Several people suspected of being linked to the Clop ransomware gang have been arrested in Ukraine after a joint law enforcement operation involving Ukraine, South Korea and the United States.
The Cyber Police Department of the Ukrainian National Police confirmed that six arrests were made after searches of 21 residences in the capital Kiev and neighboring regions. Although it is not clear whether the defendants are affiliates or core developers of the ransomware operation, they are accused of having run a “double extortion” scheme, in which victims who refuse to pay the ransom are threatened with the leak of data stolen from their networks before their files were encrypted.
“It has been established that six defendants carried out malware attacks such as ‘ransomware’ on the servers of American and [South] Korean companies,” the Ukrainian national police said in a statement.
Police also seized assets from the alleged Clop ransomware gang, which is believed to have caused total financial damage of around $500 million. These include computer equipment, several cars, including a Tesla and a Mercedes, and 5 million Ukrainian hryvnia (around $185,000) in cash. Authorities also claim to have successfully shut down the server infrastructure used by gang members to launch previous attacks.
“Together, law enforcement has succeeded in shutting down the infrastructure from which the virus spreads and blocking channels to legalize criminally acquired cryptocurrencies,” the statement added.
The attacks began in February 2019, when the group targeted four Korean companies and encrypted 810 internal servers and personal computers. Since then, Clop – often written “Cl0p” – has been linked to a number of high-profile ransomware attacks. These include the breach of US pharmaceutical giant ExecuPharm in April 2020 and the attack on South Korean e-commerce giant E-Land in November that forced the retailer to close nearly half of its stores.
Clop is also linked to the ransomware attack and data breach at Accellion, which saw hackers exploit flaws in the IT vendor’s File Transfer Appliance (FTA) software to steal data from dozens of its customers. Victims of the breach include Singaporean telecom Singtel, law firm Jones Day, grocery chain Kroger and cybersecurity firm Qualys.
At the time of writing, the dark web leak site that Clop uses to publish stolen data is still operational, although it has not been updated for several weeks. Law enforcement typically replaces a seized site with its own takedown banner, so the absence of one suggests that some gang members may still be active.
“Operation Cl0p has been used to disrupt and extort organizations globally in a variety of industries including telecommunications, pharmaceuticals, oil and gas, aerospace and technology,” said John Hultquist, vice president of analysis in the Mandiant Threat Intelligence Unit. “The FIN11 actor was strongly associated with this operation, which included both ransomware and extortion, but it is not clear whether the arrests included FIN11 actors or others who may also be associated with the operation.”
Hultquist said Ukraine’s police efforts “serve as a reminder that the country is a strong partner for the United States in the fight against cybercrime and that authorities are working to deny criminals a safe haven.”
The alleged perpetrators face up to eight years in prison for unauthorized interference with the work of computers, automated systems, computer networks or telecommunications networks and for laundering property obtained by criminal means.
News of the arrests comes as international law enforcement steps up action against ransomware gangs. Last week, the US Department of Justice announced that it had seized most of the ransom paid to DarkSide members by Colonial Pipeline.