Clop ransomware gang names many victims of the Cleo mass hack, but several companies dispute breaches


The Clop ransomware gang, which is known to have carried out hacks in recent weeks by exploiting a vulnerability in several popular enterprise file transfer products developed by US software company Cleo, has named dozens of corporate victims.

In a post on its dark web leak site seen by TechCrunch, the Russian-linked Clop gang listed 59 organizations it says it breached by exploiting dangerous flaws in Cleo's software tools.

The bug affects Cleo's LexiCom, VLTransfer and Harmony products. Cleo first disclosed the vulnerability in an October 2024 security advisory. Security researchers discovered the vulnerability in December, with hackers mass exploiting it months later.

Clop claimed in its post that it notified the breached organizations, but that the victim organizations did not negotiate with the hackers. Clop is threatening to release, on January 18, the data it allegedly stole if its ransom demands are not met.

Enterprise file transfer tools are a popular target among ransomware hackers, and Clop in particular, given the sensitive data often stored on these systems. In recent years, ransomware gangs have exploited vulnerabilities in Progress Software's MOVEit Transfer product, and Clop later took credit for the mass exploitation of a vulnerability in Fortra's GoAnywhere managed file transfer software.

In the wake of its recent hacking attack, at least one company has confirmed an intrusion linked to Clop's attacks on Cleo systems.

German manufacturing giant Covestro told TechCrunch it had been contacted by Clop and confirmed the gang had accessed certain data stores on its systems.

“We have confirmed unauthorized access to a US logistics server used to exchange shipping information with our transportation service providers,” Covestro spokesman Przemyslaw Jedrysik said in a statement. “In response, we want to ensure that the system is strong. Security monitoring has been increased and users have been notified in advance.”

Jedrysik confirmed that “most of the information contained on the server was not sensitive,” but declined to say what types of data were accessed.

Other alleged victims who spoke to TechCrunch disputed Clop's claims, saying they were not compromised as part of the gang's latest mass hacking campaign.

Emily Spencer, a spokeswoman for US car rental giant Hertz, said the company was “aware” of Clop's claims, but said there was no evidence at this time that Hertz data or Hertz systems were affected.

“Out of an abundance of caution, we are continuing to monitor this matter with the support of our third-party cybersecurity partner,” Spencer added.

Christine Panayotou, a spokeswoman for Linfox, an Australian logistics company listed on Clop's leak site, said the company does not use Cleo software and has never experienced a cyber incident involving its own systems.

Panayotou did not respond when asked if Linfox's data had been accessed because of a cyber incident involving a third party.

Spokespeople for Arrow Electronics and Western Alliance Bank told TechCrunch that they found no evidence that their systems had been compromised.

Clop also mentioned the recently breached software supply chain company Blue Yonder. The company confirmed the November ransomware attack. It has not updated its cybersecurity incident page since December 12.

When last reached by TechCrunch, Blue Yonder spokeswoman Marina Renneke confirmed on Dec. 26 that the company “uses Cleo to support and manage file transfers,” and that it was investigating any potential access. But the company said there was “no reason to believe the Cleo vulnerability is connected to the cyber security incident we experienced in November.” The company did not provide evidence for the claim and had no further immediate comment when reached this week.

When asked by TechCrunch, the companies that responded would not say whether they have technical means, such as logs, to determine access to their data or trace its extraction.

TechCrunch has yet to receive a response from the other organizations listed on Clop's leak site. Clop claims it will add more victim organizations to its dark web site on January 21.

It's unclear how many companies were targeted, and Cleo, which is itself listed as a victim of Clop, did not respond to TechCrunch's questions.
