Is Clop Ransomware the New Threat to Watch?
  • Table of contents

The author

user_image
Shmuel Gihon
Share on LinkedIn

Research Team Leader at Cyberint

Table of contents

Related Articles

Research

Nevada Ransomware Campaign

Update from February 10th, 2023: In the early days of this campaign, Nevada was the...
Feb 5, 2023
Learn more
Research

Is Clop Ransomware the New Threat to Watch?

Mar 27, 2023

Clop Ransomware, aka Cl0p, is a ransomware group that emerged in February 2019 and targeted most industries worldwide, including retail, transportation, education, manufacturing, automotive, energy, financial, telecommunications and even healthcare. The clop ransomware group is thought to be a successor of the CryptoMix ransomware group.

The Cyberint Research Team identified an anomaly in Clop Ransomware group’s activity in the past two weeks. It seems that Clop was able to claim an explosive amount of victims worldwide, a total of 98 victims. If we compare it to LockBit3.0, the leader in the ransomware industry, which claimed 51 victims in the past two weeks, it’s almost double.

Recent Stats

Currently, Clop Ransomware is focusing its efforts on several sectors: Business Services, Software, Retail, Manufacturing and Transportation (Figure 1).

Clop ransomware’s Top 10 targeted sectors
Figure 1: Clop’s Top 10 targeted sectors

Regarding their regional activity, it seems that Clop Ransomware’s most targeted region is North America with 53 cases, amounting to 54% of the total cases (Figure 2).

Clop Ransomware's attacks by region
Figure 2: Clop Ransomware’s Attacks by Region

The Effect of Hive Ransomware’s Shutdown?

The significant rise of Clop Ransomware’s activity raises many questions. One of the most interesting ones is whether there is a chance that Hive Ransomware’s former members joined Clop Ransomware’s group and brought with them tools and techniques that improved their products.

Although there is no solid evidence that links former Hive Ransomware’s members to Clop Ransomware, it’s fairly possible that after Hive Ransomware’s shutdown, some of the members looked for a new home. Two months after going off-grid, they found it with Clop Ransomware.

Conclusions

Clop is a well-known veteran ransomware group that has been active for years.

Currently, they are in the middle of a massively successful campaign. They’ve claimed 98 victims in just two weeks.

Although the assumption is that this momentum will fade eventually, if the speculations of Hive Ransomware joining the group are true, this might be just the beginning. We might see Clop Ransomware entering the top three ransomwares to watch and becoming a real competitor to LockBit 3.0.

Uncover your compromised credentials from the deep and dark web

Fill in your business email to start