Clop gang targets companies through Cleo software

Russian ransomware group says it will release stolen data over the weekend

The Clop ransomware group claims to have targeted many organisations in a new cyber campaign, exploiting a vulnerability in enterprise file transfer tools developed by the US software firm Cleo.

Clop is a Russian-linked hacking group that claimed responsibility for a massive attack affecting companies including BA, Boots and the BBC two years ago. That incident was carried out through a breach at shared payment provider Zellis, and the new campaign appears to follow a similar pattern.

Clop has claimed responsibility for breaching 59 companies by exploiting a critical flaw in a software supplier working with all the affected firms. It specifically points to flaws in Cleo’s LexiCom, VLTransfer and Harmony products. Cleo disclosed the vulnerability in an October 2024 security advisory, but attackers began mass exploiting the weakness by December.

Clop alleges it contacted the affected organisations but claims they refused to negotiate. The group has now threatened to release the stolen data on 18th January if its ransom demands are not met.

Enterprise file transfer software is a frequent target for ransomware groups due to the sensitive data the systems handle. Clop, in particular, has a history of exploiting such vulnerabilities, previously attacking Progress Software’s MOVEit Transfer tool and Fortra’s GoAnywhere managed file transfer product.

At least one company has confirmed being impacted by the Cleo-related breach. German manufacturing giant Covestro admitted unauthorised access to a US logistics server it uses for sharing shipping information with transport providers.

As quoted by TechCrunch, Covestro spokesperson Przemyslaw Jedrysik said the company had implemented measures to enhance system security and notify affected parties, emphasising that “most” of the accessed data was not highly sensitive.

However, other alleged victims have disputed Clop’s claims. Car rental company Hertz acknowledged its awareness of the group’s assertions, but said there was no evidence of a compromise. Similarly, Australian logistics firm Linfox denied using Cleo’s software or experiencing any related incidents.

Several other companies listed by Clop, including Arrow Electronics and Western Alliance Bank, reported no evidence of system breaches. Meanwhile, Blue Yonder, a supply chain software provider, noted it uses Cleo for certain file transfers but stated there was no indication the vulnerability was linked to its earlier ransomware attack in November.

Cleo itself, which Clop has also listed as a victim, has yet to respond to inquiries about the scope of the breach. Clop has threatened to add more companies to its leak site by 21st January, leaving the full extent of the campaign unclear.
