Cl0p doesn’t really hack organizations. They hack file transfer platforms. The math is simple: find one exploitable vulnerability in a widely deployed MFT product, and you don’t compromise one company; you compromise every company running that software simultaneously.
In late 2024, Cl0p ran that playbook against Cleo, a managed file transfer platform used across logistics, manufacturing, and finance. More than 200 organizations were posted to the group’s leak site in December 2024 alone. Western Alliance Bank lost the Social Security numbers, passport information, and financial account details of 21,899 customers. Hertz, Thrifty, and Dollar customers had their names, dates of birth, credit card numbers, and driver’s license information exfiltrated. Starbucks managers were manually calculating barista wages because their supply chain software, which ran on Cleo-dependent infrastructure, had gone dark.
This is the platform multiplier. One exploit, hundreds of victims. And Cleo wasn’t the first time.
Cl0p Has Done This Before
The Cleo attack wasn’t an improvisation. It was the third major iteration of an operation Cl0p has been refining for years. In 2021, they hit Accellion’s legacy file transfer appliance. In 2023, they turned the same playbook on Progress Software’s MOVEit Transfer, ultimately exposing more than 90 million individuals across 2,500 organizations: government agencies, financial institutions, healthcare systems, and insurers. In late 2024, they found two zero-day vulnerabilities in Cleo Harmony, VLTrader, and LexiCom (CVE-2024-50623 and CVE-2024-55956), and did it again.
The Cleo vulnerabilities allowed unauthenticated file uploads executed automatically through an autorun directory, and a second exploit deployed a Java backdoor called Malichus to enable persistent access and data exfiltration. According to Dragos’s 2025 Ransomware Surge report, attackers could gain administrator privileges and execute remote code without any authentication. Cl0p named over 60 victims on their leak site in January 2025, with supply chain and logistics companies accounting for roughly 20 percent of listed organizations — about seven times their share of ransomware victims across the broader threat landscape. By the time Cleo issued patches, Cl0p had already been inside victim networks for weeks.
What makes this pattern durable isn’t technical sophistication; it’s architectural logic. When thousands of organizations run the same file transfer platform, that platform becomes a high-value, centralized target. Compromising it once scales to hundreds of victims instantaneously. SaaS and broadly deployed MFT vendors cannot meaningfully reduce that dynamic. Their business model requires keeping the platform open and accessible to all customers, which means keeping the doors open for attackers, too.
The Victims Weren’t Unlucky. They Were Exposed.
The organizations caught in the Cleo breach weren’t failing at security. Many had patched CVE-2024-50623 when it was first disclosed in October 2024. Cl0p came back with CVE-2024-55956, a second zero-day for which no patch yet existed.
That’s the nature of zero-day exploitation: the patch doesn’t exist at the moment of attack. Patching your file transfer platform is necessary, but if patching is your entire ransomware protection strategy, you’re defending against yesterday’s attack. The breach window on a zero-day is measured in hours, not maintenance cycles.
The organizations most exposed weren’t just running unpatched software. They were running an architecture in which the file transfer platform sat on the perimeter, provided a publicly accessible management interface, stored files in a centralized repository, and had broad access to the rest of the network. When Cl0p got in, they didn’t just get files. They got operational documents, engineering data, and the credentials needed to move deeper.
Western Alliance Bank’s exposure window ran from October 12 to October 24, 2024, a period during which attackers had access to the names, Social Security numbers, dates of birth, driver’s license numbers, passport information, financial account numbers, and tax identification numbers of nearly 22,000 customers. Hertz’s exposure spanned October through December. The data left in those environments during those windows is permanently gone.
What the Architecture Change Actually Looks Like
The answer to the platform multiplier problem isn’t a better-patched version of the same architecture. It’s an architecture that removes the shared target entirely.
SFTP Gateway deploys inside your own AWS, Azure, or Google Cloud environment, not on a shared vendor platform. It can be deployed as a virtual machine image or as a Docker container, depending on how your infrastructure is organized. Files are transferred directly from your trading partners’ SFTP clients to your cloud storage: your S3 bucket, your Azure Blob Storage, or your Google Cloud Storage. The data never passes through Thorn’s infrastructure. Thorn has no access to your files, your credentials, or your network.
This fundamentally changes the threat calculus. There is no shared platform for Cl0p to target at scale. A vulnerability discovered in another customer’s environment has no architectural path to yours. If a threat is detected, your team controls the response, including immediately restricting all inbound access, without waiting on a vendor’s incident response timeline. You’re not in the risk pool that makes MFT platforms attractive targets.
Because SFTP Gateway runs as a dedicated deployment inside your own cloud environment, and not on a shared platform alongside thousands of other tenants, your security team has direct control over every layer of the stack. You set the network boundaries, define the access policies, and configure the monitoring thresholds. If something looks wrong, you respond immediately, on your own terms.
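The two postures contrasted in this post, a perimeter transfer host with a public management interface and broad access to the rest of the network versus a dedicated deployment whose boundaries and access policies the owner sets, can be checked mechanically. The following is an added example, not Thorn Technologies code and not SFTP Gateway's own configuration format: it audits an IAM policy and a set of security-group ingress rules, both constructed here in AWS's JSON shapes, and flags wildcard storage permissions, non-storage permissions on the transfer role, and a management port reachable from anywhere. The bucket ARN, role permissions, CIDR ranges and the management port number are assumptions.

```python
"""Posture checks for a self-hosted transfer deployment's access scope.

Added example, not Thorn Technologies code and not SFTP Gateway's own
configuration format. Policies and ingress rules below are constructed in
AWS IAM / EC2 security-group JSON shapes. Bucket ARN, CIDR ranges and the
management port are assumptions chosen for illustration.
"""
BUCKET_ARN = "arn:aws:s3:::example-transfer-landing"   # constructed bucket
MANAGEMENT_PORTS = {8443}                               # hypothetical admin UI port


def _as_list(value):
    """IAM accepts either a string or a list in Statement/Action/Resource fields."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy, bucket_arn=BUCKET_ARN):
    """Return findings for Allow statements that reach beyond the transfer bucket."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif not action.startswith("s3:"):
                findings.append(f"statement {i}: non-storage action {action!r} on the transfer role")
        for res in _as_list(stmt.get("Resource", [])):
            if res != bucket_arn and not res.startswith(bucket_arn + "/"):
                findings.append(f"statement {i}: resource {res!r} is outside the transfer bucket")
    return findings


def audit_ingress(rules, management_ports=MANAGEMENT_PORTS):
    """Return findings for rules exposing all traffic, or the management port, to the internet."""
    findings = []
    for i, rule in enumerate(rules):
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        if rule.get("IpProtocol") == "-1":          # "-1" means every protocol and port
            findings.append(f"rule {i}: all protocols and ports open to {', '.join(cidrs)}")
            continue
        ports = set(range(rule["FromPort"], rule["ToPort"] + 1))
        exposed = sorted(ports & management_ports)
        if exposed and "0.0.0.0/0" in cidrs:
            findings.append(f"rule {i}: management port(s) {exposed} reachable from 0.0.0.0/0")
    return findings


# Posture 1 (constructed): the exposed architecture, broad data and network access.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "secretsmanager:GetSecretValue"],
         "Resource": "*"},
    ],
}
BROAD_INGRESS = [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

# Posture 2 (constructed): scoped to one partner prefix, SFTP only from partner ranges,
# management interface reachable only from the internal network.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": f"{BUCKET_ARN}/acme/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET_ARN,
         "Condition": {"StringLike": {"s3:prefix": "acme/*"}}},
    ],
}
SCOPED_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}, {"CidrIp": "198.51.100.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
]


if __name__ == "__main__":
    for label, policy, ingress in (("broad", BROAD_POLICY, BROAD_INGRESS),
                                   ("scoped", SCOPED_POLICY, SCOPED_INGRESS)):
        findings = audit_policy(policy) + audit_ingress(ingress)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

In a real deployment the inputs are the JSON returned by `aws iam get-policy-version` and `aws ec2 describe-security-groups`. The checker is deliberately strict: any permission outside the landing bucket is a finding, so that a transfer host that is breached cannot be used to reach credentials or other workloads, which is the "broad access to the rest of the network" failure the Cleo victims shared.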
Every transfer, every authentication event, and every access attempt is logged directly to your existing cloud observability infrastructure (AWS CloudTrail, Azure Monitor, or Google Cloud Logging) in a format your security team can query immediately, not reconstruct after a breach notification letter arrives. That’s the real advantage of dedicated, self-hosted architecture: not that the software is immune to vulnerabilities, but that when something goes wrong, your team is already at the wheel.
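The following is an added example, not Thorn Technologies code, of the kind of query the paragraph above describes. It takes CloudTrail S3 data-event records for the landing bucket (a handful of constructed records in CloudTrail's field layout; the bucket name, principals, object keys and addresses are assumptions), builds the who-accessed-which-object-and-when view that an auditor or regulator asks for, and flags any principal that reads many distinct objects inside a short window, the bulk-exfiltration pattern of the breaches described above.

```python
"""Who accessed which object and when, from CloudTrail S3 data events.

Added example, not Thorn Technologies code. Assumes the transfer landing
bucket has CloudTrail S3 data-event logging enabled. Bucket name,
principals, keys and addresses below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TRANSFER_BUCKET = "example-transfer-landing"          # constructed bucket name
DATA_EVENTS = {"GetObject", "PutObject", "DeleteObject"}

# Constructed principals (hypothetical ARNs).
PARTNER_ROLE = "arn:aws:sts::111122223333:assumed-role/sftpgw-partner-acme/session"
IMPORTER_ROLE = "arn:aws:sts::111122223333:assumed-role/erp-importer/session"
LEGACY_USER = "arn:aws:iam::111122223333:user/svc-legacy-mft"


def _event(time, action, arn, key, ip, bucket=TRANSFER_BUCKET):
    """Build a record in the subset of CloudTrail's S3 data-event layout used below."""
    return {
        "eventTime": time,
        "eventSource": "s3.amazonaws.com",
        "eventName": action,
        "userIdentity": {"arn": arn},
        "requestParameters": {"bucketName": bucket, "key": key},
        "sourceIPAddress": ip,
    }


# Constructed sample: a partner upload, one legitimate import, and a burst of reads
# across several partners' folders by a stale service account from an outside address.
SAMPLE_EVENTS = [
    _event("2024-10-12T03:10:05Z", "PutObject", PARTNER_ROLE, "acme/inbound/invoice-0912.csv", "203.0.113.10"),
    _event("2024-10-12T03:11:40Z", "PutObject", PARTNER_ROLE, "acme/inbound/invoice-0913.csv", "203.0.113.10"),
    _event("2024-10-12T04:00:00Z", "GetObject", IMPORTER_ROLE, "acme/inbound/invoice-0912.csv", "10.0.4.21"),
    _event("2024-10-12T23:41:00Z", "GetObject", LEGACY_USER, "acme/inbound/invoice-0912.csv", "198.51.100.77"),
    _event("2024-10-12T23:41:30Z", "GetObject", LEGACY_USER, "acme/inbound/invoice-0913.csv", "198.51.100.77"),
    _event("2024-10-12T23:42:00Z", "GetObject", LEGACY_USER, "globex/outbound/payroll-q3.xlsx", "198.51.100.77"),
    _event("2024-10-12T23:42:45Z", "GetObject", LEGACY_USER, "globex/outbound/payroll-q4.xlsx", "198.51.100.77"),
    _event("2024-10-12T23:43:30Z", "GetObject", LEGACY_USER, "initech/inbound/w2-batch.zip", "198.51.100.77"),
    _event("2024-10-12T23:44:30Z", "GetObject", LEGACY_USER, "initech/inbound/id-scans.zip", "198.51.100.77"),
    # Same account reading an unrelated bucket: excluded from the transfer-bucket view.
    _event("2024-10-12T23:45:00Z", "GetObject", LEGACY_USER, "static/site.css", "198.51.100.77",
           bucket="example-web-assets"),
]


def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def access_report(events, bucket=TRANSFER_BUCKET):
    """Map each principal to its time-ordered (time, action, key, source_ip) touches of the bucket."""
    report = defaultdict(list)
    for ev in events:
        params = ev.get("requestParameters") or {}
        if params.get("bucketName") != bucket or ev.get("eventName") not in DATA_EVENTS:
            continue
        principal = (ev.get("userIdentity") or {}).get("arn", "unknown")
        report[principal].append(
            (_parse_time(ev["eventTime"]), ev["eventName"], params.get("key"), ev.get("sourceIPAddress"))
        )
    for entries in report.values():
        entries.sort()
    return dict(report)


def find_bulk_downloads(events, window=timedelta(minutes=10), threshold=5, bucket=TRANSFER_BUCKET):
    """Flag principals that read at least `threshold` distinct objects inside any `window`.

    Returns (principal, window_start, distinct_keys) for the first such window per principal.
    """
    findings = []
    for principal, entries in access_report(events, bucket).items():
        reads = [(t, key) for t, action, key, _ in entries if action == "GetObject"]
        for i, (start, _) in enumerate(reads):
            keys = {key for t, key in reads[i:] if t - start <= window}
            if len(keys) >= threshold:
                findings.append((principal, start, len(keys)))
                break
    return findings


if __name__ == "__main__":
    for principal, entries in access_report(SAMPLE_EVENTS).items():
        print(principal)
        for t, action, key, ip in entries:
            print(f"  {t:%Y-%m-%d %H:%M:%S}  {action:<12} {key}  from {ip}")
    for principal, start, n in find_bulk_downloads(SAMPLE_EVENTS):
        print(f"ALERT: {principal} read {n} distinct objects starting {start:%H:%M:%S}")
```

Against real logs, feed the `Records` array of the delivered CloudTrail files to `access_report` and `find_bulk_downloads`; S3 object-level events are only recorded when data-event logging is enabled for that bucket on the trail, which is the setting to confirm before an incident rather than after.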
For organizations still running legacy EDI or mainframe workflows that depend on older MFT infrastructure, StorageLink bridges the gap: modern encryption, compliance logging, and cloud-native architecture without forcing a costly rip-and-replace of core systems.
What Changes When the Architecture Is Right
The compliance posture shift is immediate. HIPAA, PCI DSS, SOC 2, and GDPR all require demonstrable controls over the environments where sensitive data moves. When your file transfer infrastructure lives inside your own cloud account, you can demonstrate those controls directly — your audit logs, your access policies, your encryption configuration — rather than relying on a vendor’s attestation about their own practices. When regulators ask who accessed which files and when, the answer is in your own logging infrastructure, not in a support ticket to a third party.
The cost shift is also significant. Traditional enterprise MFT licensing runs $10,000 to $65,000 annually for mid-sized organizations, before infrastructure, integration work, and professional services. SFTP Gateway starts at $999 per year for up to 10 users, $2,999 for up to 100 users, and has enterprise-level plans for 1,000 or more users.
According to the IBM Cost of a Data Breach Report 2024, the average breach now costs $4.88 million, a 10% year-over-year increase. Against that number, the cost of replacing legacy MFT infrastructure looks different. Organizations migrating off legacy MFT consistently report cost reductions of 60 to 80 percent in year one, not because they’re trading down in capability, but because they’re no longer paying for architecture that was never designed for the threat environment they’re actually operating in.
Performance is categorically different, too. Shared SaaS platforms throttle throughput to balance traffic across thousands of customers. When your file transfer infrastructure connects directly to the cloud storage you own, it runs on the unthrottled backbone of AWS or Azure, with no intermediaries.
The Real Question After Cleo
Three major MFT platforms in four years. MOVEit, GoAnywhere, Cleo. Each time, Cl0p found a zero-day in widely deployed file-transfer infrastructure and used it to breach hundreds of organizations that had no individual security failures — they were simply running the same software as everyone else.
That’s not a patching problem. That’s a target problem.
The organizations that came through those breaches without incident weren’t more diligent about CVE tracking. They were running architectures that aren’t in the risk pool: self-hosted, isolated deployments with no shared infrastructure to exploit at scale. The question worth asking before your next MFT renewal isn’t whether your vendor has a good security track record. It’s whether your vendor’s platform is the kind of target Cl0p builds operations around.
Schedule a demo to see exactly how SFTP Gateway and StorageLink deploy in your environment, and what it takes to get off shared MFT infrastructure for good.
For more on how organizations are modernizing their file transfer infrastructure, subscribe to the Thorn Technologies YouTube channel.
About Thorn Technologies
Thorn Technologies specializes in cloud-native file transfer solutions for enterprises transitioning away from legacy MFT systems. Our SFTP Gateway and StorageLink products serve organizations worldwide, delivering the security and reliability of traditional managed file transfer solutions with the flexibility and cost efficiency of modern cloud infrastructure.
