Clop ransomware gang has returned to the ransomware threat landscape a few months after shutting down its operations between November and February.

The activities of the ransomware group became noticeable after it had added 21 new victims to its data leak site in just one month (April).

Clop’s most targeted sector was the industrial sector. 45% of Clop ransomware attacks target industrial organizations, while 27% target technology companies.

“CLop had an explosive and unexpected return to the forefront of the ransomware threat landscape, jumping from the least active threat actor in March to the fourth most active in April. There were notable fluctuations in threat actor targeting in April. While Lockbit 2.0 (103 victims) and Conti (45 victims) remain the most prolific threat actors, victims of CLoP increased massively, from 1 to 21,” NCC Group explained.

Clop ransomware deals in the exfiltration of large amounts of data from high-profile companies using Accellion’s legacy File Transfer Appliance (FTA). The stolen data are later used as leverage to blackmail the compromised companies, whereby they are forced to pay high ransom demands to prevent their data from leaking online.

There is speculation that the recent actions of the Clop gang are part of the process of finally shutting down their operations after a long period of inaction.