Clop Ransomware operators plunder US universities

Pierluigi Paganini April 04, 2021

Clop ransomware gang leaked online data stolen from Stanford Medicine, University of Maryland Baltimore, and the University of California.

Clop ransomware operators have leaked the personal and financial information stolen from Stanford Medicine, University of Maryland Baltimore (UMB), and the University of California..

Data were stolen by the ransomware gang by compromising the Accellion File Transfer Appliance (FTA) application used by the universities to share information.

Recently multiple universities were hit by CLOP operators, experts speculate all the the attacks are linked to Accellion security breach.

The University told DataBreaches.net that hackers had accessed a limited number of files in its system containing some personally identifiable information.

“In late December, CLOP breached the security of our Accellion file transfer system. This system was used by our students, faculty, and staff to transfer encrypted files. We discovered the breach earlier this week, when the hackers posted evidence that they had accessed a limited number of files in our system containing some personally identifiable information.” said UMD representative Alex Likowski.

The same ransomware gang also breached the Accellion server used by Stanford Medicine at the Stanford University.

“Hackers have leaked stolen data belonging to members of the Stanford community — including Social Security numbers, addresses, emails, family members and financial information — after obtaining the data from a compromised file transfer system used by the Stanford University.” reads the statement published bythe Stanford University.

“The leaked Stanford data is part of a massive data breach affecting numerous businesses and universities that targeted a widely-used file transfer service, Accellion, used by the University.”

In February, security experts from FireEye linked a series of cyber attacks against organizations running Accellion File Transfer Appliance (FTA) servers to the cybercrime group UNC2546, aka FIN11.

The wave of attacks began in mid-December 2020, threat actors exploited multiple zero-day vulnerabilities in the Accellion File Transfer Appliance (FTA) software to deploy a shell dubbed DEWMODE on the target networks.

The attackers exfiltrate sensitive data from the target systems and then published it on the CLOP ransomware gang’s leak site.

It has been estimated that the group has targeted approximately 100 companies across the world between December and January.

FireEye pointed out that despite FIN11 hackers are publishing data from Accellion FTA customers on the Clop ransomware leak site, they did not encrypt systems on the compromised networks.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Clop ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini July 20, 2025

Singapore warns China-linked group UNC3886 targets its critical infrastructure

Pierluigi Paganini July 03, 2025