Clop ransomware gang names dozens of victims hit by Cleo mass-hack, but many companies dispute breaches


The prolific Clop ransomware gang has named several corporate victims it claims to have hacked in recent weeks after exploiting vulnerabilities in several business file transfer products developed by US software company Cleo.

In a post on its dark web leak site, seen by TechCrunch, the Russian-linked Clop gang listed 59 organizations it claimed had been breached by exploiting a high-risk bug in Cleo’s software tools.

The bug affects Cleo’s LexiCom, VLTransfer, and Harmony products. Cleo first disclosed the vulnerability in a security advisory in October 2024. Security researchers observed hackers exploiting the vulnerability months later, in December.

Clop said in its post that it had notified the organizations it breached, but that the victim organizations did not negotiate with the hackers. Clop threatened to publish the data it allegedly stole on January 18 unless its ransom demands were paid.

Business file transfer tools are a popular target for ransomware hackers – and Clop, in particular – given the sensitive data often stored on these systems. In recent years, ransomware gangs have exploited vulnerabilities in Progress Software’s MOVEit Transfer product and later took credit for the mass exploitation of a vulnerability in Fortra’s GoAnywhere managed file transfer software.

Following the latest hacking spree, at least one company has confirmed an intrusion linked to Clop’s attacks on Cleo systems.

German manufacturing giant Covestro told TechCrunch that it had been contacted by Clop, and has since confirmed that the gang accessed some of the data stored on its systems.

“We have confirmed that there was unauthorized access to a logistics server in the US, which is used to exchange shipping information with our transportation providers,” Covestro spokesman Przemyslaw Jedrysik said in a statement. “In response, we are taking steps to ensure system integrity, improve security monitoring and proactively notify customers.”

Jedrysik confirmed that “most of the information on the server is not sensitive,” but declined to say what types of data were accessed.

Other alleged victims who spoke to TechCrunch disputed Clop’s claims, saying they were not compromised as part of the gang’s latest mass-hacking campaign.

Emily Spencer, a spokeswoman for US car rental giant Hertz, said in a statement that the company was “aware” of Clop’s claims, but said there was “no evidence that the data of Hertz or Hertz systems are affected at this time.”

“Out of an abundance of caution, we continue to actively monitor this matter with the support of our third-party cybersecurity partners,” Spencer added.

Christine Panayotou, a spokeswoman for Linfox, an Australian logistics company listed by Clop on its leak site, also disputed the gang’s claims, saying the company does not use the Cleo software and “has not experienced a cyber incident involving its own systems.”

When asked if Linfox had data accessed due to a cyber incident involving a third party, Panayotou did not respond.

Spokespeople for Arrow Electronics and Western Alliance Bank also told TechCrunch that they found no evidence that their systems were compromised.

Clop also listed the recently breached software supply chain giant Blue Yonder. The company, which confirmed the ransomware attack in November, has a cybersecurity incident page that has not been updated since December 12.

When last reached by TechCrunch, Blue Yonder spokeswoman Marina Renneke confirmed on December 26 that the company “uses Cleo to support and manage some file transfers” and that it is investigating any possible access, but added that the company “has no reason to believe Cleo’s vulnerability is connected to the cybersecurity incident we experienced in November.” The company did not provide evidence for the claim, nor did it provide any recent comment when reached this week.

When asked by TechCrunch, none of the companies that responded would say if they have technical means, such as logs, to determine access or exfiltration of their data.

TechCrunch has not yet received responses from the other organizations listed on Clop’s leak site. Clop claims it will add more victims to its dark web leak site on January 21.

It’s not yet known how many companies have been targeted, and Cleo — which is itself listed as a victim of Clop — did not respond to TechCrunch’s questions.
