{
	"id": "72a66c0c-e714-46d3-abca-15392bd59526",
	"created_at": "2026-04-06T00:11:07.223242Z",
	"updated_at": "2026-04-10T03:20:45.46154Z",
	"deleted_at": null,
	"sha1_hash": "4b9e4ed245ac73e581389b8b3f7f9f87026d23d9",
	"title": "CL0P and REvil Escalate Their Ransomware Tactics",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53440,
	"plain_text": "CL0P and REvil Escalate Their Ransomware Tactics\r\nBy Flashpoint Intel Team\r\nPublished: 2021-03-11 · Archived: 2026-04-05 16:48:59 UTC\r\nOver the past several weeks, Flashpoint has observed increased activity from the ransomware groups REvil and Clop (also known as CL0P). By adding new attack capabilities and more aggressive extortion techniques, both groups are rapidly extending their ransomware arsenals in what appears to be an escalation of both ransomware attacks and tactics.\r\nCL0P Ransomware Homes In on Accellion Breach Victims\r\nMost recently, on March 8, 2021, CL0P began extorting a new victim, Flagstar Bank, by posting its data to the CL0P ransomware blog. The post included samples of presumed Flagstar Bank customer and employee information, including names, partial SSNs, and physical and email addresses.\r\nCL0P signaled that the email addresses and other personally identifiable information (PII) it posted were for sale, and that it would entertain offers either to purchase the data directly or to pay for its deletion from the CL0P site.\r\nFollowing CL0P Doxxing, Flagstar Bank Announces Unlinked Data Breach\r\nLater that day, Flagstar Bank issued a statement on its website describing a vulnerability, likely the one exploited in this incident, in the file-sharing platform of its third-party vendor Accellion; Flagstar also disclosed that some of its data had been exposed as a result. The extent of the Accellion breach, already blamed for other major incidents such as the breach of the law firm Jones Day, continues to unfold with this news.\r\nCL0P’s Multi-Pronged Extortion Ransomware to Catch On Fast\r\nAlthough it is common practice for extortionist ransomware groups to exfiltrate large swaths of data before deploying their encryption malware, the primary objective has historically been to prove to the victim the extent of the group’s compromise. In these historical cases, the data is taken in a “snatch and grab” manner, with no consideration given to the stolen data’s value or type. Similarly, little or no forethought is given to selecting the sample data that the group posts to its blog.\r\nInterestingly, in the Flagstar Bank case there was no apparent or acknowledged lockdown of the bank’s IT environment, so by definition no ransomware attack occurred. However, given the sensitive and valuable nature of the Flagstar data that CL0P posted to its blog, CL0P was clearly at least moderately successful in its intrusion. By repurposing the exfiltrated data for non-ransomware extortion of the same victim (sale of the data, and payment for its deletion), CL0P extracted additional value from the data and furthered its monetization goals.\r\nFlashpoint expects other ransomware groups to quickly adopt CL0P’s multi-pronged extortion strategy, given the relatively minor effort required to repurpose data that has already been stolen.\r\nhttps://www.flashpoint-intel.com/blog/cl0p-and-revil-escalate-their-ransomware-tactics/\r\nPage 1 of 2\r\nREvil Adds DDoS and Phoning to Ransomware Arsenal\r\nOn February 25, 2021, the REvil spokesperson operating under the alias “Unknown” on the top-tier Russian-language cybercrime forums XSS and Exploit announced that the group was actively looking for new partners to provide English-language negotiations, distributed denial-of-service (DDoS) attacks, and access to “tier 1” networks belonging to companies with revenue greater than $1 billion USD.\r\nTwo weeks later, on March 4, 2021, the REvil spokesperson announced another round of new capabilities, this time aimed at improving affiliates’ ability to pressure victims into paying the ransom. These new capabilities included network-layer (L3) and application-layer (L7) DDoS attacks in “test mode” and the ability to place anonymized phone calls to victims’ business associates and the media.\r\nSpecifically, the REvil spokesperson announced the following on XSS [translated from Russian]:\r\n“We now have the opportunity to check your networks (calls to the media, counter agents of companies) to exert maximum pressure. In order to do this, you have to indicate the domain of the company in the description of the network, who does it communicate with, and so on. You can also add contacts for spam and checking (phone numbers) to the chat.”\r\nREvil Keeps Pace with Competitor Collectives\r\nWhile these extortion tactics are new for REvil, competing ransomware collectives have long offered them. For instance, the Avaddon and Suncrypt ransomware groups currently use DDoS as part of their TTPs, and the now-defunct Maze group and several others are known to cold-call victims to ratchet up extortion pressure.\r\nTry Flashpoint’s Expanded Ransomware Libraries and Response Services\r\nWith Flashpoint Ransomware Readiness and Response, we prepare enterprise customers worldwide to face ransomware attacks and actively support them as live incidents unfold.\r\nSign up for a risk-free 90-day trial and see Flashpoint Intelligence in action, including our recently expanded ransomware threat libraries with more data and new ways to explore and analyze targeted threats. Equipped with Flashpoint, you’ll leap ahead of ransomware attacks and the cybercriminal groups who execute them.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.flashpoint-intel.com/blog/cl0p-and-revil-escalate-their-ransomware-tactics/"
	],
	"report_names": [
		"cl0p-and-revil-escalate-their-ransomware-tactics"
	],
	"threat_actors": [],
	"ts_created_at": 1775434267,
	"ts_updated_at": 1775791245,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4b9e4ed245ac73e581389b8b3f7f9f87026d23d9.pdf",
		"text": "https://archive.orkl.eu/4b9e4ed245ac73e581389b8b3f7f9f87026d23d9.txt",
		"img": "https://archive.orkl.eu/4b9e4ed245ac73e581389b8b3f7f9f87026d23d9.jpg"
	}
}