Cl0p Ransomware Group Embarks on Extensive Cleo Exploit Campaign

Published on
December 30, 2024

The Cl0p ransomware group plans to disclose over 60 organizations targeted in recent cyberattacks exploiting vulnerabilities in Cleo’s file transfer software, including Harmony, VLTrader, and LexiCom.  

Tracked as CVE-2024-50623 and CVE-2024-55956, the flaws allow unauthenticated attackers to read and write files on exposed servers and have been exploited in the wild since early December; at least one of the two was a zero-day when the attacks began, SecurityWeek reports.

Cl0p, which claimed responsibility for the Cleo attacks in mid-December, announced on its Tor-based website that victims are being contacted with proof of data theft and offered a final chance to pay a ransom before their names are revealed.  

Supply chain software provider Blue Yonder is the only named victim so far, with others facing public exposure by December 30.

However, new developments suggest another ransomware group, Termite, may be responsible for some attacks, including the breach of Blue Yonder, which impacted Starbucks and grocery chains.  

The apparent overlap between Cl0p and Termite raises questions about a possible connection. Cleo, which serves over 4,000 customers, faces increasing scrutiny as attackers continue exploiting its software vulnerabilities.

Takeaway: Cl0p and Termite are two ransomware groups with distinct origins, tactics, and levels of sophistication, yet both represent significant threats in the cybercriminal landscape.

According to the Power Rankings: Ransomware Malicious Quartile report, Cl0p, first observed in 2019, operates as a ransomware-as-a-service (RaaS) platform known for its advanced anti-analysis features and anti-virtual machine detection, making it adept at evading cybersecurity investigations.  

By mid-2023 Cl0p had become the most prolific ransomware group, accounting for 21% of all recorded ransomware incidents in July 2023, largely because it automated the exploitation of high-profile vulnerabilities such as MOVEit Transfer (CVE-2023-34362) and GoAnywhere MFT (CVE-2023-0669).

Cl0p is known for its adaptability, switching between data extortion and traditional ransomware encryption. The group was among the first to develop a Linux ransomware variant, broadening the set of systems it can target, and its Windows ransomware encrypts files with RC4 and protects the RC4 keys with RSA-1024, so recovery depends on the operators' private key.
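The following is an added illustration of the RC4-plus-RSA key hierarchy described above; it is not Cl0p's code and makes no claim about how Cl0p's locker is implemented beyond the pattern the text names. Each "file" gets a fresh RC4 key, and that key is wrapped with the operator's RSA public key, so undoing the encryption requires the operator's private key. The RSA here is a toy (stdlib-only key generation, textbook RSA without padding, 512-bit modulus by default so it runs instantly); the text says the real locker uses RSA-1024, and any real system would use a vetted library. The sample plaintext is constructed.

```python
"""Added example: per-file RC4 key wrapped under an RSA public key (not Cl0p's code)."""
import os
import random
from math import gcd


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 KSA + PRGA. Output is plaintext XOR keystream, so one call both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin probabilistic primality test; adequate for a toy keygen."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # full length, odd
        if _is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits: int = 512):
    """Toy textbook RSA key pair, returned as ((n, e), (n, d)). bits=1024 matches the text."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and gcd(e, (p - 1) * (q - 1)) == 1:
            break
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def rsa_wrap(pub, key: bytes) -> int:
    """Wrap a symmetric key under the operator's public key (unpadded textbook RSA, toy only)."""
    n, e = pub
    m = int.from_bytes(key, "big")
    if m >= n:
        raise ValueError("key does not fit under modulus")
    return pow(m, e, n)


def rsa_unwrap(priv, wrapped: int, key_len: int) -> bytes:
    """Only the holder of d (the operator) can perform this step."""
    n, d = priv
    return pow(wrapped, d, n).to_bytes(key_len, "big")


KEY_LEN = 32  # 256-bit RC4 key per file


def lock_file(pub, plaintext: bytes):
    """Victim side: fresh RC4 key, ciphertext, and the key wrapped for the operator.
    The plaintext key is discarded; only the wrapped form is stored beside the file."""
    file_key = os.urandom(KEY_LEN)
    return rc4(file_key, plaintext), rsa_wrap(pub, file_key)


def unlock_file(priv, ciphertext: bytes, wrapped_key: int) -> bytes:
    """Operator side (what the victim is asked to pay for): unwrap the file key, then undo RC4."""
    return rc4(rsa_unwrap(priv, wrapped_key, KEY_LEN), ciphertext)


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    ct, wk = lock_file(pub, b"constructed sample: quarterly ledger")  # constructed input
    print(ct.hex(), unlock_file(priv, ct, wk))
```

The point for a defender is structural rather than cryptanalytic: RC4 and RSA-1024 are both below modern strength, but neither weakness gives a victim the per-file key, because the only copy of that key on disk is wrapped under a public key whose private half never leaves the operator. Recovery therefore comes from backups or from the operator, not from attacking the file encryption.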

Notably, Cl0p exploited a SQL injection vulnerability in MOVEit Transfer in May 2023 to steal sensitive data without deploying encryption payloads, emphasizing a focus on data theft and extortion.

In Q4 2024, Cl0p exploited two critical vulnerabilities in Cleo's software, CVE-2024-50623 and CVE-2024-55956 (at least one of them as a zero-day), against Cleo Harmony, VLTrader, and LexiCom deployments. The campaign produced data breaches at 66 organizations, with ransom demands reportedly ranging from $3 million to $20 million.

Cl0p employs triple-extortion tactics, combining encryption, data theft, and additional pressure campaigns. Their victims span critical sectors, including finance, government, healthcare, and infrastructure, with notable names like Shell, Siemens, and the US Department of Homeland Security.

The Termite ransomware group emerged in mid-November 2024 and has rapidly drawn attention for targeting a diverse range of organizations across various sectors and countries. Confirmed victims include the U.S.-based Nifast Corporation, French water treatment company Culligan France, Omani oil firm OQ, Germany’s Lebenshilfe Heinsberg (an NGO), and Canada’s Conseil Scolaire Viamonde.

Unlike Cl0p, Termite's operations are poorly documented, with little public information about its tactics, techniques, and procedures. How the group gains initial access or deploys its ransomware has not been publicly reported, which points to a low-profile but potentially sophisticated operation.

Termite operates an English-language data leak site (DLS), listing victims and describing attacks, but has yet to release stolen data. This restraint may indicate a strategic focus on using the threat of exposure as leverage in ransom negotiations rather than immediate public data leaks.

Termite’s DLS includes a “support” page with contact options through Tox, Jabber, and Telegram, aiming to present themselves as a professional operation similar to penetration testing services. Unlike Cl0p, which has established itself through sophisticated tools and high-profile campaigns, Termite's independence from other groups and its strategic restraint in data leaks suggest they are carving out a distinct identity in the ransomware ecosystem.

Cl0p has a longer operational history and a proven track record of technical innovation, including Linux ransomware and automation in exploiting vulnerabilities, while Termite is relatively new, with less documented evidence of technical capabilities.

Cl0p employs triple-extortion techniques with significant automation and mature encryption tooling, whereas Termite appears to rely more on the threat of data exposure as leverage and has not yet released stolen data publicly.

Cl0p also has broader reach, targeting industries globally with a focus on critical infrastructure and high-profile organizations; Termite's victim set is geographically diverse but smaller, skewing toward smaller entities and NGOs.

Cl0p's operations are well documented and linked to numerous high-profile breaches, while Termite so far is less visible, with no confirmed links to other cybercriminal groups, suggesting an independent, nascent operation.

Both groups illustrate the evolving threat landscape, with Cl0p exemplifying advanced, established ransomware operations and Termite representing an emerging, potentially disruptive force.

Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.
