Prolific ransomware gang Clop has named dozens of corporate victims it claims to have hacked in recent weeks after exploiting a vulnerability in several popular business file transfer products developed by US software company Cleo.
In a post on its dark web leak site, seen by TechCrunch, the Russian-linked Clop gang listed 59 organizations it claims it breached by exploiting the high-risk bug in Cleo’s software tools.
The flaw affects Cleo’s LexiCom, VLTrader and Harmony products. Cleo first disclosed the vulnerability in a security advisory in October 2024 before security researchers noticed hackers mass exploiting the vulnerability months later in December.
Clop claimed in its post that it notified the organizations it breached, but that the victim organizations did not negotiate with the hackers. Clop is threatening to release the data it allegedly stole on January 18 unless its ransom demands are paid.
Corporate file transfer tools are a popular target among ransomware hackers — and Clop, in particular — given the sensitive data often stored on those systems. In recent years, the ransomware gang previously exploited vulnerabilities in Progress Software’s MOVEit Transfer product and later took credit for mass exploiting a vulnerability in Fortra’s GoAnywhere managed file transfer software.
Following the latest hacking spree, at least one company has confirmed an intrusion related to Clop’s attacks on Cleo systems.
German manufacturing giant Covestro told TechCrunch that it was contacted by Clop and has since confirmed that the gang had access to certain data stores on its systems.
“We have confirmed that there was unauthorized access to a US logistics server, which is used to exchange shipment information with our transport providers,” Covestro spokesman Przemyslaw Jedrysik said. “In response, we have taken steps to ensure system integrity, improve security monitoring and proactively notify customers.”
Jedrysik confirmed that “the majority of the information contained on the server was not of a sensitive nature,” but declined to say what types of data had been accessed.
Other alleged victims TechCrunch spoke to disputed Clop’s claims and say they were not hacked as part of the gang’s latest mass hacking campaign.
Emily Spencer, a spokeswoman for US car rental giant Hertz, said in a statement that the company was “aware” of Clop’s allegations, but said there was “no evidence that Hertz data or Hertz systems have been affected at this time.”
“Out of an abundance of caution, we continue to actively monitor this matter with the support of our third-party cybersecurity partner,” Spencer added.
Christine Panayotou, a spokeswoman for Linfox, an Australian logistics company that Clop featured on its leak site, also disputed the gang’s claims, saying the company does not use Cleo software and “has not experienced a cyber incident involving its own systems.”
When asked whether Linfox had data accessed due to a cyber incident involving a third party, Panagiotou did not respond.
Representatives from Arrow Electronics and Western Alliance Bank also told TechCrunch that they found no evidence that their systems had been compromised.
Clop also listed recently hacked supply chain software giant Blue Yonder. The company, which confirmed a ransomware attack in November, has not updated its cyber incidents page since December 12.
Blue Yonder spokeswoman Marina Renneke reiterated an earlier statement to TechCrunch, noting that the company “uses Cleo to support and manage certain file transfers” and that it is investigating any potential access, but added that the company “has no reason to believe the Cleo vulnerability is linked to the cybersecurity incident we experienced in November.” The company did not provide evidence for the claim.
When asked by TechCrunch, none of the responding companies said whether they had the technical means, such as logs, to detect access or penetration of their data.
TechCrunch has yet to hear back from the other organizations listed on Clop’s leak site. Clop claims it will add more victim organizations to its dark web leak site on January 21.
It’s not yet known how many companies have been targeted, and Cleo — which is listed as a victim of Clop — did not respond to TechCrunch’s questions.