Skip navigation
cyber_crime_alamy.jpg Alamy

CL0P Ransomware Activity Heats Up

Ransomware activity from CL0P increased massively in April over March, from one victim to 21, according to NCC Group. Meanwhile, REvil reemerged and Conti saw a decline.

Ransomware activity from cybercriminal group CL0P increased massively in April over March this year, a new report by cybersecurity consultant NCC Group found. The number of CL0P’s victims increased from just one in March to 21 in April.

The April Threat Pulse research report notes that CL0P exhibited an explosive return to the ransomware threat landscape, pushing them from the least active criminal group in March to the fourth most prominent in April. NCC Group's threat intelligence team says CL0P’s presence has been extremely volatile throughout 2022 thus far – from zero attacks in January, to 10 in February, one in March, and 21 in April.

A similar fluctuation in the rate of the group’s attacks was also seen across 2021, so the April uptick doesn’t necessarily indicate a marked comeback for CL0P. Rather, April was an "active month” for the group, the threat intelligence team noted.

REvil Reemerges

Following a quiet period, April also saw the return of threat actor REvil. Responsible for several high-profile disruptive ransomware campaigns in 2021, including the attacks on the Colonial Pipeline and Kaseya, REvil became the focal point for international law enforcement last year. The group’s online infrastructure was disabled, and multiple arrests were made.

NCC GroupChart shows number of victims by threat actor group in April 2022

Number of victims by threat actor group in April 2022.

In April, NCC Group threat intelligence saw new activity from REvil, albeit on a small scale with a total of five incidents reported. Each victim came from a different sector, revealing a diverse interest in targeting behavior.

NCC Group notes this return supports the notion that any absence from a ransomware group doesn’t signify a total hiatus in criminal activity, certainly where groups come under the law enforcement firing line, taking cover before regaining momentum.

Conti Group Cools Down

Other criminal groups decreased ransomware activity in April.

After a 115% increase between February and March, NCC Group researchers witnessed a 37% decrease in victims of criminal group Conti from March to April. This volatility may be attributed to the group’s inner political issues described in a previous NCC Group research report, causing fluctuations in the criminal staff needed to maintain a large volume of compromises.

Ransomware Remains a Challenge

Overall, according to the report, there were 288 ransomware attacks in April, a small increase over March (at 283 attacks). But comparing the January-to-April timeframe in 2021 to 2022, there’s been a 16% increase in ransomware attacks this year (189 vs. 219).

Unsurprisingly, North America remained the most targeted region, accounting for 46% of attacks. Europe was again the second most-targeted region, at 33% of attacks. However, European businesses experienced a small decline in ransomware targeting, with 105 incidents recorded in March, and 96 in April (a 9% decrease). Notably, ransomware attacks in Asia rose from 20 in March to 34 in April, representing a 70% increase.

NCC Group’s Strategic Threat Intelligence Practice gathers data on ransomware data leaks on the dark web to get regular insights into the most recent ransomware victims. By recording this data and classifying the victims by sector, the team derives additional insights highlighting the sectors that have been targeted, and how current ransomware threats compare to previous months.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.