CI0p targets The Peddie School

Incident Date:

February 26, 2024

World map



CI0p targets The Peddie School


The Peddie School




Hightstown, USA

New Jersey, USA

First Reported

February 26, 2024

The Peddie School Compromised by Cl0p Ransomware Group

The Peddie School has reportedly been compromised by the Cl0p ransomware group and has been added to the malefactor’s data leak site. The group exfiltrated and leaked 1.2 TB of data. The Peddie School is a college preparatory school in Hightstown, in Mercer County, in the US state of New Jersey. It is a non-denominational, coeducational boarding school located on a 280-acre campus and serves students in the ninth through twelfth grades, plus a small post-graduate class.

Recent Activities of Cl0p Ransomware Group

Attacks by Cl0p operators and affiliates fell dramatically in August of 2023, then the group appeared to have gone dark altogether in September with few attacks attributed to them throughout the rest of Q4-2023. CI0p is a RaaS (Ransomware-as-a-Service) platform first observed in 2019. CI0p has advanced anti-analysis capabilities and anti-virtual machine analysis to prevent investigations in an emulated environment like those commonly used by security tools.

CI0p is increasingly using automation to exploit known vulnerabilities to infiltrate targets, as well as a SQL injection zero-day vulnerability (CVE-2023-34362) that installs a web shell – a rarity amongst ransomware operators. Attacks by CI0p surged in Q1 of 2023 as the gang leveraged patchable exploits for the GoAnywhere file transfer software to compromise more than 100 victims in a matter of weeks, although it is unknown how well they were able to monetize the attacks.

Ransom Demands and Targets

Ransom demands vary depending on the target and average around $3 million dollars but have been reported as to be as high as $20 million. Ransom amounts are likely to continue to grow as CI0p focuses more on the exfiltration of sensitive data. CI0p is one of just a handful of RaaS providers that have developed a Linux version, an indication that CI0p is likely actively recruiting new talent to help improve their platform and expand the scope of what and whom they can attack.

CI0p’s Windows version was written in C++ and encrypts files with RC4 and the encryption keys with RSA 1024-bit. CI0p had previously almost exclusively hit targets in the healthcare sector but has significantly expanded targeting to include most any organization with vulnerable GoAnywhere installations. CI0p runs an expansive affiliate program and exfiltrates data to be leveraged in triple extortion schemes and has significantly expanded its primary target range beyond the healthcare sector.

There are indications that CI0p may be shifting to more of a pure data extortion model, but most victims still suffer the ransomware payload at this point.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.