Following a joint operation by law enforcement agencies from Ukraine, South Korea, and the United States, multiple persons alleged to be affiliated with the Clop ransomware gang have been arrested in Ukraine. Six arrests were made during searches at 21 locations in Kyiv and the surrounding regions, according to the National Police of Ukraine's Cyber Police Department.
While it's unclear if the defendants are ransomware affiliates or core developers, they're accused of a "double extortion" technique in which victims who fail to pay the ransom are threatened with the leak of data stolen from their networks before their files are encrypted. “It was established that six defendants carried out attacks of malicious software such as ‘ransomware’ on the servers of American and [South] Korean companies,” alleged Ukraine’s national police force in a statement.
The police also seized equipment from the alleged Clop ransomware gang, which is accused of causing $500 million in financial losses. This includes computer equipment, a Tesla and a Mercedes, as well as 5 million Ukrainian Hryvnia (about $185,000) in cash.
Authorities also claim to have successfully shut down the server infrastructure used by gang members to launch prior operations. “Together, law enforcement has managed to shut down the infrastructure from which the virus spreads and block channels for legalizing criminally acquired cryptocurrencies,” the statement added.
“The Cl0p operation has been used to disrupt and extort organizations globally in a variety of sectors including telecommunications, pharmaceuticals, oil and gas, aerospace, and technology,” said John Hultquist, vice president of analysis at Mandiant’s threat intelligence unit.
In February 2019, the gang launched an attack on four Korean organizations, encrypting 810 internal services and personal PCs. Clop has since been connected to a slew of high-profile ransomware attacks. These include the attack on ExecuPharm, a US pharmaceutical company, in April 2020, and the attack on E-Land, a South Korean e-commerce company, in November, which prompted the retailer to close over half of its outlets.
Clop is also related to the Accellion ransomware attack and data theft, in which hackers exploited flaws in the IT firm's File Transfer Appliance (FTA) software to steal data from dozens of its clients. Singaporean telecom Singtel, law firm Jones Day, supermarket retail chain Kroger, and cybersecurity firm Qualys are among the victims of this breach.
