Cleo

Cleo, a managed file transfer solutions provider, was the victim of a significant incident when the Cl0p ransomware group exploited two zero-day vulnerabilities in its software. The campaign contributed to Cl0p listing 358 victims in Q1 2025, a 284% increase over 2024. The attack leveraged supply chain vulnerabilities, showing the wide impact such vulnerabilities can have when they are weaponized. The malware used sophisticated obfuscation techniques and was digitally signed with legitimate certificates to evade detection.

Source: https://cybersecuritynews.com/213-increase-in-ransomware-attacks-targeting-organizations/

TPRM report: https://scoringcyber.rankiteo.com/company/cleo-managed-file-transfer-solutions

{
  "id": "cle352070325",
  "linkid": "cleo-managed-file-transfer-solutions",
  "type": "Ransomware",
  "date": "7/2025",
  "severity": "100",
  "impact": "",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'industry': 'Technology',
                        'name': 'Cleo',
                        'type': 'Software provider'}],
 'attack_vector': 'Zero-day vulnerabilities in Cleo managed file transfer '
                  'software',
 'data_breach': {'data_encryption': True, 'data_exfiltration': True},
 'date_detected': 'Q1 2025',
 'description': 'The first quarter of 2025 has witnessed an unprecedented '
                'surge in ransomware attacks, with 2,314 victims listed across '
                '74 unique data leak sites, representing a staggering 213% '
                'increase compared to the 1,086 victims recorded in the same '
                'period last year. This dramatic escalation marks a '
                'significant departure from the relatively stable ransomware '
                'landscape observed throughout 2024, where threat actors '
                'appeared to focus on highly targeted attacks rather than '
                'volume-based campaigns. The ransomware ecosystem has '
                'undergone substantial transformation, with 74 active '
                'ransomware groups operating data leak sites in Q1 2025, up '
                'from 56 variants in the corresponding period of 2024. This '
                'expansion reflects the growing sophistication and '
                'diversification of the ransomware-as-a-service (RaaS) model, '
                'where cybercriminals lease their malicious software to '
                'affiliates who conduct the actual attacks. The surge has '
                'affected organizations across all industry verticals, with '
                'industrials, consumer cyclicals, and technology sectors '
                'bearing the brunt of these attacks. Perhaps most striking is '
                'the dramatic shift in the ransomware hierarchy, with Cl0p '
                'emerging as the dominant threat actor after listing 358 '
                'victims in Q1 2025, compared to just 93 victims throughout '
                'all of 2024. This represents a remarkable 284% increase in '
                'activity, primarily driven by the group’s exploitation of two '
                'zero-day vulnerabilities in Cleo managed file transfer '
                'solutions. Optiv analysts identified that Cl0p’s February '
                '2025 campaign alone resulted in 389 victims, demonstrating '
                'the devastating impact of supply chain vulnerabilities when '
                'weaponized by skilled threat actors. The ransomware landscape '
                'has also seen the emergence of new players, including '
                'VanHelsing and Babuk2, while established groups like '
                'RansomHub and Akira maintained high attack volumes. Notably, '
                'the previously dominant LockBit ransomware operation has '
                'continued its decline following law enforcement disruption in '
                'February 2024, dropping to 22nd position with only 24 victims '
                'listed in Q1 2025. Cl0p’s Zero-Day Exploitation Campaign The '
                'most significant development in Q1 2025 was Cl0p’s '
                'sophisticated exploitation of CVE-2024-50623 and '
                'CVE-2024-55956, two zero-day vulnerabilities discovered in '
                'Cleo’s managed file transfer software. This campaign '
                'exemplifies the evolution of ransomware tactics, where groups '
                'leverage supply chain vulnerabilities to achieve maximum '
                'impact with minimal effort. The Cl0p ransomware, first '
                'identified in February 2019 as an evolution of the 2016 '
                'CryptoMix variant, employs sophisticated obfuscation '
                'techniques and is digitally signed with legitimate '
                'certificates to evade security detection. The malware’s '
                'technical architecture includes geographic restrictions that '
                'terminate execution when targeting Commonwealth of '
                'Independent States countries, a common characteristic among '
                'Russian-affiliated ransomware operations. Cl0p primarily '
                'targets Active Directory servers to achieve comprehensive '
                'network compromise, appending the “.ClOP” extension to '
                'encrypted files while maintaining its dark web presence '
                'through the “>CLOP^-LEAKS” data leak site. This '
                'dual-extortion approach combines traditional file encryption '
                'with data theft, maximizing pressure on victims to pay '
                'ransoms. The retail sector experienced particular devastation '
                'during this campaign, with Cl0p responsible for nearly half '
                'of all retail victims in Q1 2025, highlighting how supply '
                'chain vulnerabilities can cascade across entire industry '
                'verticals when exploited by determined threat actors.',
 'initial_access_broker': {'entry_point': 'Zero-day vulnerabilities in Cleo '
                                          'managed file transfer software',
                           'high_value_targets': 'Active Directory servers'},
 'motivation': 'Financial gain',
 'post_incident_analysis': {'root_causes': 'Zero-day vulnerabilities in Cleo '
                                           'managed file transfer software'},
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransomware_strain': 'Cl0p'},
 'references': [{'source': 'Optiv'}],
 'threat_actor': 'Cl0p',
 'title': 'Q1 2025 Ransomware Surge',
 'type': 'Ransomware',
 'vulnerability_exploited': ['CVE-2024-50623', 'CVE-2024-55956']}