Clop Ransomware Strikes Again: Compromises 66 Companies

The Clop ransomware gang has claimed responsibility for a cyberattack that has compromised at least 66 companies by exploiting vulnerabilities in Cleo Software’s widely used file transfer tools. The gang revealed the partial names of the targeted organizations on its dark web portal, threatening to release the full names if ransom demands are not met.

Clop’s latest attack has once again demonstrated the critical security flaws in enterprise file-sharing platforms, many of which have become lucrative targets for ransomware gangs in recent years.

As we reported earlier, the attack revolves around a zero-day vulnerability, identified as CVE-2024-50623, in Cleo Software’s Harmony, VLTrader, and LexiCom tools, which are used by thousands of organizations globally for secure data transfers. Despite a patch released in October, the flaw remained exploitable.

Cybersecurity firm Huntress noted a sharp uptick in exploitation beginning in early December, highlighting how hackers used the vulnerability to establish remote access and conduct reconnaissance on affected networks.

With over 4,200 companies relying on Cleo products, including software developers and logistics firms, the scale of the potential damage could be vast.

Clop, a Russian-linked group with a history of targeting software vulnerabilities, is leveraging its usual tactic of extortion by pressuring victims to pay ransoms in exchange for not publishing stolen data. BleepingComputer reported that Clop provided secure chat links and email addresses for negotiation, warning companies of a 48-hour deadline before their full name is exposed on the dark web site.

This mirrors previous Clop operations, such as their attacks on the MOVEit and GoAnywhere platforms, which resulted in breaches affecting hundreds of organizations. We reported on one of these breaches last year, which targeted Community Health Systems and led to the theft of over 1 million patient records.