The prolific Clop ransomware gang has released a list of dozens of corporate victims it claims to have hacked in recent weeks by exploiting vulnerabilities in several popular enterprise file transfer products developed by US software company Cleo.
In a post on its dark web leak site seen by TechCrunch, the Russia-linked Clop gang listed 59 organizations it claimed to have compromised by exploiting high-risk vulnerabilities in Cleo software tools.
The flaw affects Cleo's LexiCom, VLTransfer and Harmony products. Cleo first disclosed the vulnerability in an October 2024 security advisory, and a few months later, security researchers observed hackers exploiting the vulnerability at scale.
Clop claimed in the post that it notified the organizations it compromised, but that the victim organizations did not negotiate with the hackers. Clop threatened to release, on January 18, the data it allegedly stole unless a ransom was paid.
Enterprise file transfer tools are popular targets for ransomware hackers, especially Clop, because sensitive data is often stored in these systems. In recent years, the ransomware gang has exploited vulnerabilities in Progress Software's MOVEit Transfer product, and was later credited with large-scale exploitation of vulnerabilities in Fortra's GoAnywhere hosted file transfer software.
Following the latest hack, at least one company has confirmed intrusions related to Clop's attack on Cleo systems.
German manufacturing giant Covestro told TechCrunch that Clop had contacted the company and confirmed that the gang had accessed certain data storage on its systems.
"We confirm that there was unauthorized access to a U.S. logistics server used to exchange shipping information with our shipping providers," Covestro spokesman Przemyslaw Jedrysik said in a statement. "In response, we have taken measures to ensure system integrity, enhance security monitoring and proactively notify customers."
Jedrysik confirmed that "much of the information contained on the server was not considered sensitive," but declined to say what types of data were accessed.
Other victims TechCrunch spoke to disputed Clop's claims and said they were not compromised in the gang's latest massive hacking campaign.
Emily Spencer, a spokesperson for U.S. car rental giant Hertz, said in a statement that the company was "aware" of Clop's claims, but said there was "currently no evidence that Hertz data or Hertz systems have been compromised."
"Out of an abundance of caution, we will continue to actively monitor this matter with the support of our third-party cybersecurity partners," Spencer added.
Christine Panayotou, a spokesperson for Linfox, the Australian logistics company listed on Clop's leak site, also disputed the gang's claims, saying the company does not use Cleo software and has "not experienced a cyber incident involving its own systems."
Panayotou did not respond when asked whether Linfox's data had been accessed as a result of a cyber incident involving a third party.
Spokespeople for Arrow Electronics and Western Alliance Bank also told TechCrunch they had found no evidence that their systems had been compromised.
Clop also listed software supply chain giant Blue Yonder, which was recently compromised. The company confirmed the ransomware attack in November but has not updated its cybersecurity incident page since December 12.
When TechCrunch last contacted Blue Yonder, spokesperson Marina Renneke confirmed on December 26 that the company "uses Cleo to support and manage certain file transfers" and was investigating any potential access, but added that the company has "no reason to believe that the Cleo vulnerability is related to the cybersecurity incident we experienced in November." The company did not provide evidence to support this claim, nor did it provide any updated comment this week.
When asked by TechCrunch, none of the companies that responded said whether they had technical means, such as logs, to detect access or leaks of data.
TechCrunch has not yet received responses from the other organizations listed on Clop's leak site. Clop claims it will add more victims to its darknet leak site on January 21.
It's unclear how many companies were targeted, and Cleo itself was listed as a victim of Clop but did not respond to TechCrunch's questions.