{
	"id": "58245add-8504-491e-b858-057c436b75d0",
	"created_at": "2026-04-06T00:11:59.174242Z",
	"updated_at": "2026-04-10T13:11:24.565852Z",
	"deleted_at": null,
	"sha1_hash": "e7d9d2330c3e0e5b6a6295e0cdce93cc1d12f7fb",
	"title": "Clop ransomware gang is back, hits 21 victims in a single month",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4001068,
	"plain_text": "Clop ransomware gang is back, hits 21 victims in a single month\r\nBy Sergiu Gatlan\r\nPublished: 2022-05-28 · Archived: 2026-04-05 16:50:52 UTC\r\nAfter effectively shutting down their entire operation for several months, between November and February, the Clop\r\nransomware is now back, according to NCC Group researchers.\r\n\"CL0P had an explosive and unexpected return to the forefront of the ransomware threat landscape, jumping from the least\r\nactive threat actor in March to the fourth most active in April,\" NCC Group said.\r\nThis surge in activity was noticed after the ransomware group added 21 new victims to their data leak site within a single\r\nmonth, in April.\r\n\"There were notable fluctuations in threat actor targeting in April. 
While Lockbit 2.0 (103 victims) and Conti (45 victims)\r\nremain the most prolific threat actors, victims of CL0P increased massively, from 1 to 21,\" NCC Group added.\r\nClop's most targeted sector was the industrial sector, with 45% of Clop ransomware attacks hitting industrial organizations\r\nand 27% targeting tech companies.\r\nBecause of this, NCC Group's strategic threat intelligence global lead Matt Hull warned orgs within the ransomware group's\r\nmost targeted sectors to consider the possibility of being this gang's next target and prepare accordingly.\r\nHowever, despite already leaking data from almost two dozen victims, the ransomware group doesn't seem very active based\r\non the number of submissions on the ID Ransomware service.\r\nClop ransomware activity (ID Ransomware)\r\nPart of a shutdown process?\r\nWhile some of the recent victims are confirmed to be new attacks, one theory is that the Clop gang might finally be shutting\r\ndown their operation after being inactive for so long.\r\nAs part of this process, the ransomware gang would likely publish the data of all previously unpublished victims.\r\nThis is similar to what the Conti group appears to be doing right now as part of their own ongoing shutdown.\r\nWhether these are old or new victims will likely be confirmed if they release breach notifications or publish confirmations\r\n(some of them have already done it).\r\nWho is Clop?\r\nThe Clop ransomware gang's activity lull is easily explained by some of its infrastructure getting shut down in June 2021\r\nfollowing an international law enforcement operation codenamed Operation Cyclone coordinated by the INTERPOL.\r\nSix individuals suspected of laundering money and providing cash-out services for the Clop ransomware gang were arrested\r\nby Ukrainian authorities after 21 home searches in the Kyiv region.\r\n\"The overall impact to CLOP is expected to be minor,\" cybersecurity company Intel 471 told BleepingComputer.\r\nWhile targeting 
victims worldwide in ransomware attacks since at least 2019 (some of its victims include Maastricht\r\nUniversity, Software AG IT, ExecuPharm, and Indiabulls), the Clop gang was also linked to a massive wave of Accellion\r\ndata breaches leading to a substantial increase in average ransom payments for the first three months of 2021.\r\nIn the Accellion attacks, Clop's operators only exfiltrated large amounts of data from high-profile companies using\r\nAccellion's legacy File Transfer Appliance (FTA).\r\nThe gang later used this stolen data as leverage to extort the compromised companies, forcing them to pay high ransom\r\ndemands not to have their data leaked online.\r\nThe list of companies that had their Accellion FTA servers hacked by Clop includes, among others, energy giant Shell,\r\ncybersecurity firm Qualys, supermarket giant Kroger, and multiple universities worldwide (the University of Colorado,\r\nUniversity of Miami, Stanford Medicine, University of Maryland Baltimore (UMB), and the University of California.)\r\nSource: https://www.bleepingcomputer.com/news/security/clop-ransomware-gang-is-back-hits-21-victims-in-a-single-month/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/clop-ransomware-gang-is-back-hits-21-victims-in-a-single-month/"
	],
	"report_names": [
		"clop-ransomware-gang-is-back-hits-21-victims-in-a-single-month"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1db21349-11d6-4e57-805c-fb1e23a8acab",
			"created_at": "2022-10-25T16:07:23.630365Z",
			"updated_at": "2026-04-10T02:00:04.694622Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"Chubby Scorpius",
				"DEV-0950",
				"Lace Tempest",
				"Operation Cyclone"
			],
			"source_name": "ETDA:FIN11",
			"tools": [
				"AZORult",
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"BLUESTEAL",
				"Cl0p",
				"EMASTEAL",
				"FLOWERPIPE",
				"FORKBEARD",
				"FRIENDSPEAK",
				"FlawedAmmyy",
				"GazGolder",
				"Get2",
				"GetandGo",
				"JESTBOT",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MINEDOOR",
				"MIXLABEL",
				"Meterpreter",
				"NAILGUN",
				"POPFLASH",
				"PuffStealer",
				"Rultazo",
				"SALTLICK",
				"SCRAPMINT",
				"SHORTBENCH",
				"SLOWROLL",
				"SPOONBEARD",
				"TiniMet",
				"TinyMet",
				"VIDAR",
				"Vidar Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434319,
	"ts_updated_at": 1775826684,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e7d9d2330c3e0e5b6a6295e0cdce93cc1d12f7fb.pdf",
		"text": "https://archive.orkl.eu/e7d9d2330c3e0e5b6a6295e0cdce93cc1d12f7fb.txt",
		"img": "https://archive.orkl.eu/e7d9d2330c3e0e5b6a6295e0cdce93cc1d12f7fb.jpg"
	}
}