
Ukraine arrests members of Clop ransomware gang

Ukrainian law enforcement has arrested cybercriminals linked to the Clop ransomware gang and shut down infrastructure used in attacks on victims worldwide since at least 2019.



According to the Cyberpolice Department of the National Police of Ukraine, the ransomware group is responsible for total financial losses of about $500 million.

The Ukrainian police press release does not make clear whether the arrested individuals are affiliates or core members of the ransomware operation.

The arrests followed an international operation carried out in collaboration with law enforcement from the United States and the Republic of Korea.


In addition to file-encrypting attacks, the Clop ransomware gang has been linked to the recent wave of Accellion data breaches, which led to a sharp increase in the average ransom payment estimated for the first three months of 2021.

While victims' data is encrypted in conventional ransomware attacks, these Clop attacks did not encrypt a single byte; instead, the gang exfiltrated large amounts of data from high-profile companies by exploiting Accellion's legacy File Transfer Appliance (FTA).

The gang used the stolen data as leverage to blackmail the breached companies with high ransom demands.

Starting in January, BleepingComputer reported on Clop breaches abusing Accellion FTA at:

  • Shell,
  • Qualys,
  • Kroger,
  • the Bank of New Zealand,
  • Singtel,
  • the Australian Securities and Investments Commission (ASIC),
  • the Office of the Washington State Auditor (SAO),
  • as well as many universities and other organizations.

The Clop gang also claimed to have stolen 2 million credit cards from Korean retailer E-Land using point-of-sale (POS) malware for about a year before deploying ransomware on the company's network in November 2020.


Previously, Clop ransomware was behind attacks on Maastricht University, Software AG, ExecuPharm and Indiabulls.

Clop's Tor payment site and data leak site are still online, so the ransomware operation does not appear to be completely shut down at this time.

Teo Ehc