cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Clop ransomware gang takes out dubious top spot as most prolific operator of 2023

A new report from Qualys looks back at the past year and details the growing pace of security vulnerabilities and the threat actors that exploit them.

user icon David Hollingworth
Tue, 09 Jan 2024
Clop ransomware gang takes out dubious top spot as most prolific operator of 2023
expand image

It was a hell of a year for the Clop ransomware gang in 2023.

The gang has been around since at least 2019, and its rise has been pretty steady. By 2021, it was already ranking as the third-most active ransomware operator in the world, when it managed to be responsible for nearly 10 per cent of all ransomware attacks.

Fast forward to 2023, and Clop managed to take advantage of a raft of vulnerabilities that allowed it to not only target individual companies, but entire customer ecosystems.


“This group masterminded a high-profile cyber attack by exploiting zero-day vulnerabilities, and they notably exploited zero-day vulnerabilities in key platforms like GoAnywhere MFT, PaperCut, MOVEit, and SysAid,” Qualys researchers said in the company’s 2023 Threat Landscape Year in Review.

Clop has shown itself to be a master of zero-day exploits, taking advantage of CVE-2023-27350, CVE-2023-34362, CVE-2023-0669, and CVE-2023-35036 in its largest attacks. The MOVEit hack alone – which targeted just one software vendor and its file transfer software – has to date racked up an alarming 2,611 victims, impacting more than 85 million individuals.

The choice of vulnerabilities to exploit displays the gang’s versatility, too.

“These vulnerabilities ranged from SQL injection in MOVEit Transfer, allowing database access, to a pre-authentication command injection in GoAnywhere MFT and bypassing authentication in PaperCut NG,” the Qualys report said.

The bigger picture

Clop’s success is indicative of a wider issue. In 2023, like every year before it since 2016, the number of disclosed vulnerabilities has grown year on year. In 2023, a staggering 26,447 vulnerabilities were disclosed, eclipsing the previous year by more than 1,500 CVEs. Back in 2016, that number was just 6,447.

Of course, not all those issues represent serious threats.

“However, not all vulnerabilities present a high risk; in fact, a small subset (less than 1 per cent) contributes the highest risk,” Qualys said. “These particularly critical vulnerabilities are ones that have a weaponised exploit, are actively exploited by ransomware, threat actors, and malware, or have confirmed evidence of exploitation in the wild.”

Breaking down those 26,000-odd vulnerabilities reveals some interesting data. Only a shade over 7,000 even have proof-of-concept exploits available, and even most of those are poorly coded.

A mere 206 vulnerabilities were actively weaponised in 2023, and only 115 were exploited by named threat actors. A total of 109 were known to the Cybersecurity and Infrastructure Security Agency (CISA) as serious problems, and 97 weren’t even on CISA’s books.

Ransomware operators only took advantage of 20 known exploits, and 15 were used by malware operators. Nonetheless, when you look at the impact of that 1 per cent – just look at Clop – it can clearly be seen that if you give a threat actor an inch, they’ll take a very costly mile.

Time to hack

Another key figure in the report is the time it takes for a threat actor to actively exploit a vulnerability. On average, that figure is 44 days, which doesn’t sound too bad.

However, a number of CVEs were exploited on the same day they were revealed. In fact, of those CVEs that were exploited within zero to 25 days, 25 per cent were immediately taken advantage of. The rest were exploited within 25 days.

“This immediate action represents a shift in the modus operandi of attackers, highlighting their growing efficiency and the ever-decreasing window for response by defenders,” Qualys said.

According to Qualys, these figures serve as a “wake-up call for organisations to adopt a proactive stance toward patch management and threat intelligence”.

You can read the full report here.

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

cd intro podcast

Introducing Cyber Daily, the new name for Cyber Security Connect

Click here to learn all about it
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.