Pierluigi Paganini March 30, 2025

The Walmart-owned membership warehouse club chain Sam’s Club is investigating claims of a Cl0p ransomware security breach.

Sam’s Club is a membership warehouse club chain in the United States, owned by Walmart. Founded in 1983 by Sam Walton, Walmart’s founder, as Sam’s Wholesale Club, it was renamed Sam’s Club in 1990. These stores operate on a bulk retail model, offering members discounted prices on a wide range of products, including electronics, clothing, food, and household items. Sam’s Club reported $86 billion in net sales for fiscal year 2024, with a revenue growth of 2.2% compared to the previous year. This represents a significant portion of Walmart’s overall earnings, as Sam’s Club accounts for about 13% of Walmart’s consolidated net sales.

This week, Cl0p ransomware group listed Sam’s Club among the victims of its December Cleo software exploit, accusing it of ignoring security. The ransomware gang did not leak the alleged stolen data as proof of the data breach.

The company announced that it is investigating claims of a Clop ransomware breach, but has seen no evidence of a breach.

“We are aware of reports regarding a potential security incident and are actively investigating the matter,” a company spokesperson told BleepingComputer. “Protecting the privacy and security of our members’ information is a top priority at Sam’s Club. We take these concerns seriously and will communicate further as appropriate.”

Ransomware gang Cl0p leaked files from Rackspace Technology and listed ~170 companies allegedly hacked via zero-day vulnerabilities in Cleo’s file-transfer software. Victims include Petmate, and Simple Human. Cl0p began leaking data in late December, with supply chain firm Blue Yonder among the first named, despite denying Cl0p caused its November breach. Many companies are still investigating the alleged data breach.

In January, the Clop ransomware group added 59 new companies to its leak site, the gang claimed to have breached them by exploiting a vulnerability ​​in Cleo file transfer products. 

“We have data of many companies who use cleo. Our teams are reaching and calling your company and provide your special secret chat.
If you are not sure if we have your data.
emails us here” reads the Cl0p announcement published on its Tor leak site.

In December 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability CVE-2024-50623 (CVSS score 8.8), which impacts multiple Cleo products to its Known Exploited Vulnerabilities (KEV) catalog.

“Cleo has identified an unrestricted file upload and download vulnerability (CVE-2024-50623) that could lead to remote code execution.” reads the advisory. “Cleo strongly advises all customers to immediately upgrade instances of Harmony, VLTrader, and LexiCom to the latest released patch (version 5.8.0.21) to address additional discovered potential attack vectors of the vulnerability. ”

The vulnerability affects the following products LexiCom before version 5.8.0.21, Harmony prior to version 5.8.0.21, and VLTrader prior to version 5.8.0.21.

On December 9, reports of active exploitation targeting Cleo file transfer software began circulating among cybersecurity community. Security firm Huntress publicly disclosed ongoing exploitation involving three different Cleo products.

“On December 3, Huntress identified an emerging threat involving Cleo’s LexiCom, VLTransfer, and Harmony software, commonly used to manage file transfers.” reads the post published by Huntress. “We’ve directly observed evidence of threat actors exploiting this software en masse and performing post-exploitation activity.”

Huntress researchers created a proof of concept and learned the patch does not mitigate the software flaw. The experts warned that fully patched systems running 5.8.0.21 are still exploitable.

In January, the Clop ransomware group claimed to have contacted the breached organizations, but they ignored ransom negotiations so the gang threatens to publish stolen data on January 18, 2025.

Some of the organizations listed by the Clop ransomware group have disputed the gang’s claims and denied they were compromised.

Clop group already targeted enterprise file transfer software in the past, a large-scale hacking campaign exploited vulnerabilities in MOVEit Transfer and GoAnywhere.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)