The Clop ransomware group has listed 66 companies it claims to have breached using a vulnerability in Cleo Software’s file transfer tools. The gang has given the targeted organisations 48 hours to respond to ransom demands or face public exposure. Clop revealed this ultimatum on its dark web portal, naming companies that have not engaged in negotiations, according to a report in BleepingComputer. The gang warned that the full identities of the organisations will be disclosed if the deadline is ignored.

The attack stems from a zero-day vulnerability, CVE-2024-50623, found in Cleo’s Harmony, VLTransfer, and LexiCom products. This flaw allows unrestricted file uploads and downloads, enabling attackers to infiltrate corporate networks and execute remote commands. Cleo has issued patches to address the vulnerability, urging clients to update their systems to mitigate further risks.

Clop has reportedly contacted affected organisations directly, providing secure links and email addresses for negotiations. The group suggested that the list of 66 companies represents only those who have not responded, hinting that the total number of victims may be higher.

Exploiting critical software vulnerabilities

The vulnerability was first disclosed earlier this month by Huntress, a cybersecurity research firm, which confirmed active exploitation of the flaw. Huntress demonstrated a proof-of-concept exploit and reported that attackers had used it to open reverse shells, bypassing security defences on affected networks.

Cleo’s software, utilised by over 4,000 organisations worldwide, is a popular tool for secure file transfers, amplifying the potential scale of this breach. While patches have been issued, cybersecurity experts have raised concerns about their ability to fully prevent exploitation.

This incident follows Clop’s ongoing strategy of targeting vulnerabilities in widely used corporate systems. The group has previously exploited flaws in platforms like Accellion FTA, GoAnywhere MFT, and MOVEit Transfer. It has also been linked to attacks on SolarWinds Serv-U FTP software, demonstrating a consistent focus on compromising critical infrastructure.

Clop stated in its latest announcement that it has purged data from previous attacks as it focuses on its current campaign. By directly communicating with victims and publishing partial company names, the group is employing heightened pressure tactics to secure ransom payments.

The disclosure of partial names of affected companies places additional pressure on organisations to negotiate with the ransomware group. Failure to comply could result in reputational damage alongside operational and financial fallout. For businesses using Cleo’s software, the breach underscores the importance of timely updates and enhanced security measures to prevent similar incidents.

Read more: Cleo releases critical patch for zero-day vulnerability amid active exploitation