Cl0p resurgence drives ransomware attacks to new highs in 2025

• Ransomware attacks have reached their highest in February 2025, report claims
• The Cl0p group has been highly active in Q1 of 2025
• NordStellar statistics lay bare the rising threat of ransomware

Ransomware attacks have had an 81% increase year on year, new research from NordStellar has claimed.

This increase can be largely attributed to the Cl0p ransomware group, which has seen something of a resurgence as the group claims responsibility for 385 attacks in the first few weeks of 2025 alone.

As a result, February 2025 saw the most ransomware attacks in history, with 980 known attacks occurring in just 28 days - an average of 35 attacks per day.

A Cl0p in the ocean

The Cl0p group broke into the ransomware scene in around 2019, offering ransomware-as-a-service (RaaS), where a cybercriminal group will rent out their ransomware to others to commit their own attacks, or sell access to an organization's network and systems for others to encrypt and extort.

The group’s notoriety saw its peak after successfully breaching MOVEit Managed File Transfer, which saw over 600 organizations have their sensitive data stolen, affecting over 40 million people.

So far in 2025, US organizations have made up 844 of the 2,040 victims, which Vakaris Noreika, a cybersecurity expert at NordStellar, attributes to the fact that American companies are often lucrative targets for ransomware groups thanks to their wealth and cyber insurance, as well as their highly interconnected networks - with each user, device, and connection acting as a potential point of entry for an attacker.

“The surge in ransomware attacks is unprecedented, proving the threat is more relentless than ever,” Noreika says.

“The spike is driven by a combination of factors — hackers exploiting zero-day vulnerabilities faster than ever, the rise of ransomware as a service (RaaS) lowering the barrier to entry, and organizations still struggling with unpatched systems and poor credential security."

“Cl0p’s reemergence might be closely connected to the group’s past activities, such as exploitation of zero-day vulnerabilities in Cleo file transfer software, compromising hundreds of organizations worldwide,” says Noreika.

“This incident, like a similar MOVEit Transfer one in 2023, highlights the critical importance of promptly addressing vulnerabilities in managed file transfer solutions to protect against sophisticated cyber threats.”

In order to mitigate the potential threat of a ransomware attack, NordStellar recommends that organizations deploy multi-layered cybersecurity strategies, as well as using regular data backups that can be recovered in the event of an attack.

Multi-factor authentication can also help protect against unauthorized access and lateral movement, with dark web monitoring tools providing an early sign of compromise for user credentials or stolen data.

Organizations can also provide cybersecurity training to employees and deploy endpoint protection systems as a way to detect potential network intrusions.

You might also like

• These are the best antivirus services
• Take a look at our guide to the best firewalls
• This dangerous new ransomware is hitting Windows, ARM, ESXi systems