Cl0p, the notorious ransomware gang with ties to Russia, claims to have published a large volume of files belonging to Rackspace Technology, a major US-based cloud storage company.
This data breach, involving the exfiltration of sensitive data, occurred after Rackspace allegedly refused to comply with Cl0p’s ransom demands.
The publication of stolen data took place on their dark web leak site, highlighting the ongoing threat posed by sophisticated ransomware actors targeting enterprise security and cloud security infrastructure.
Cl0p’s Announcement and Rackspace’s Response
Cl0p’s announcement on their leak site stated: “DEAR COMPANIES. Below you can find a list of companies that were notified but ignored and did not contact us,” followed by three email addresses for victims to contact them.
In bold red capital letters, they declared: “RACKSPACE.COM FULL FILES PUBLISHED VIA TOR.” Rackspace, boasting an annual revenue of $2.8 billion and serving nearly 600,000 companies, many in the US retail sector, has yet to publicly comment on the alleged data breach. Cybernews has reached out for comment but is awaiting a response.
This isn’t Rackspace’s first encounter with ransomware. In December 2022, the Play ransomware group breached their hosted exchange email environment using an unknown exploit.
Rackspace operates globally, with approximately 8,000 employees and data centers across multiple countries, including the US, Canada, India, and several European and Asian locations. The Cl0p ransomware gang alleges Rackspace “doesn’t care about its customers, it ignored their security!!!”
The leak site shows six separate file downloads, though the exact number of files, data size, and type of information remain unconfirmed. This incident underscores the critical need for robust cloud security measures to protect against increasingly sophisticated threat actors.
Extensive List of Cleo Victims Also Revealed: A Pattern of Attacks on File Transfer Software
Beyond the Rackspace breach, Cl0p’s leak site also lists approximately 170 other companies, seemingly victims of a separate hacking spree exploiting zero-day vulnerabilities in Cleo’s file transfer software (Cleo Harmony, Cleo VLTrader, and Cleo LexiCom).
This attack, along with previous breaches targeting MOVEit and Fortra GoAnywhere file management software, reveals a disturbing pattern of ransomware attacks exploiting vulnerabilities in popular file transfer applications.
Prominent names on this list include Home Depot (Mexico), though they have denied involvement, along with Lolly Togs, Nature Sweet, Petmate, Simple Human, and VS Logistics.
Cl0p started leaking data from these Cleo hacks shortly before the New Year. Dozens of companies have since been listed as having their data published.
Blue Yonder, a supply chain software provider with clients like Starbucks and BIC, was among the first victims listed, although they also denied Cl0p’s involvement in their November breach. Other notable victims listed include Western Alliance Bank, Hertz, Chicago Public Schools, Nissin Foods, and SDI Technologies.
Mandiant, a Google-owned threat intelligence firm, traced the mass Cleo exploitation back to October 2024, noting the deployment of several backdoors on compromised systems.
Cl0p’s History of Large-Scale Attacks and the Ongoing Threat
The Cl0p ransomware group is infamous for its involvement in the 2023 MOVEit and Fortra GoAnywhere file management software hacks. The MOVEit breach was one of history’s largest hacking campaigns, affecting over 2,600 organizations and nearly 90 million individuals.
Estimates suggest Cl0p earned $75 million to $100 million from the MOVEit hacks alone. This latest attack on Rackspace and the numerous Cleo victims underscores the ongoing threat posed by this sophisticated ransomware gang and the critical need for enhanced enterprise security practices.