Cl0p Is Back, Exploiting Supply Chains Again. by Lucie Cardiet
ID: a8f8a4e2-6321-5d10-8279-2e3cf2a3d53b
STIX ID: report--a8f8a4e2-6321-5d10-8279-2e3cf2a3d53b
Feed Name: Vectra AI Blog
- This report chronicles the resurgence and evolution of the Cl0p ransomware group from 2019 to 2025. It documents multiple large-scale supply-chain and MFT exploit campaigns (Accellion, SolarWinds Serv-U, GoAnywhere, MOVEit, Cleo, Oracle EBS), widespread data theft and extortion (CISA-estimated ~3,000 U.S. and ~8,000 global MOVEit victims), a shift toward encryption-less data-only extortion, observed TTPs (web shells, encrypted exfiltration, credential misuse), and practical detection and mitigation recommendations for defenders.
