
CL0P Ransomware resurfaces, targeting telecom and healthcare sectors

The notorious CL0P ransomware group launched a new wave of attacks in early 2025, exploiting zero-day vulnerabilities to target telecommunications and healthcare organizations. With over 80 attacks in February alone, the group is intensifying its operations after a quieter 2024.

 

What happened

The notorious cybercriminal group CL0P has intensified its ransomware campaigns, with over 80 attacks reported in February alone. The group is leveraging newly discovered vulnerabilities—most notably CVE-2024-50623—to gain unauthorized access to enterprise systems.

A significant portion of these attacks stems from exploitation of CVE-2024-50623 in Cleo's managed file transfer products (LexiCom, VLTrader, and Harmony), which let attackers exfiltrate sensitive data before demanding ransom payments. CL0P then listed 66 organizations on its data leak site (DLS), warning victims to comply within 48 hours or risk public exposure of the stolen data.

Despite patches being released for the affected products, security experts caution that a fix can itself be bypassed, so organizations that applied only the first patch may still be exposed and should confirm they are running the latest fixed version.

 

What was said

Cybersecurity researcher Yutaka Sejiyama warned that "partial company names revealed by CL0P can often be cross-referenced with exposed Cleo servers to identify victims." Cyberint also noted that this strategy "amplifies the pressure on organizations to meet ransom demands."

 

Going deeper

CL0P's attack methods follow a well-established pattern of steal, encrypt, and leak. The group gains access through vulnerabilities or phishing campaigns, conducts reconnaissance to identify valuable data, exfiltrates it, and then deploys ransomware. Victims receive ransom notes demanding payment in exchange for the stolen data not being published. In a shift from hosting leaks only on its own site, CL0P has started using torrent-based distribution to release stolen data, which makes takedown far harder because the files are replicated across many peers rather than served from a single host.

 

By the numbers

  • 80+ attacks in February 2025 alone
  • 66 companies listed on CL0P’s data leak site after the Cleo breach
  • 384 breaches attributed to CL0P in 2023, compared to 27 in 2024

 

In the know

Telecom and healthcare providers are particularly vulnerable due to their reliance on interconnected systems and sensitive data. Healthcare breaches can disrupt patient care, while telecom attacks compromise extensive customer databases and critical infrastructure.

 

Why it matters

CL0P's resurgence is a reminder of how rapidly cybercriminals can evolve their strategies and the vulnerabilities they exploit. By targeting telecom and healthcare sectors, CL0P is not just stealing data; it is threatening industries vital to national security and public health. For healthcare organizations, a breach can delay life-saving treatments or expose patients' personal health information, while telecom attacks can cripple communication infrastructure for millions of users. The exploitation of a zero-day in widely deployed file transfer software such as Cleo's shows how a single third-party product can become an entry point into many organizations at once, and CL0P's growing use of torrent-based leaks raises the cost of a slow response. Because an initial fix can itself be bypassed, organizations cannot rely solely on applying the first available patch; they need to verify that the latest fixed version is installed, limit the internet exposure of file transfer systems, and monitor those systems for signs of compromise.

 

FAQs

What is a zero-day exploit?

A zero-day exploit takes advantage of a vulnerability for which the vendor has not yet released a patch (the vendor has had "zero days" to fix it), so attackers can compromise systems before defenders have any fix to apply.

 

What is a torrent-based data leak?

A torrent-based data leak refers to the method CL0P uses to release stolen data via peer-to-peer file-sharing technology. Because copies are distributed across many peers rather than hosted on a single server, there is no one location that authorities or hosting providers can take down to remove the leaked data.

 

What can organizations do to protect themselves from CL0P attacks?

Organizations should prioritize patch management, endpoint monitoring, and disaster recovery planning. For third-party products such as managed file transfer software, that means verifying that the latest fixed version, not merely the first patch, is installed, and limiting those systems' exposure to the internet. They must also stay alert to phishing campaigns and regularly review third-party software for vulnerabilities.
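As an added illustration (this is not code from the article or from Cleo), the following Python flags installs of a third-party product that sit below the vendor's latest fixed build, rating internet-exposed hosts as critical. It is written for the Cleo case above: a host still on the first patch level fails the check, which is exactly the situation the article warns about when a fix is bypassed. The product names come from the article; the threshold versions, the Install type, and the inventory records are assumptions constructed for the example and must be replaced with values from the vendor advisory and your own asset inventory.

```python
"""Flag third-party installs that are below the vendor's latest fixed build.

Added example for this article, not vendor tooling. The inventory and the
threshold versions below are constructed placeholders, not data from the article.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Install:
    host: str
    product: str
    version: str
    internet_exposed: bool


# ASSUMPTION: placeholder "latest fixed build" per product. Take the real values
# from Cleo's advisory; the point is to compare against the latest fix, not the
# first patch, because the first patch may have been bypassed.
MIN_FIXED_VERSION = {
    "LexiCom": "5.8.0.24",
    "VLTrader": "5.8.0.24",
    "Harmony": "5.8.0.24",
}


def parse_version(version: str) -> tuple:
    """Turn '5.8.0.21' into (5, 8, 0, 21) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_below(version: str, minimum: str) -> bool:
    """True if `version` is older than `minimum`; shorter strings are zero-padded."""
    a, b = parse_version(version), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def triage(inventory, min_fixed=MIN_FIXED_VERSION):
    """Return (host, product, version, severity) for every install below its threshold.

    Products without a threshold are skipped. Internet-exposed hosts are rated
    critical and sorted first; internal hosts are rated high.
    """
    findings = []
    for item in inventory:
        threshold = min_fixed.get(item.product)
        if threshold is None or not is_below(item.version, threshold):
            continue
        severity = "critical" if item.internet_exposed else "high"
        findings.append((item.host, item.product, item.version, severity))
    return sorted(findings, key=lambda f: (f[3] != "critical", f[0]))


# Constructed sample inventory (not real hosts). mft-01 runs the first patch
# level and still fails because the threshold is the later fixed build.
SAMPLE_INVENTORY = [
    Install("mft-01", "LexiCom", "5.8.0.21", internet_exposed=True),
    Install("mft-02", "VLTrader", "5.8.0.24", internet_exposed=True),
    Install("mft-03", "Harmony", "5.7", internet_exposed=False),
    Install("app-01", "OtherTool", "1.2.3", internet_exposed=True),
]


if __name__ == "__main__":
    for host, product, version, severity in triage(SAMPLE_INVENTORY):
        print(f"{severity.upper():8} {host:8} {product} {version}")
```

Feeding a real inventory into `triage` requires only that each record carries the product name, the installed version string, and whether the host is reachable from the internet; the exposure flag is what turns a stale version into a critical finding rather than a routine patch ticket.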