Month by month, the number of ransomware attacks rose 50% from January 2025 to February, with just under 40% of them attributable to the resurging Clop/Cl0p crew, according to NCC Group’s latest monthly Threat Pulse report.

During the four weeks from 1 to 28 February, NCC observed 886 ransomware attacks, up from 590 in January and 403 this time last year. It said Clop’s slice of the pie was “unusually” high as a direct result of a mass naming and shaming of victims compromised via a pair of zero-day exploits in the Cleo file transfer software package.

As cyber criminal watchers will know, the Clop gang is renowned for seeking out and exploiting file transfer services, having orchestrated the mass hack of users of Progress Software’s MOVEit service back in 2023 – which had a similar effect at the time.

However, said NCC, Clop has also been known to exaggerate its claims to garner more attention, so although there is no doubt it is a highly aggressive threat actor, the numbers may have been manipulated.

Nevertheless, the gang significantly outpaced its nearest rivals, with RansomHub managing 87 attacks, Akira 77 and Play 43.

“Ransomware victim numbers hit record highs in February, surging 50% compared with January 2025, with Cl0p leading the charge,” said NCC threat intelligence head Matt Hull. “Unlike traditional ransomware operations, Cl0p’s activity wasn’t about encrypting systems – it was about stealing data at scale.

“By exploiting unpatched vulnerabilities in widely used file transfer software, much like we saw with MOVEit and GoAnywhere, they were able to exfiltrate sensitive information and will now start to pressure victims into paying. This shift towards data theft and extortion is becoming the go-to strategy for ransomware groups, allowing them to target more organisations and maximise their leverage over victims,” he added.

Clop’s Cleo attacks were orchestrated through two common vulnerabilities and exposures (CVEs) tracked as CVE-2024-50623 and CVE-2024-55956.

The first of these enables the upload of malicious files to a server, which can then be executed to gain remote code execution (RCE). The issue arises from improper handling of file uploads in the Autorun directory, which can be exploited by sending a crafted request to retrieve files or to upload malicious ones.

The second enables RCE through Autorun, allowing unauthenticated users to import and execute arbitrary Bash or PowerShell commands on the host using the Autorun directory’s default settings. The flaw also enables an attacker to deploy modular Java backdoors to steal data and move laterally.

Patches are available for both, but according to NCC, many organisations using Cleo remain vulnerable thanks to delayed updates or insufficient mitigations.
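A defensive check tied to the mechanism described above (files written into the Autorun directory are executed by the host): the Python below is an added example, not code from NCC Group, Cleo or this article. It baselines an Autorun directory by file hash and reports anything added, removed or altered since, so that a file nobody placed there stands out before it runs. The directory location, demo file names and their contents are constructed for the example and are not real Cleo paths.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large uploads need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(directory: Path) -> dict[str, str]:
    """Record every regular file under the directory (relative path -> SHA-256)."""
    return {
        str(p.relative_to(directory)): sha256_of(p)
        for p in sorted(directory.rglob("*"))
        if p.is_file()
    }


def audit_autorun(directory: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Diff the live directory against the baseline. Because the host executes
    whatever lands here, every 'added' or 'modified' entry deserves a look."""
    current = build_baseline(directory)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in current.keys() & baseline.keys()
                           if current[k] != baseline[k]),
    }


def demo_scenario() -> dict[str, list[str]]:
    """Constructed sample: baseline a temporary directory standing in for the
    Autorun directory (assumed path), then drop a new file and alter a known one,
    the kind of change an unauthenticated upload would leave behind."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "existing.cmd").write_text("echo baseline\n")
    baseline = build_baseline(tmp)
    (tmp / "unexpected.sh").write_text("#!/bin/sh\necho not-in-baseline\n")
    (tmp / "existing.cmd").write_text("echo tampered\n")
    return audit_autorun(tmp, baseline)


if __name__ == "__main__":
    print(demo_scenario())
```

In practice the baseline would be taken right after patching and stored off-host, with the audit run on a schedule and its "added"/"modified" output fed to the SIEM.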