
Widespread CL0P Ransomware Attacks Disrupt Telecommunications and Healthcare


The CL0P ransomware group, a notorious cybercriminal organization active since 2019, has launched a new wave of attacks targeting key sectors such as telecommunications and healthcare.

Leveraging a zero-day vulnerability in Cleo software products, the group has compromised sensitive data from numerous organizations worldwide.

This resurgence marks a significant escalation in ransomware activity, with over 80 attacks recorded in February 2025 alone.

Exploitation of Cleo Vulnerability

The recent attacks stem from a critical zero-day vulnerability (CVE-2024-50623) discovered in Cleo LexiCom, VLTrader, and Harmony products.

This flaw enables remote file uploads and downloads, leading to unauthorized code execution.

Despite the release of a patch (version 5.8.0.21), researchers warn that the fix may be bypassed, leaving thousands of organizations at risk.

Huntress Labs has confirmed active exploitation of this vulnerability, demonstrating its potential to facilitate widespread breaches.
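As an added illustration of the patch-status check a defender would run after reading the above (this is not code from the article, from Cleo or from Huntress): a small Python triage script that compares the version reported by each Cleo LexiCom, VLTrader or Harmony host against the 5.8.0.21 build named in the article. Because the article notes the fix may be bypassed, hosts at or above that build are reported as "patched-monitor" rather than as safe. The inventory, host names and version strings are constructed for the example.

```python
"""Triage a Cleo host inventory against the patched build named in the article.

Added example, not from the article or from Cleo. PATCHED_VERSION is the
5.8.0.21 figure quoted above; SAMPLE_INVENTORY is constructed sample data.
"""
from typing import List, Optional, Tuple

PATCHED_VERSION = "5.8.0.21"
AFFECTED_PRODUCTS = {"LexiCom", "VLTrader", "Harmony"}


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '5.8.0.21' into (5, 8, 0, 21); return None for malformed strings."""
    try:
        return tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        return None


def is_patched(version: str) -> Optional[bool]:
    """True if version >= PATCHED_VERSION, False if below, None if unparseable."""
    v = parse_version(version)
    ref = parse_version(PATCHED_VERSION)
    if v is None or ref is None:
        return None
    # Pad the shorter tuple with zeros so '5.8' compares as '5.8.0.0'.
    width = max(len(v), len(ref))
    v = v + (0,) * (width - len(v))
    ref = ref + (0,) * (width - len(ref))
    return v >= ref


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, version, status) for every host running an affected product.

    status is 'vulnerable' (below the patched build), 'patched-monitor' (at or
    above it, but still worth watching given the reported bypass) or
    'unknown-version' (version string could not be parsed; review manually).
    """
    findings = []
    for host, product, version in inventory:
        if product not in AFFECTED_PRODUCTS:
            continue  # not a Cleo MFT product; out of scope for this check
        state = is_patched(version)
        if state is None:
            status = "unknown-version"
        elif state:
            status = "patched-monitor"
        else:
            status = "vulnerable"
        findings.append((host, product, version, status))
    return findings


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("mft-01.example.internal", "Harmony", "5.8.0.19"),
    ("mft-02.example.internal", "VLTrader", "5.8.0.21"),
    ("mft-03.example.internal", "LexiCom", "5.8.0.24"),
    ("edi-gw.example.internal", "LexiCom", "unknown"),
    ("web-01.example.internal", "nginx", "1.24.0"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(*row, sep="\t")
```

Feed `triage()` the host/product/version triples from whatever asset inventory you already keep; anything reported as "vulnerable" or "unknown-version" is the priority list, and "patched-monitor" hosts still belong in the endpoint-monitoring scope the article recommends later.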

CL0P has reportedly exploited this flaw to infiltrate systems running Cleo’s software, stealing data from numerous companies reliant on it.

The group has already listed 66 affected organizations on its data leak site (DLS), threatening to expose more victims unless ransom demands are met.

According to Cyberint, these companies represent only a fraction of the total number impacted, as Cleo’s software is used by over 4,000 organizations globally.

Sophisticated Tactics and Escalating Threats

CL0P employs a well-coordinated attack strategy involving data theft, encryption, and extortion.

Once inside a network, the group exfiltrates sensitive information including financial records, intellectual property, and customer data before deploying ransomware to encrypt files.

Victims are then presented with ransom notes containing secure chat links for negotiation and warnings of public data leaks if demands are ignored.

Example data leak

The group’s tactics have evolved significantly over time.

Recent campaigns have exploited vulnerabilities in widely used file-transfer platforms such as MOVEit Transfer and Accellion FTA to target high-profile entities across industries.

In addition to exploiting software flaws, CL0P uses phishing campaigns and lateral movement techniques to gain access to victim networks.

The latest wave of attacks has disproportionately affected critical sectors such as telecommunications and healthcare, both of which handle vast amounts of sensitive data.

The disruption caused by these breaches extends beyond financial losses; it jeopardizes patient care and communication infrastructure on a global scale.

In response to these escalating threats, cybersecurity experts emphasize the importance of robust patch management practices, endpoint monitoring for suspicious activities, and adherence to the principle of least privilege (POLP).

Organizations are also urged to maintain offline backups and implement network segmentation to limit the spread of ransomware within their systems.

The resurgence of CL0P highlights the persistent threat posed by ransomware groups exploiting zero-day vulnerabilities.

Their ability to breach one organization and leverage it to target others underscores the need for proactive cybersecurity measures across industries.

As CL0P continues its campaign, vigilance and swift action remain critical in mitigating the impact of these attacks on essential sectors worldwide.
