An international joint operation resulted in the arrest of Clop ransomware members

Ukraine police arrested multiple individuals that are believed to be linked to the Clop ransomware gang as part of an international joint operation.

Ukraine police arrested multiple individuals that are believed to be linked to the Clop ransomware gang as part of an international operation conducted by law enforcement from Ukraine, South Korea, and the US.

At the time of this writing, the Ukrainian authorities did not disclose the number of Clop ransomware operators that have been arrested.

The law enforcement agencies from the involved countries shut down infrastructure used by the ransomware gang in its operations, the police also conducted searches at 21 houses in Kyiv.

“The hacker group was exposed by officers of the Cyber ​​Police Department together with the Main Investigation Department of the National Police. The perpetrators were exposed as part of an international operation to promote and coordinate Interpol (IGCI) and in collaboration with law enforcement officials from the Republic of Korea and the United States.” reported Ukraine’s Cyber Police division, “The perpetrators were exposed as part of an international operation, It was established that six defendants carried out attacks of malicious software such as “Ransomware” on the servers of American and Korean companies.”

The police also seized computers, smartphones, and server equipment were seized, 5 million Ukrainian hryvnias (+$180K) in cash, and several cars, including Tesla, Mercedes, and Lexus models.

Clop ransomware gang has been active since February 2019, it targeted many organizations and universities over the years. Like other ransomware gangs, Clop operators implemented a double-extortion model leaking on their leak sites the data stolen from the victims that refused to pay the ransom.

In February 2021, FireEye researchers reported the collaboration between the Clop gang and the FIN11 cybercrime group. The security firm discovered that the FIN11 hackers were publishing data from Accellion FTA customers on the Clop ransomware leak site.

According to the Ukraine police, in 2019 the Clop ransomware gang infected the systems of four South Korean companies asking for large ransoms, the malware has infected 810 internal servers and personal computers of employees blocking the operations of the victims. 

“Hackers sent e-mails with a malicious file to the mailboxes of company employees. After opening the infected file, the program sequentially downloaded additional programs from the distribution server and completely infected the victims’ computers with a remote managed program “Flawed Ammyy RAT“. continues the police.

“Using remote access, the suspects activated malicious software “Cobalt Strike”, which provided information about the vulnerabilities of infected servers for further capture. The attackers received a “ransom” in cryptocurrency for decrypting the information.”

According to the police, the total damage caused by the reaches $ 500 million. 

The arrested members of the ransomware gang risk up to eight years in prison.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]