Clop Ransomware Targets Gladinet CentreStack in Data Theft Campaign

The Clop ransomware gang (aka Cl0p) has launched a new data theft extortion campaign targeting Internet‑exposed Gladinet CentreStack file servers, continuing its focus on secure file transfer and collaboration platforms.

What’s Happening

  • Target: Gladinet CentreStack servers exposed online.
  • Function of CentreStack: Enables businesses to share on‑premises file server data via browsers, mobile apps, and mapped drives without VPNs.
  • Scale: Used by thousands of businesses across 49+ countries.
  • Current activity:
    • Clop scanning for vulnerable servers.
    • Ransom notes left on compromised systems.
    • 200+ IPs identified with “CentreStack – Login” HTTP titles, making them potential targets.
  • Exploit status: Unknown whether Clop is using a zero‑day or exploiting unpatched flaws already addressed by Gladinet.

Clop’s Attack History

  • Past campaigns: Accellion FTA, GoAnywhere MFT, Cleo, MOVEit Transfer.
    • MOVEit breach alone impacted 2,770+ organizations worldwide.
  • Recent activity: Exploited Oracle EBS zero‑day (CVE‑2025‑61882) in August 2025.
    • Victims included Harvard University, The Washington Post, GlobalLogic, University of Pennsylvania, Logitech, Envoy Air.
  • Tactics:
    • Exfiltrate sensitive files.
    • Publish stolen data on Clop’s dark web leak site.
    • Distribute the data via torrents for maximum exposure.

Geopolitical Context

  • The U.S. Department of State is offering a $10 million reward for information linking Clop’s attacks to a foreign government.
  • Clop is known for high‑impact extortion campaigns and targeting enterprise‑critical infrastructure.

Defensive Recommendations

  • Patch immediately: Ensure all CentreStack servers are updated with Gladinet’s latest fixes.
  • Restrict exposure: Avoid Internet‑facing deployments without layered defenses.
  • Monitor logs: Look for unusual login attempts or ransom note artifacts.
  • Threat hunting: Scan for Clop IoCs (domains, ransom note signatures, exfiltration patterns).
  • Incident response readiness: Prepare for potential data theft scenarios, not just encryption.

Clop’s campaign against CentreStack underscores its consistent strategy of exploiting trusted file‑sharing platforms to maximize impact. The uncertainty around whether a zero‑day or unpatched bug is being used makes rapid patching and exposure reduction critical.
