Clop Ransomware: Cleo Hack Victims Named - SecurityWeek

Clop Ransomware Gang Claims Numerous Corporate Victims
The Clop ransomware group, known for its extensive operations, has publicly identified a significant number of organizations it alleges to have compromised in recent weeks. This claim follows the exploitation of a security flaw present in several widely-used enterprise file transfer products created by Cleo, a U.S.-based software developer.
Details of the Breach
A post on the dark web leak site associated with the Russia-linked Clop gang, reviewed by TechCrunch, details 59 organizations purportedly breached through the exploitation of a critical vulnerability within Cleo’s software suite.
Specifically, the vulnerability impacts Cleo’s LexiCom, VLTransfer, and Harmony products. Cleo initially disclosed this security issue in a security advisory released in October 2024. However, security researchers only began observing widespread exploitation of the flaw by malicious actors several months later, in December.
According to Clop’s statement, notifications were sent to the affected organizations, but the gang asserts that these organizations declined to engage in ransom negotiations. Clop has threatened to publish the allegedly stolen data on January 18 unless its ransom demands are met.
File Transfer Tools as Prime Targets
Enterprise file transfer tools are frequently targeted by ransomware operators – particularly Clop – due to the sensitive nature of the data commonly stored within these systems. The group has a history of exploiting vulnerabilities in similar software.
Previously, Clop successfully exploited a vulnerability in Progress Software’s MOVEit Transfer product. Furthermore, the gang claimed responsibility for the widespread exploitation of a flaw in Fortra’s GoAnywhere managed file transfer software.
Confirmed and Disputed Intrusions
Following this latest hacking campaign, at least one company has acknowledged a security incident linked to Clop’s attacks on Cleo systems.
Covestro, a German manufacturing company, confirmed to TechCrunch that it had been contacted by Clop and subsequently verified unauthorized access to data stores on its systems.
“We confirmed unauthorized access to a U.S.-based logistics server, utilized for exchanging shipment details with our transportation partners,” stated Covestro spokesperson Przemyslaw Jedrysik. “As a result, we have implemented measures to maintain system integrity, improve security monitoring, and proactively inform our customers.”
Jedrysik indicated that “the majority of the information on the server was not considered sensitive,” but refrained from specifying the types of data that were accessed.
Several other organizations listed by Clop have contested the gang’s assertions, claiming they were not compromised during this recent campaign.
Company Responses and Discrepancies
Hertz, a U.S. car rental company, stated through spokesperson Emily Spencer that they are “aware” of Clop’s claims, but currently have “no evidence indicating that Hertz data or systems have been affected.”
“As a precautionary measure, we are actively monitoring the situation with the assistance of our third-party cybersecurity partner,” Spencer added.
Linfox, an Australian logistics firm also named on Clop’s leak site, disputed the claims, stating that it does not use Cleo software and has “not experienced a cyber incident impacting its own systems,” according to spokesperson Christine Panayotou.
Panayotou did not respond when asked if Linfox experienced data access due to a third-party incident.
Representatives from Arrow Electronics and Western Alliance Bank also reported finding no evidence of compromised systems to TechCrunch.
Blue Yonder and Ongoing Investigations
Blue Yonder, a software supply chain company recently impacted by a breach, was also listed by Clop. The company’s cybersecurity incident page has not been updated since December 12.
Blue Yonder spokesperson Marina Renneke reiterated a previous statement, noting the company “uses Cleo to support and manage certain file transfers” and is investigating potential access. However, she added that the company has “no reason to believe the Cleo vulnerability is connected to the cybersecurity incident experienced in November.” No supporting evidence was provided.
None of the responding companies disclosed whether they possess the technical capabilities, such as logs, to detect data access or exfiltration.
Future Disclosures and Lack of Response
TechCrunch has not yet received responses from all organizations listed on Clop’s leak site. The gang has announced plans to add further victim organizations to its dark web leak site on January 21.
The total number of companies targeted remains unknown. Cleo, which has also been identified as a victim of Clop, has not responded to inquiries from TechCrunch.