Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
The prolific Clop ransomware gang has named dozens of corporate victims it claims to have hacked in recent weeks after exploiting a vulnerability in several enterprise file transfer products developed by US software company Cleo.
In a post on its dark web leak site, seen by TechCrunch, the Russia-linked Clop gang listed 59 organizations it claims to have breached by exploiting high-risk bugs in Cleo’s software tools.
The defect affects Cleo’s LexiCom, VLTransfer and Harmony products. Cleo first disclosed the vulnerability in an October 2024 security advisory, before security researchers observed hackers mass-exploiting the vulnerability months later in December.
Clop stated in its post that it notified the organizations that it breached, but that the victim organizations did not negotiate with the hackers. Clop is threatening to publish the data it allegedly stole on January 18 unless its ransom demands are paid.
Enterprise file transfer tools are a popular target among ransomware hackers – and Clop, in particular – given the sensitive data often stored on these systems. In recent years, the ransomware gang has exploited vulnerabilities in Progress Software’s MOVEit Transfer product, and then it took credit for the mass exploitation of a vulnerability in Fortra’s GoAnywhere managed file transfer software.
After its most recent hack, at least one company has confirmed an intrusion related to Clop’s attacks on Cleo systems.
German manufacturing giant Covestro told TechCrunch that it had been contacted by Clop, and confirmed that the gang accessed some data stores on its systems.
“We have confirmed that there was unauthorized access to a US logistics server, which is used to exchange shipping information with our transport providers,” Covestro spokesman Przemyslaw Jedrysik said in a statement. “In response, we have taken measures to ensure system integrity, strengthen security monitoring and proactively notify customers.”
Jedrysik confirmed that “most of the information contained on the server was not of a sensitive nature,” but declined to say what types of data were accessed.
Other alleged victims TechCrunch spoke with disputed Clop’s claims, saying they were not compromised as part of the gang’s latest mass hacking campaign.
Emily Spencer, a spokeswoman for US car rental giant Hertz, said in a statement that the company is “aware” of Clop’s claims, but said there is “no evidence that Hertz data or Hertz systems were affected at this time.”
“Out of an abundance of caution, we continue to actively monitor this matter with the support of our third-party cybersecurity partner,” Spencer added.
Christine Panayotou, a spokeswoman for Linfox, an Australian logistics company that Clop listed on its leak site, also disputed the gang’s claims, saying the company does not use Cleo software and “has not experienced a cyber incident involving its own systems.”
When asked if Linfox had data accessed due to a cyber incident involving a third party, Panayotou did not respond.
Spokespeople for Arrow Electronics and Western Alliance Bank also told TechCrunch that they found no evidence that their systems were compromised.
Clop also listed recently breached software supply chain giant Blue Yonder. The company, which confirmed a November ransomware attack, has not updated its cybersecurity incident page since December 12.
When TechCrunch last reached out, Blue Yonder spokeswoman Marina Renneke confirmed on December 26 that the company “uses Cleo to support and manage certain file transfers” and that it was investigating any potential access, but added that the company has “no reason to believe that Cleo’s vulnerability is connected to the cyber security incident we had in November.” The company did not provide evidence for the claim, nor did it provide any more recent comment when reached this week.
When asked by TechCrunch, none of the responding companies would say if they had technical means, such as logs, to detect access to or exfiltration of their data.
TechCrunch has yet to receive responses from the other organizations listed on Clop’s leak site. Clop says it will add more victim organizations to its dark web leak site on January 21.
It’s not known how many companies were targeted, and Cleo — which itself has been listed as a victim of Clop — did not respond to TechCrunch’s inquiries.