The CL0P ransomware group has intensified attacks on critical infrastructure sectors, with telecommunications and healthcare organizations worldwide reporting mass data breaches and system encryption.
Leveraging a zero-day vulnerability in Cleo integration software (CVE-2024-50623), the threat actors have compromised over 80 organizations in February 2025 alone, marking a significant escalation from their 2023 campaign of 384 breaches.
The group’s latest tactics involve exploiting file transfer vulnerabilities to exfiltrate sensitive patient records, billing systems, and network configuration data before deploying encryption payloads.
Security analysts confirm that CL0P, a Russian-aligned cybercrime syndicate, has refined its steal-encrypt-leak methodology to maximize disruption.
The group now combines automated exploit scripts with manual lateral movement, targeting unpatched internet-facing systems.
Security experts at Cyberint noted that the recent victim telemetry shows the attackers terminating backup processes via taskkill /IM powerpnt.exe /F and net stop BackupExecAgentBrowser /y commands to prevent recovery, followed by shadow volume deletion through vssadmin delete shadows /all /quiet.
CL0P’s February surge stems from weaponizing CVE-2024-50623, a remote code execution flaw in Cleo’s LexiCom, VLTrader, and Harmony platforms widely used for healthcare data interoperability and telecom billing integrations.
Proof-of-concept exploits demonstrate how attackers upload malicious DLL files through Cleo’s HTTP API, granting full system access.
CL0P’s attack chain: initial foothold via Cleo vulnerabilities → credential harvesting → data exfiltration over 72–96 hours → deployment of file-encrypting binaries containing victim-specific RSA public keys.
Encrypted files now carry the .Cl0p_2025 extension with embedded markers (Clop^_- hexadecimal strings) for rapid identification.
Notably, CL0P has shifted from direct Bitcoin ransom demands to anonymous negotiations via Tor-hosted chat portals.
This operational change coincided with their February 12 update to torrent-based data leaks, circumventing traditional website takedowns.
Over 22 TB of stolen data from healthcare insurers and telecom providers have already surfaced on peer-to-peer networks, including:-
Critical vulnerabilities exploited in parallel campaigns include CVE-2021-27101 (SQL injection) and CVE-2021-27104 (remote command execution), with recent hashes like SHA256:e90bdaaf5f9ca900133b699f18e406256214816 linked to healthcare-targeting payloads.
The US Cybersecurity and Infrastructure Security Agency (CISA) urges immediate patching of Cleo software to version 5.8.0.21, though researchers warn that workarounds exist for the official fix.
Network defenders should monitor for vssadmin resize shadowstorage commands and TLS traffic to hiperfdhaus.com, a known CL0P command-and-control domain.
As the group threatens to leak prescription histories and emergency call logs, affected sectors face mounting pressure to overhaul legacy systems.
With CL0P’s TTPs mirroring state-sponsored actors, this campaign shows the systemic risks in interconnected critical infrastructure.