The prolific Clop ransomware gang has named dozens of corporate victims it claims to have hacked in recent weeks after exploiting a vulnerability in several popular enterprise file transfer products developed by U.S. software company Cleo.
In a post on its dark web leak site, seen by TechCrunch, the Russia-linked Clop gang listed 59 organizations it claims to have breached by exploiting the high-risk bug in Cleo’s software tools.
The flaw affects Cleo’s LexiCom, VLTransfer, and Harmony products. Cleo first disclosed the vulnerability in an October 2024 security advisory before security researchers observed hackers mass exploiting the vulnerability months later in December.
Clop claimed in its post that it notified the organizations it breached, but that the victim organizations did not negotiate with the hackers. Clop is threatening to publish the data it allegedly stole on January 18 unless its ransom demands are paid.
Enterprise file transfer tools are a popular target among ransomware hackers — and Clop, in particular — given the sensitive data often stored in these systems. In recent years, the ransomware gang exploited vulnerabilities in Progress Software’s MOVEit Transfer product, and later took credit for the mass exploitation of a vulnerability in Fortra’s GoAnywhere managed file transfer software.
Following its most recent hacking spree, at least one company has confirmed an intrusion linked to Clop’s attacks on Cleo systems.
German manufacturing giant Covestro told TechCrunch that it had been contacted by Clop, and has since confirmed that the gang accessed certain data stores on its systems.
“We confirmed there was unauthorized access to a U.S. logistics server, which is used to exchange shipping information with our transportation providers,” Covestro spokesperson Przemyslaw Jedrysik said in a statement. “In response, we have taken measures to ensure system integrity, enhance security monitoring and proactively notify customers.”
Jedrysik confirmed that “the majority of the information contained on the server was not of a sensitive nature,” but declined to say what types of data had been accessed.
Other alleged victims that TechCrunch has spoken with have disputed Clop’s claims, and say they were not compromised as part of the gang’s latest mass-hack campaign.
Emily Spencer, a spokesperson for U.S. car rental giant Hertz, said in a statement that the company is “aware” of Clop’s claims, but said there is “no evidence that Hertz data or Hertz systems have been impacted at this time.”
“Out of an abundance of caution, we are continuing to actively monitor this matter with the support of our third-party cybersecurity partner,” Spencer added.
Christine Panayotou, a spokesperson for Linfox, an Australian logistics firm that Clop listed on its leak site, also disputed the gang’s claims, saying the company does not use Cleo software and has “not experienced a cyber incident involving its own systems.”
When asked if Linfox had data accessed due to a cyber incident involving a third party, Panayotou did not respond.
Spokespeople for Arrow Electronics and Western Alliance Bank also told TechCrunch that they have found no evidence that their systems had been compromised.
Clop also listed the recently breached software supply chain giant Blue Yonder. The company, which confirmed a November ransomware attack, has not updated its cybersecurity incident page since December 12.
When last reached by TechCrunch, Blue Yonder spokesperson Marina Renneke confirmed on December 26 that the company “uses Cleo to support and manage certain file transfers” and that it was investigating any potential access, but added that the company has “no reason to believe the Cleo vulnerability is connected to the cybersecurity incident we experienced in November.” The company did not provide evidence for the claim, nor provide any more recent comment when reached this week.
When asked by TechCrunch, none of the companies that responded would say if they had the technical means, such as logs, to detect access or exfiltration of their data.
TechCrunch has not yet received responses from the other organizations listed on Clop’s leak site. Clop claims it will add more victim organizations to its dark web leak site on January 21.
It’s not yet known how many companies have been targeted, and Cleo — which itself has been listed as a victim of Clop — did not respond to TechCrunch’s questions.