Clop Ransomware Adopts Torrents to Leak Stolen Data and Evade Detection

Ransomware breach, Ransomware response, Data Breach, Cyber Incident Response

The utilization of ransomware is continuously advancing as cybercriminals discover novel methods to exploit vulnerabilities and optimize their financial gains. An exemplification of this is the Clop ransomware gang, which has recently adapted its tactics by resorting to torrents to disclose stolen data from its victims. By employing this approach, Clop aims to surmount the limitations of conventional Tor data leak sites and enhance the potential for wider dissemination of the compromised information.

A New Approach to Data Leakage

Traditionally, the Clop ransomware group has relied on Tor sites to disclose the data stolen in their attacks. However, this method has its limitations, such as slow download speeds, which can restrict the impact of the data leak. To address this issue, the group has started utilizing clear websites, which are more accessible but also easier for law enforcement agencies and companies to dismantle.

In a recent development, Clop has now adopted torrents as a means of distributing stolen data. Torrents employ peer-to-peer transfer among different users, resulting in faster transfer speeds compared to Tor sites. This new approach not only resolves the issue of slow data transfer but also presents a decentralized distribution method that poses greater challenges for law enforcement to dismantle.

Torrents in Action

According to security researcher Dominic Alvieri, Clop has already created torrents for twenty victims, including prominent organizations such as Aon, K & L Gates, Putnam, Delaware Life, Zurich Brazil, and Heidelberg. These torrents provide a means for individuals to download the leaked data using torrent clients and magnet links provided on the newly set up Tor site.

To illustrate the extent of the available torrents, here is a list of some of the victims for whom Clop has created torrents:

K & L Gates
Delaware Life
Zurich Brazil

Source: BleepingComputer

A test conducted by BleepingComputer demonstrated the effectiveness of this new method. Despite being seeded from only one IP address in Russia, the data transfer speeds reached 5.4 Mbps, significantly faster than the previous Tor-based leaks. The decentralized nature of torrents also ensures that even if the original seeder is taken offline, another device can step in to continue seeding the stolen data.

Implications and Future Outlook

The adoption of torrents by the Clop ransomware gang is expected to have several implications for both the victims and the cybercriminals themselves. By leveraging torrents, the group can overcome the limitations of slow data transfer and increase the overall impact of their attacks. This increased potential for broader distribution of stolen data may put additional pressure on victims to pay the ransom demands.

Coveware, a leading ransomware incident response company, estimates that Clop could earn between $75 to $100 million from its extortion payments. Although the number of victims paying the ransom is relatively small, the size of the demands has convinced some companies to comply, leading to significant earnings for the threat actors.

It remains to be seen whether the use of torrents will lead to an increase in ransom payments. However, given the substantial profits already generated by Clop, the success of this new distribution method is likely to encourage the group to continue utilizing torrents in their future attacks. This approach offers several benefits, including easier setup and reduced reliance on complex websites.

As the ransomware landscape continues to evolve, organizations must remain vigilant and adopt robust cybersecurity measures to protect their sensitive data. Regular backups, network segmentation, and employee awareness training are essential components of a comprehensive defense strategy.


The adoption of torrents by the Clop ransomware gang signifies a significant shift in their extortion strategies. By leveraging the advantages of peer-to-peer transfer and decentralization, the group can overcome the limitations of traditional Tor sites and amplify the impact of their attacks. This innovative approach highlights the imperative for organizations to prioritize cybersecurity measures and remain vigilant against evolving ransomware threats.

Through their use of torrents, Clop demonstrates their adaptability and willingness to explore new avenues for maximizing illicit gains. As the threat landscape continues to evolve, organizations must proactively implement robust security measures and stay informed about the latest trends and tactics employed by cybercriminals. By doing so, they can effectively safeguard their valuable data and mitigate the risk of falling victim to ransomware attacks.

Purple Shield Security is not your typical cybersecurity consulting firm. We are the guardians of your digital realm, committed to protecting your business from the constantly evolving landscape of cyber threats. With a dedicated team of passionate security professionals by your side, we go above and beyond mere data and system protection – we provide you with peace of mind. Our comprehensive range of services includes Security Assessments, Penetration Testing, Incident Response, and more. By harnessing cutting-edge solutions and leveraging our expertise, we empower you to fortify your web applications and minimize vulnerability to attacks.

Don’t wait to secure your business. Get in touch with us today and discover how Purple Shield Security can revolutionize your cybersecurity defenses.