up the most victims, the Clop gang showed a dramatic increase, going from a single victim in March to 21 in April.

Statistics showed that the industrial sector was targeted far more by Clop than any other sector, with a total of 45% of the gang’s ransomware hits aimed at industrial organisations and 27% focused on technology companies.

As a result, NCC Group’s global lead for strategic threat intelligence, Matt Hull, has warned organisations within these sectors to prepare for the possibility that they may be included on the gang’s hitlist.

What is Clop?

The lull in the Clop ransomware group’s activities up until recent months can be explained by a portion of the gang’s infrastructure being closed down in summer last year after a successful global law enforcement operation. Codenamed Operation Cyclone, it was coordinated and spearheaded by INTERPOL, whose teams searched 21 homes in Ukraine’s Kyiv region; six people were consequently arrested by the local authorities on suspicion of providing cash-out and money laundering services for the ransomware gang.

The Clop ransomware group has been operating on an international scale, targeting organisations worldwide with dedicated ransomware attacks since 2019. Maastricht University, Software AG IT, ExecuPharm and Indiabulls are among its selected victims. The gang was also connected to an extensive array of Accellion data breaches, which resulted in a significant increase in the average ransom payment requested in the first quarter of 2021.

During the Accellion attacks, the Clop gang exfiltrated data from major enterprises through the legacy server solution used by Accellion.

The group went on to use this vast hoard of stolen data to apply pressure on the exposed enterprises, prompting them to part with high-price ransom payments in return for their data not being leaked online.

A lengthy list of organisations and educational institutions have been subject to Accellion server hacks by the Clop ransomware gang, including names like Shell, Kroger, Qualys, the University of Colorado, Stanford Medicine, University of Miami, the University of California and University of Maryland Baltimore.