Ransomware attacks jumped by 50% from January to February 2025, with close to 40% of those traced back to the Clop/Cl0p gang, according to the latest Threat Pulse report from NCC Group.
In just four weeks, NCC recorded 886 ransomware incidents—an increase from 590 in January and 403 a year earlier. Clop’s involvement spiked due to their strategy of publicly naming and shaming victims who were hacked through two serious zero-day exploits in the Cleo file transfer software. This group is notorious for targeting file transfer services, similar to how they carried out a massive hack on Progress Software’s MOVEit service in 2023.
Yet, it’s worth noting that Clop has a history of exaggerating its success, possibly inflating the numbers to grab more attention. Even so, they have clearly outpaced their competitors—RansomHub had 87 attacks, Akira had 77, and Play managed 43.
“Ransomware victim numbers hit record highs in February, surging 50% compared to January 2025, with Cl0p leading the charge,” said Matt Hull, head of threat intelligence at NCC. “Cl0p’s approach isn’t just about encryption anymore—it’s about stealing data on a massive scale. They exploit unpatched holes in widely-used file transfer software, similar to what we saw with MOVEit and GoAnywhere, to extract sensitive information and pressure victims to pay up.”
Clop’s attacks stemmed from two specific vulnerabilities: CVE-2024-50623 and CVE-2024-55956. The first allows the unrestricted upload of malicious files, which can trigger remote code execution once those files land in the Autorun directory. The second lets unauthenticated users run arbitrary Bash or PowerShell commands on the host, thanks to the default Autorun settings. Attackers can even plant Java backdoors for data theft. Although patches exist, many organizations using Cleo remain exposed because they have been slow to update.
In the midst of political turmoil, NCC’s data highlights a big focus on U.S. targets, with North America facing 65% of the attacks, while Europe and Asia lagged far behind at 18% and 7%, respectively. Last November, similar findings pointed to the chaotic geopolitical backdrop as a significant factor.
The situation intensified after Donald Trump returned to the White House in January 2025. His administration increased pressure on Iran regarding its nuclear program and complicated relations with Ukraine while softening stances towards Russia. NCC points to growing opportunities for threat actors in both Iran and Russia amid these shifts. Iran might boost its cyber capabilities and tighten ties with China, while Russian cybercriminals might shift their focus based on improved diplomatic connections.
For now, Russian-speaking ransomware groups are still targeting U.S. entities heavily, and the recent cuts made by the Department of Government Efficiency (DOGE) add to the concern. Championed by Trump as a blow against wasteful spending, these cuts, spearheaded by Elon Musk, have led to thousands of layoffs in government positions.
NCC warns that both financially and politically motivated hackers may see this chaos as an opportunity. With the government’s shift in priorities and the stress it brings, there’s a heightened risk of disruptive attacks, not to mention insider threats from employees feeling the pressure. Alarmingly, a 19-year-old DOGE worker with high access was discovered to be a former member of a cybercriminal group named The Com.
The U.S. House Committee on Oversight and Government Reform has called for an end to DOGE’s activities, citing a “reckless disregard for critical cybersecurity practices.”