{
	"id": "7fcedbf2-303a-423c-a962-ca984c2ad654",
	"created_at": "2026-04-06T00:06:54.467215Z",
	"updated_at": "2026-04-10T13:12:32.107293Z",
	"deleted_at": null,
	"sha1_hash": "8020cc52d82eded40c74db5e1ce494773a0e771e",
	"title": "Clop ransomware gang begins extorting GoAnywhere zero-day victims",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1582225,
	"plain_text": "Clop ransomware gang begins extorting GoAnywhere zero-day victims\r\nBy Lawrence Abrams\r\nPublished: 2023-03-11 · Archived: 2026-04-05 18:47:33 UTC\r\nThe Clop ransomware gang has begun extorting companies whose data was stolen using a zero-day vulnerability in the\r\nFortra GoAnywhere MFT secure file-sharing solution.\r\nIn February, the GoAnywhere MFT file transfer solution developers warned customers that a zero-day remote code\r\nexecution vulnerability was being exploited on exposed administrative consoles.\r\nGoAnywhere is a secure web file transfer solution that allows companies to securely transfer encrypted files with their\r\npartners while keeping detailed audit logs of who accessed the files.\r\nhttps://www.bleepingcomputer.com/news/security/clop-ransomware-gang-begins-extorting-goanywhere-zero-day-victims/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/clop-ransomware-gang-begins-extorting-goanywhere-zero-day-victims/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nWhile no details were publicly shared on how the vulnerability was exploited, a proof-of-concept exploit was soon released,\r\nfollowed by a patch for the flaw.\r\nThe day after the release of the GoAnywhere patch, the Clop ransomware gang contacted BleepingComputer and said they\r\nwere responsible for the attacks.\r\nThe extortion group said they used the flaw over ten days to steal data from 130 companies. At the time, BleepingComputer\r\ncould not independently confirm these claims, and Fortra did not respond to our emails.\r\nSince then, two companies, Community Health Systems (CHS) and Hatch Bank, disclosed that data was stolen in the\r\nGoAnywhere MFT attacks.\r\nClop begins extorting GoAnywhere customers\r\nLast night, the Clop ransomware gang began publicly exploiting victims of the GoAnywhere attacks by adding seven new\r\ncompanies to their data leak site.\r\nOnly one of the victims, Hatch Bank, is publicly known to have been breached using the vulnerability. However,\r\nBleepingComputer has learned that at least two other listed companies had their data stolen using this flaw as well.\r\nThe entries on the data leak site all state that the release of data is \"coming soon\" but include screenshots of allegedly stolen\r\ndata.\r\nHatch Bank listed on Clop's data leak site\r\nSource: BleepingComputer\r\nFurthermore, BleepingComputer has been told that victims have begun to receive ransom demands from the ransomware\r\ngang.\r\nWhile it is unclear how much the threat actors are demanding, they had previously demanded $10 million in ransoms in\r\nsimilar attacks using an Accellion FTA zero-day vulnerability in December 2020.\r\nDuring these attacks, the extortion group stole large amounts of data from nearly 100 companies worldwide, with the threat\r\nactors slowly leaking data from companies while demanding million-dollar ransoms.\r\nOrganizations that had their Accellion servers hacked include, among others, energy giant Shell, cybersecurity firm\r\nQualys, supermarket giant Kroger, and multiple universities worldwide such as Stanford Medicine, University of Colorado,\r\nhttps://www.bleepingcomputer.com/news/security/clop-ransomware-gang-begins-extorting-goanywhere-zero-day-victims/\r\nPage 3 of 4\n\nUniversity of Miami, University of California, and the University of Maryland Baltimore (UMB).\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/clop-ransomware-gang-begins-extorting-goanywhere-zero-day-victims/\r\nhttps://www.bleepingcomputer.com/news/security/clop-ransomware-gang-begins-extorting-goanywhere-zero-day-victims/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/clop-ransomware-gang-begins-extorting-goanywhere-zero-day-victims/"
	],
	"report_names": [
		"clop-ransomware-gang-begins-extorting-goanywhere-zero-day-victims"
	],
	"threat_actors": [],
	"ts_created_at": 1775434014,
	"ts_updated_at": 1775826752,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8020cc52d82eded40c74db5e1ce494773a0e771e.pdf",
		"text": "https://archive.orkl.eu/8020cc52d82eded40c74db5e1ce494773a0e771e.txt",
		"img": "https://archive.orkl.eu/8020cc52d82eded40c74db5e1ce494773a0e771e.jpg"
	}
}