Clop Ransomware Gang Claims to Have Hacked Dozens of Companies Exploiting Cleo Software Vulnerability

Sophia Steele

January 16, 2025 · 3 min read
The prolific Clop ransomware gang has claimed to have hacked dozens of corporate victims in recent weeks, exploiting a vulnerability in several popular file transfer products developed by U.S. software company Cleo. In a post on its dark web leak site, seen by TechCrunch, the Russia-linked Clop gang listed 59 organizations it claims to have breached by exploiting the high-risk bug in Cleo's software tools.

The flaw affects Cleo's LexiCom, VLTransfer, and Harmony products and was first disclosed in an October 2024 security advisory. However, security researchers observed hackers mass exploiting the vulnerability months later, in December. This is not the first time Clop has targeted enterprise file transfer tools: it previously exploited vulnerabilities in Progress Software's MOVEit Transfer product and Fortra's GoAnywhere managed file transfer software.

Clop claimed in its post that it notified the organizations it breached, but that the victim organizations did not negotiate with the hackers. The gang is now threatening to publish the data it allegedly stole on January 18 unless its ransom demands are paid. At least one company, German manufacturing giant Covestro, has confirmed an intrusion linked to Clop's attacks on Cleo systems. Covestro spokesperson Przemyslaw Jedrysik stated that the gang accessed certain data stores on its systems, but the majority of the information contained on the server was not of a sensitive nature.

Other alleged victims that TechCrunch has spoken with have disputed Clop's claims, saying they were not compromised as part of the gang's latest mass-hack campaign. U.S. car rental giant Hertz, Australian logistics firm Linfox, Arrow Electronics, and Western Alliance Bank have all denied being impacted by the attack. However, when asked if they had the technical means to detect access or exfiltration of their data, none of the companies would provide a clear answer.

Clop also listed the recently breached software supply chain giant Blue Yonder, which confirmed a November ransomware attack. Blue Yonder spokesperson Marina Renneke stated that the company uses Cleo to support and manage certain file transfers and is investigating any potential access. However, the company has not provided evidence to support its claim that the Cleo vulnerability is not connected to the cybersecurity incident it experienced in November.

The full extent of the attack remains unclear, with Cleo itself listed as a victim of Clop. The company did not respond to TechCrunch's questions, leaving many questions unanswered. As the situation unfolds, it is essential for organizations to remain vigilant and take proactive measures to ensure system integrity and enhance security monitoring.

The Clop ransomware gang's latest campaign highlights the importance of timely patching and vulnerability management. With the gang threatening to add more victim organizations to its dark web leak site on January 21, the coming days will be crucial in determining the true scope of the attack and the effectiveness of the affected companies' response.

Copyright © 2024 Starfolk. All rights reserved.