Cl0p ransom gang says ‘contact us’ or we'll publish data of 59 Cleo victims


In a déjà vu of the MOVEit hacks, the Cl0p ransomware gang has threatened to publish the data of 59 companies it compromised in a December breach of the Cleo file transfer platform – unless those companies start engaging in ransom negotiations by Friday.

“We have data of many companies who use cleo. Our teams are reaching and calling your company and provide your special secret chat,” Cl0p wrote on its dark leak blog Wednesday.

“YOU HAVE UNTIL FRIDAY IF ALL THE DATA IS PUBLISHED AFTER THAT,” the group posted, along with a list of all the alleged victims “that were notified but ignored and did not contact us.”

Cl0p Cleo hacks post 2
Cl0p leak site. Image by Cybernews.

The Russian-linked cybercriminals, marking their publish date as Saturday, January 18th, also provided several email addresses for companies to contact if they were unsure whether the gang had stolen their data.

On top of the publish warning, another post announced the gang would “partially open and present a new part of the companies list” the following Tuesday, January 21st, again urging its victims to contact the group to avoid being publicly named.

The statement implies that there are more compromised victims than the original 66 first posted by Cl0p in December.


Cl0p announced just before the new year that it had breached over 60 companies, taking advantage of two zero-day vulnerabilities in Cleo's file transfer software programs, including Cleo Harmony, Cleo VLTrader, and Cleo LexiCom.

Cleo hack victims posted on the Cl0p site include major companies and organizations such as Western Alliance Bank, Hertz, Chicago Public Schools, Nissin Foods (maker of Ramen Cup Noodles), and SDI Technologies (Timex, iHome), among others.

Blue Yonder, a leading supply chain software provider, with clients like Starbucks, BIC, and several major UK grocery chains, was the first victim to be outed by the ransomware cartel on its dark leak site on Christmas Eve, although the company has denied Cl0p was involved in its most recent November breach.


Threat researchers at Google’s Mandiant traced the mass Cleo exploitation back to October, and also reported observing several backdoors being deployed on compromised systems. In its initial report, Mandiant stated there was no evidence of large-scale data exfiltration.

Cleo has since patched the vulnerabilities and has urged its more than 4,200 global clients to update to the latest versions of all Cleo software, available on the company website.

Cl0p's moves appear to mimic its infamous Progress MOVEit and Fortra GoAnywhere file transfer software hacks. In the aftermath of those attacks, the gang likewise first released the names of its victims in dribs and drabs over several months, at times dropping 50 or 60 new victims all at once, and used similar threat tactics to extort its ransom demands.

Paulina Okunyte Gintaras Radauskas vilius Niamh Ancell BW

Taking place in 2023, the MOVEit attacks were reported to have impacted over 2,600 organizations and almost 90 million individuals, according to KonBriefing. In comparison, the GoAnywhere hacks only compromised roughly 130 organizations.

Cl0p is said to have made between $75 million and $100 million from the MOVEit hacks alone.