Full Report
The Clop ransomware gang (also known as Cl0p) is targeting Internet-exposed Gladinet CentreStack file servers in a new data theft extortion campaign. Gladinet CentreStack enables businesses to securely share files hosted on on-premises file servers through web browsers, mobile apps, and mapped drives without requiring a VPN. According to Gladinet, CentreStack "is used by thousands of businesses from over 49 countries."
Analysis Summary
# Threat Actor: Clop Ransomware Gang
## Attribution & Identity
- **Threat Actor:** Clop ransomware gang.
- **Known Aliases:** Cl0p.
- **Known Associations:** Currently no foreign government association is specified, though the U.S. Department of State is offering a $10 million reward for information linking the gang's attacks to a foreign government.
## Activity Summary
Clop is currently engaged in a new data theft extortion campaign specifically targeting **Internet-exposed Gladinet CentreStack file servers**. They are actively scanning for and breaching these servers, leaving ransom notes on compromised systems. This follows a long history of targeting file-sharing solutions for data exfiltration and extortion.
## Tactics, Techniques & Procedures
- **Data Exfiltration/Theft:** The core objective of the current campaign involves stealing sensitive files from victim servers.
- **Exploitation of Vulnerabilities:** Clop is exploiting an as-yet-unidentified vulnerability in CentreStack (no CVE has been attributed), which could be a recently disclosed "n-day" flaw or an unpatched zero-day.
- **Extortion:** Leaving ransom notes on compromised servers indicates an extortion phase following data theft.
- **Data Publication:** After exfiltration, Clop publishes the stolen data on their dark web leak site and makes it available via Torrent.
*Note: Specific MITRE ATT&CK IDs are not provided in the source article.*
## Targeting
- **Sectors:** General businesses utilizing Gladinet CentreStack for secure file sharing.
- **Geography:** CentreStack is used globally, with customers reported in **over 49 countries**.
- **Victims:** The current campaign against CentreStack has potential targets estimated at **200+ unique IPs** exhibiting the "CentreStack - Login" HTTP Title, although specific named victims of the *CentreStack* campaign are not detailed. (Historical targets include Harvard University, The Washington Post, Logitech, etc., during the Oracle campaign).
## Tools & Infrastructure
- **Malware Families Used:** Clop ransomware (implied, as they are identified as the Clop ransomware gang).
- **Infrastructure:** Operates a **dark web leak site** for publishing stolen data.
- **Specific Vulnerabilities Exploited (Historical Context/Precedent):**
  * Previously targeted flaws in Accellion FTA, GoAnywhere MFT, Cleo, and MOVEit Transfer.
  * Most recently exploited an Oracle EBS zero-day flaw (**CVE-2025-61882**).
## Implications
The campaign highlights Clop's continued focus on exploiting vulnerabilities in widely used enterprise file transfer, management, and data-sharing solutions (secure file transfer and managed file transfer appliances). The exploitation of an unidentified vulnerability in CentreStack presents an immediate risk to the thousands of organizations relying on this software. Clop's established pattern of data theft followed by public shaming implies a high likelihood of data exposure for compromised victims.
## Mitigations
- **Patch Management:** Immediately apply all security updates released by Gladinet since April to address previously disclosed flaws, since the current attacks may be exploiting an older vulnerability that is already patched but not yet applied.
- **Vulnerability Management:** Strictly monitor for and prioritize patching any newly disclosed CVEs affecting Gladinet CentreStack.
- **Network Segmentation/Exposure:** Review the external exposure of CentreStack servers and restrict Internet access where possible, to limit exposure to an exploit that is not yet understood.
- **Monitoring:** Monitor perimeter logs and defenses for unrecognized scanning of CentreStack login pages, consistent with Clop's targeting methodology.
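The two mitigations above (exposure review and monitoring for scanning) can be turned into concrete checks. The following Python script is an added example written for this summary; it is not code from the source report or from Gladinet. It uses the one fingerprint the report gives, the `CentreStack - Login` HTTP title, to flag which of your own hosts present the login page to the Internet, and it walks web access logs to list source IPs outside your known ranges that fetched the login page without ever attempting to log in. The log format, the login path `/portal/login`, the host names and the IP ranges are constructed assumptions for the demo, not values from the report.

```python
"""Added defensive example (not from the source report): exposure inventory
and scan detection for operators running Gladinet CentreStack.

Assumptions (constructed for the demo, adjust to your deployment):
  - access logs are in Apache/IIS-style combined format
  - the CentreStack login page is served at LOGIN_PATH
  - KNOWN_RANGES lists the networks your legitimate users come from
"""
import ipaddress
import re
from collections import defaultdict
from html.parser import HTMLParser

# Exact HTTP title the report says identifies ~200+ exposed servers.
CENTRESTACK_TITLE = "CentreStack - Login"


class _TitleParser(HTMLParser):
    """Minimal parser that collects the text inside <title>...</title>."""

    def __init__(self):
        super().__init__()
        self._in_title = False
        self.title = ""

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag.lower() == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def page_title(html: str) -> str:
    """Return the whitespace-normalised <title> of an HTML document."""
    p = _TitleParser()
    p.feed(html)
    return " ".join(p.title.split())


def classify_exposure(responses: dict) -> list:
    """responses maps host -> HTML body fetched from that host's public IP.
    Returns the hosts whose title matches the CentreStack login fingerprint,
    i.e. the hosts an Internet-wide scan would also pick up."""
    return sorted(h for h, body in responses.items()
                  if page_title(body) == CENTRESTACK_TITLE)


# Combined log format (constructed sample below). Only the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3})'
)

LOGIN_PATH = "/portal/login"  # assumed path, not from the report
KNOWN_RANGES = [ipaddress.ip_network("10.0.0.0/8"),        # constructed
                ipaddress.ip_network("203.0.113.0/24")]    # constructed


def _is_known(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in KNOWN_RANGES)


def find_scanners(log_lines) -> dict:
    """Return {ip: hits} for sources outside KNOWN_RANGES that fetched the
    login page (GET) but never POSTed to it. A real user loads the page and
    then submits credentials; a fingerprinting scanner only fetches it."""
    gets = defaultdict(int)
    posted = set()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["path"] != LOGIN_PATH:
            continue
        ip = m["ip"]
        if m["method"] == "GET":
            gets[ip] += 1
        elif m["method"] == "POST":
            posted.add(ip)
    return {ip: n for ip, n in gets.items()
            if ip not in posted and not _is_known(ip)}


# Constructed sample data so the script runs offline.
SAMPLE_RESPONSES = {
    "files.example.com": "<html><head><title> CentreStack - Login </title></head></html>",
    "www.example.com": "<html><head><title>Example Corp</title></head></html>",
}
SAMPLE_LOG = [
    '10.1.2.3 - - [10/Nov/2025:08:00:01 +0000] "GET /portal/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.1.2.3 - - [10/Nov/2025:08:00:09 +0000] "POST /portal/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Nov/2025:08:01:02 +0000] "GET /portal/login HTTP/1.1" 200 5120 "-" "python-requests/2.32"',
    '198.51.100.9 - - [10/Nov/2025:08:01:02 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "python-requests/2.32"',
    '192.0.2.44 - - [10/Nov/2025:08:03:40 +0000] "GET / HTTP/1.1" 200 310 "-" "curl/8.0"',
    '192.0.2.44 - - [10/Nov/2025:08:03:41 +0000] "GET /portal/login HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '198.51.100.50 - - [10/Nov/2025:09:10:00 +0000] "GET /portal/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.50 - - [10/Nov/2025:09:10:07 +0000] "POST /portal/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("Hosts presenting the CentreStack login page:", classify_exposure(SAMPLE_RESPONSES))
    print("Unknown sources that only fetched the login page:", find_scanners(SAMPLE_LOG))
```

In practice `classify_exposure` is fed the bodies returned by your own hosts' public addresses (or your external scanner's results), so that anything it lists is either placed behind the VPN/reverse proxy or consciously accepted; `find_scanners` is run over the previous day's perimeter or reverse-proxy logs, and the IPs it returns are the ones to correlate with the patch status of that server.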