Cl0p resurgence drives ransomware attacks to new highs in 2025
Ransomware attack numbers hit new high in 2025

- Ransomware attacks reached their highest level in February 2025, report claims
- The Cl0p group has been highly active in Q1 of 2025
- NordStellar statistics lay bare the rising threat of ransomware
Ransomware attacks have increased 81% year on year, new research from NordStellar has claimed.
This increase can be largely attributed to the Cl0p ransomware group, which has seen something of a resurgence as the group claims responsibility for 385 attacks in the first few weeks of 2025 alone.
As a result, February 2025 saw the most ransomware attacks in history, with 980 known attacks occurring in just 28 days - an average of 35 attacks per day.
A Cl0p in the ocean
The Cl0p group broke into the ransomware scene around 2019, offering ransomware-as-a-service (RaaS), a model in which a cybercriminal group rents out its ransomware for others to use in their own attacks, or sells access to an organization's network and systems for others to encrypt and extort.
The group’s notoriety peaked after it successfully breached MOVEit Managed File Transfer, an incident in which over 600 organizations had their sensitive data stolen, affecting over 40 million people.
So far in 2025, US organizations have made up 844 of the 2,040 victims, which Vakaris Noreika, a cybersecurity expert at NordStellar, attributes to the fact that American companies are often lucrative targets for ransomware groups thanks to their wealth and cyber insurance, as well as their highly interconnected networks - with each user, device, and connection acting as a potential point of entry for an attacker.
“The surge in ransomware attacks is unprecedented, proving the threat is more relentless than ever,” Noreika says.
“The spike is driven by a combination of factors — hackers exploiting zero-day vulnerabilities faster than ever, the rise of ransomware as a service (RaaS) lowering the barrier to entry, and organizations still struggling with unpatched systems and poor credential security.”
“Cl0p’s reemergence might be closely connected to the group’s past activities, such as exploitation of zero-day vulnerabilities in Cleo file transfer software, compromising hundreds of organizations worldwide,” says Noreika.
“This incident, like a similar MOVEit Transfer one in 2023, highlights the critical importance of promptly addressing vulnerabilities in managed file transfer solutions to protect against sophisticated cyber threats.”
To mitigate the threat of a ransomware attack, NordStellar recommends that organizations deploy multi-layered cybersecurity strategies and keep regular data backups that can be recovered in the event of an attack.
Multi-factor authentication can also help protect against unauthorized access and lateral movement, with dark web monitoring tools providing an early sign of compromise for user credentials or stolen data.
Organizations can also provide cybersecurity training to employees and deploy endpoint protection systems as a way to detect potential network intrusions.
Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.