Clop ransomware gang names dozens of victims hit by Cleo mass-hack, but several firms dispute breaches


The sprawling Clop ransomware gang has named dozens of corporate victims it claims to have hacked in recent weeks after exploiting a vulnerability in several popular enterprise file transfer products made by US software company Cleo.

In a post on its dark web leak site seen by TechCrunch, the Russia-linked Clop gang listed 59 companies it claims to have breached by exploiting a high-risk bug in Cleo’s software tools.

The flaw affects Cleo’s LexiCom, VLTrader and Harmony products. Cleo first disclosed the vulnerability in an October 2024 security advisory. Security researchers found hackers exploiting the vulnerability months later, in December.

Clop claimed in its post that it had notified the breached companies, but that the victim companies had not negotiated with the hackers. Clop is threatening to release the stolen data on January 18 unless its ransom demands are paid.

Enterprise file transfer tools are a popular target among ransomware hackers – and Clop in particular – given the sensitive data often stored on these systems. In recent years, ransomware gangs have exploited vulnerabilities in Progress Software’s MOVEit file transfer product and later took credit for the extensive exploitation of a vulnerability in Fortra’s GoAnywhere managed file transfer software.

Following its most recent hacking spree, at least one company has confirmed a breach linked to Clop’s attacks on Cleo systems.

German manufacturing giant Covestro told TechCrunch that it was contacted by Clop and has since confirmed that the gang accessed certain data stores on its systems.

“We have confirmed that there was unauthorized access to a US logistics server, which is used to exchange shipping information with our transportation providers,” Covestro spokeswoman Przemysla Jedricic said in a statement. “In response, we have taken measures to ensure system integrity, increase security monitoring and proactively notify customers.”

Jedricic confirmed that “most of the information on the server was not of a sensitive nature,” but declined to say what kind of data was accessed.

Other alleged victims TechCrunch spoke to disputed Clop’s claims, saying they were not compromised as part of the gang’s latest mass hacking campaign.

Emily Spencer, a spokeswoman for US car rental giant Hertz, said in a statement that the company was “aware of Clop’s claims,” but said there was “no evidence at this time that Hertz data or Hertz systems were affected.”

“Out of an abundance of caution, we continue to actively monitor this matter with the support of our third-party cybersecurity partners,” Spencer added.

Christine Panayiotou, a spokeswoman for Linfox, an Australian logistics firm listed on Clop’s leak site, also disputed the gang’s claims, saying the company does not use Cleo software and “has not experienced a cyber incident involving its own systems.”

Asked whether Linfox data had been accessed through a cyber incident involving a third party, Panayiotou did not respond.

Spokespeople for Arrow Electronics and Western Alliance Bank also told TechCrunch that they had no evidence that their systems had been compromised.

Also listed by Clop is software supply chain giant Blue Yonder, which recently suffered a breach. The company, which confirmed the ransomware attack in November, has not updated its cybersecurity incident page since December 12.

When last reached by TechCrunch on Dec. 26, Blue Yonder spokeswoman Marina Renecke confirmed that the company “uses Cleo to support and manage certain file transfers” and that it was investigating any potential access, but added that the company had “no reason to believe the Cleo vulnerability is linked to the cybersecurity incident we experienced in November.” The company did not provide evidence for the claim, or provide any recent comment when reached this week.

When asked by TechCrunch, none of the companies that responded would say whether they had the technical means, such as logs, to determine what data had been accessed or exfiltrated.

TechCrunch has yet to hear back from the other companies listed on Clop’s leak site. Clop claims it will add more victim organizations to its dark web leak site on January 21.

It’s not yet known how many companies have been targeted, and Cleo – which is itself listed as a victim of Clop – did not respond to TechCrunch’s queries.
