Clop Ransomware Gang Suspects Arrested - Ukraine Police

Clop Ransomware Gang Suspects Detained in International Operation
Law enforcement collaboration between Ukraine, South Korea, and the United States has resulted in the apprehension of several individuals suspected of affiliation with the Clop ransomware group.
Arrests and Accusations
Ukraine’s Cyber Police Department confirmed the arrest of six individuals following searches conducted across 21 locations in Kyiv and surrounding areas. The defendants are alleged to have engaged in a “double extortion” tactic.
This scheme involves threatening victims with data leaks if ransom demands are not met, in addition to encrypting their files. Investigations are ongoing to determine if those arrested are core developers or affiliates of the Clop operation.
Financial Impact and Seized Assets
Ukrainian authorities state that the accused carried out attacks targeting companies based in the United States and South Korea. The total financial damage attributed to the alleged Clop ransomware activity is estimated at approximately $500 million.
During the operation, law enforcement officials seized a variety of assets, including computer equipment, multiple vehicles (a Tesla and a Mercedes among them) and 5 million Ukrainian hryvnia (around $185,000) in cash.
Infrastructure Disruption
Authorities also report the successful dismantling of server infrastructure utilized by the group to launch prior attacks. This action aimed to disrupt the spread of the malicious software.
Furthermore, channels used to launder cryptocurrency obtained through the attacks were reportedly blocked as part of the operation, with the aim of cutting off the cybercriminals' financial gains.
History of Clop Attacks
The group’s malicious activities were first detected in February 2019, with attacks against four Korean firms resulting in the encryption of over 800 systems. Since then, Clop, sometimes referred to as “Cl0p,” has been implicated in numerous high-profile incidents.
These include the 2020 breach of U.S. pharmaceutical company ExecuPharm and the 2021 attack on South Korean retailer E-Land, which led to the temporary closure of nearly half of its stores.
Accellion Breach and Wider Impact
Clop is also connected to the significant data breach at Accellion, in which the group exploited vulnerabilities in Accellion's File Transfer Appliance (FTA) software. This resulted in data theft from numerous Accellion customers.
Victims of the Accellion breach included Singtel, a Singaporean telecom provider, the law firm Jones Day, the Kroger grocery chain, and cybersecurity company Qualys.
Current Status and Ongoing Investigation
At the time of writing, the dark web leak site used by Clop to publish stolen data remains online, though it has not been updated recently. In a typical takedown, the site would be replaced with law enforcement seizure branding.
This suggests that some members of the group may still be operational. The investigation is ongoing to fully assess the extent of the disruption.
Expert Analysis
John Hultquist, vice president of analysis at Mandiant’s threat intelligence unit, stated that the Clop operation has targeted organizations across diverse sectors, including telecommunications, pharmaceuticals, energy, aerospace, and technology.
He also noted the strong association between the operation and the threat actor known as FIN11, while acknowledging uncertainty regarding whether the arrests included FIN11 members or other associates.
Ukraine’s Role in Cybercrime Fight
Hultquist emphasized that the actions of the Ukrainian police demonstrate the country’s commitment as a partner to the U.S. in combating cybercrime and denying criminals a safe haven.
Potential Penalties
The individuals arrested face potential prison sentences of up to eight years if convicted on charges related to unauthorized interference with computer systems and laundering of illegally obtained funds.
Increased Law Enforcement Pressure
These arrests occur amidst a broader trend of heightened international law enforcement efforts targeting ransomware groups. Recently, the U.S. Department of Justice announced the seizure of a significant portion of the ransom paid to the DarkSide group by Colonial Pipeline.