{
	"id": "74f73239-96a8-4126-a2d6-c2857946c025",
	"created_at": "2026-04-06T00:11:05.288249Z",
	"updated_at": "2026-04-10T03:19:56.891202Z",
	"deleted_at": null,
	"sha1_hash": "b6e82867bf40e6f3bb37e4f454b425825fd25170",
	"title": "Clop ransomware is now extorting 66 Cleo data-theft victims",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2396496,
	"plain_text": "Clop ransomware is now extorting 66 Cleo data-theft victims\r\nBy Bill Toulas\r\nPublished: 2024-12-24 · Archived: 2026-04-05 13:05:19 UTC\r\nThe Clop ransomware gang started to extort victims of its Cleo data theft attacks and announced on its dark web portal that\r\n66 companies have 48 hours to respond to the demands.\r\nThe cybercriminals announced that they are contacting those companies directly to provide links to a secure chat channel for\r\nconducting ransom payment negotiations. They also provided email addresses where victims can reach out themselves.\r\nIn the notification on their leak site, Clop lists 66 partial names of companies that did not engage the hackers for\r\nnegotiations. If these companies continue to ignore them, Clop threatens to disclose their full names in 48 hours.\r\nThe hackers note that the list represents only victims that have been contacted but did not respond to the message,\r\nsuggesting that the list of affected companies may be larger.\r\nClop achieves another major breach\r\nThe Cleo data theft attack represents another major success for Clop, which leveraged a zero-day vulnerability in\r\nCleo LexiCom, VLTrader, and Harmony products to steal data from the networks of breached companies.\r\nIn the past, Clop ransomware accessed company networks by exploiting zero-day vulnerabilities in the Accellion FTA secure\r\nfile transfer platform, the GoAnywhere MFT platform, and the MOVEit Transfer platform.\r\nThe gang is also responsible for another hacking spree targeting companies running the SolarWinds Serv-U FTP software.\r\nThe zero-day flaw exploited this time is now tracked as CVE-2024-50623 and 
it allows a remote attacker to perform\r\nunrestricted file uploads and downloads, leading to remote code execution.\r\nA fix is available for Cleo Harmony, VLTrader, and LexiCom version 5.8.0.21, and the vendor warned in a private advisory\r\nthat hackers were exploiting it to open reverse shells on compromised networks.\r\nEarlier this month, Huntress publicly disclosed that the vulnerability was actively exploited and sounded the alarm that the\r\nvendor’s fix could be bypassed. The researchers also provided a proof-of-concept (PoC) exploit to demonstrate their\r\nfindings.\r\nA few days later, Clop ransomware confirmed to BleepingComputer that it was responsible for exploiting CVE-2024-50623.\r\nThe infamous ransomware group declared that data from previous attacks will now be deleted from its platform as it focuses\r\non the new extortion round.\r\nIn an email to BleepingComputer, Macnica researcher Yutaka Sejiyama said that even with the incomplete company names\r\nthat Clop published on its data leak site, it is possible to identify some of the victims by simply cross-checking the hacker's\r\nhints with owners of Cleo servers exposed on the public web.\r\nAt this time, it is unknown how many companies have been compromised by Clop’s latest attack wave, but Cleo claims that\r\nits software is used by more than 4,000 organizations worldwide.\r\nSource: https://www.bleepingcomputer.com/news/security/clop-ransomware-is-now-extorting-66-cleo-data-theft-victims/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/clop-ransomware-is-now-extorting-66-cleo-data-theft-victims/"
	],
	"report_names": [
		"clop-ransomware-is-now-extorting-66-cleo-data-theft-victims"
	],
	"threat_actors": [],
	"ts_created_at": 1775434265,
	"ts_updated_at": 1775791196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b6e82867bf40e6f3bb37e4f454b425825fd25170.pdf",
		"text": "https://archive.orkl.eu/b6e82867bf40e6f3bb37e4f454b425825fd25170.txt",
		"img": "https://archive.orkl.eu/b6e82867bf40e6f3bb37e4f454b425825fd25170.jpg"
	}
}