Cyber Crime

Cl0p hacker operating from Russia-Ukraine war front line – exclusive

CyberNews researchers discovered that at least one of the Cl0p ransomware gang masterminds is still residing in Ukraine.

Original post at: https://cybernews.com/security/cl0p-hacker-hides-in-ukraine/

As the Cl0p ransomware gang continues to sow anxiety worldwide, affecting prominent companies like the BBC and Deutsche Bank, at least one of the gang masterminds, Cybernews discovered, is still residing in Ukraine.

Deutsche Bank, one of the world’s largest banks, is the latest victim of the Cl0p gang. The bank’s customer data was leaked after hackers penetrated a third-party vendor, Majorel, by exploiting the MOVEit vulnerability.

Other major banks in Europe, including Deutsche Bank-owned Postbank, ING Bank, and Comdirect, have also been affected.

Cl0p, which has a tendency to publicly name its victims in batches, has reportedly been sitting on the zero-day vulnerability for two years. As is quite common with malicious activity en masse, malicious hackers chose the Memorial Day weekend in the US (May 27th and 28th) for a “broad swath of activity.”

Before the MOVEit saga, which seems far from over, Cl0p enjoyed the spotlight by exploiting Fortra’s GoAnywhere vulnerability. ShellHitachiHatch BankRubrikVirgin, and many others are among its claimed victims.

Curiously, Shell has been affected by both the GoAnywhere and MOVEit flaws.

Cl0p, first observed in 2019, is quite old for a ransomware gang, given that they tend to regularly restructure and rebrand to throw law enforcement off track. The hacker group, also known by cyber pundits as Lace Tempest, Dungeon Spider, is affiliated with Russia.

In June 2021, Ukrainian law enforcement, in collaboration with US and South Korean officials, arrested six Cl0p members and dismantled the gang’s infrastructure. At the time, the group was accused of causing damage amounting to $500 million.

The arrests forced the gang to shut down its operations for a short period of three to four months in 2021-2022. Unfortunately, the gang has been steadily recovering. As a matter of fact, according to dark web intelligence platform, DarkFeed, Cl0p, with 361 victims and counting, is now among the three most active ransomware groups, leaving such infamous gangs like Revil and Vice Society far behind.

New evidence points to the fact that the Russia-affiliated gang still operates from Ukraine.

Cybernews has received a new batch of evidence that one of the Cl0p ransomware strain developers is at large in the city of Kramatorsk in Eastern Ukraine, on the front line of the Russia-Ukraine war.

A security researcher, who was vetted by Cybernews and asked not to be named in the article, looked up one of the Cl0p’s developers on the dark web, and contacted them via a well-known communication channel.

Because of a flaw in the platform – we’re choosing not to name it to avoid giving you any naughty ideas – our anonymous hacker was able to extract the Cl0p developer’s internet protocol (IP) address pointing us directly to their location in Kramatorsk.

Kramatorsk is a city in Eastern Europe that Russia has been trying to tear off Ukraine since the annexation of Crimea, a Ukrainian peninsula, in 2014. Just days before the NATO Summit in Lithuania, where Ukraine’s president Volodymyr Zelensky heard more promises of accelerating Ukraine’s admission to NATO, the Kremlin took a deadly strike on Kramatorsk, killing three children, among other people.

Original post at: https://cybernews.com/security/cl0p-hacker-hides-in-ukraine/

About the author: Jurgita Lapienytė, Chief Editor at CyberNews

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Cl0p ransomware)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

US and allied Governments’ Recommendations: Securing Network Devices Against Russian APT Groups

US and allies warn of Russian APT groups targeting routers and network devices to compromise…

4 hours ago

Chaotic Eclipse Unveils LegacyHive Exploit Affecting Fully Patched Windows Systems

LegacyHive PoC exposes a Windows Privilege Escalation flaw affecting fully patched Windows desktop and server…

6 hours ago

AsyncAPI npm Supply Chain Attack: Malware Injected Into Packages With 2 Million Weekly Downloads

AsyncAPI npm packages with 2M weekly downloads were compromised, spreading malware with info-stealing, crypto-theft and…

11 hours ago

U.S. CISA adds SonicWall and Microsoft flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds SonicWall and Microsoft flaws to its Known…

12 hours ago

SonicWall warns of active exploitation of two SMA 1000 zero-days

SonicWall warns of active attacks exploiting two SMA 1000 zero-days, including a flaw enabling arbitrary…

15 hours ago

Patch Tuesday security updates for July 2026, the largest update ever. 621 CVEs in one month

Patch Tuesday: Microsoft fixes a record 621 CVEs, including 2 exploited zero-days and critical flaws…

1 day ago

This website uses cookies.