Clop Ransomware Gang Doxes Victims After Police Raids

June 23, 2021
Clop Ransomware Operation Resumes Activity

The Clop ransomware group, known for its malicious activities, appears to have resumed operations shortly after Ukrainian police apprehended six individuals allegedly associated with the gang.

Recent Law Enforcement Action

A collaborative law enforcement effort involving the National Police of Ukraine, alongside officials from South Korea and the United States, resulted in the arrest of several suspects linked to Clop. This operation marked a significant event, representing the first instance of a national law enforcement agency conducting mass arrests targeting a ransomware group.

Ukrainian authorities initially reported successfully dismantling the server infrastructure utilized by the criminal organization. However, this disruption doesn’t appear to have been entirely effective.

Evidence of Continued Operation

Following a period of inactivity coinciding with the arrests, Clop has now published a new set of stolen confidential data. This data, reportedly obtained from two new victims – a retailer specializing in farm equipment and an architectural firm – was discovered on the group’s dark web site by TechCrunch.

While neither of the potential victims has yet responded to inquiries from TechCrunch, the publication of this data suggests the ransomware group remains active despite the recent law enforcement intervention.

Limited Impact of Arrests

Experts believe the arrests primarily targeted individuals involved in the financial aspects of the Clop operation, specifically money laundering. Core members of the gang were reportedly not among those apprehended.

According to cybersecurity firm Intel 471, the impact on Clop is expected to be minimal. They suggest the group may even abandon the "Clop" brand, similar to what has occurred with other ransomware groups like DarkSide and Babuk.

International Cooperation and Future Outlook

Despite continuing operations, Clop’s future remains uncertain. Law enforcement agencies have achieved notable successes against ransomware groups this year, including the recovery of cryptocurrency paid to the Colonial Pipeline hackers.

Furthermore, Russia has recently announced its intention to collaborate with the U.S. in identifying and locating cybercriminals.

This shift in policy is significant, as Russia has historically adopted a non-interventionist stance regarding hackers operating within its borders.

Safe Harbor in Russia

Intel 471 posits that the key figures behind Clop likely reside in Russia, a country that has historically offered a degree of protection to cybercriminals by declining to take punitive measures.

Clop’s History and Notable Attacks

The Clop ransomware group first emerged in early 2019 and has since been implicated in several high-profile security breaches.

These incidents include the compromise of U.S. pharmaceutical company ExecuPharm in April 2020 and the recent data breach affecting Accellion. The Accellion breach involved exploiting vulnerabilities in the IT provider’s software, leading to data theft from numerous clients, including the University of Colorado and Qualys, a cloud security vendor.

The group’s continued activity highlights the ongoing challenges in combating cybercrime and the need for sustained international cooperation.
