Cyber Incident Victim: Volaris
Date: Mar 2023
Location: Mexico
Summary
The Mexican airline Volaris was listed on the Cl0p ransomware gang's leak site following a cyberattack exploiting a zero-day vulnerability in Fortra's GoAnywhere managed file transfer solution. The incident resulted in unauthorized access and data exposure, part of a broader campaign where the gang compromised numerous organizations. Cl0p's attacks typically involve extortion by threatening to leak stolen data, though specific impacts on the airline's operations or customer data were not detailed in available reports.
Description
On March 23, 2023, the Cl0p ransomware gang listed Mexican airline Volaris among approximately 30 new victims added to their dark web leak site during a coordinated spree. This occurred alongside high-profile entities including Toronto Municipality, US-based Gray Television, and Virgin Group’s rewards program Virgin Red. The gang’s leak site typically publishes victim names alongside unverified claims about stolen data and corporate revenues to pressure organizations into paying ransoms. Cl0p’s resurgence followed a brief operational pause after law enforcement arrested several affiliates in late 2021, with the group reactivating its extortion campaign earlier in March 2023. No specific details regarding the scope of Volaris’s incident—such as data types compromised, operational disruptions, or ransom demands—were disclosed in available reports.

The broader Cl0p campaign exploited a zero-day vulnerability in Fortra’s GoAnywhere managed file transfer (MFT) software, which multiple confirmed victims—including Virgin Red—identified as the intrusion vector. Attackers exfiltrated files from organizations using vulnerable GoAnywhere instances, though Virgin Red clarified that no customer or employee personal data was exposed in their case. Cl0p historically ties ransom demands to victim revenue estimates, as seen with their $18 billion revenue claim against Virgin Group, though such figures often lack verification. The gang’s March 23 victim list expanded a global targeting pattern spanning aviation, education, energy, and municipal sectors, with prior victims including Shell, Stanford University, and Bombardier. Cl0p’s operations had reportedly accumulated approximately $500 million in ransom payments by November 2021, underscoring the group’s persistent threat profile despite intermittent law enforcement disruptions.
