Cl0p hacker operating from Russia-Ukraine war front line – exclusive

CyberNews researchers discovered that at least one of the Cl0p ransomware gang masterminds is still residing in Ukraine.

Original post at: https://cybernews.com/security/cl0p-hacker-hides-in-ukraine/

As the Cl0p ransomware gang continues to sow anxiety worldwide, affecting prominent companies like the BBC and Deutsche Bank, at least one of the gang masterminds, Cybernews discovered, is still residing in Ukraine.

Deutsche Bank, one of the world’s largest banks, is the latest victim of the Cl0p gang. The bank’s customer data was leaked after hackers penetrated a third-party vendor, Majorel, by exploiting the MOVEit vulnerability.

Other major banks in Europe, including Deutsche Bank-owned Postbank, ING Bank, and Comdirect, have also been affected.

Cl0p, which has a tendency to publicly name its victims in batches, has reportedly been sitting on the zero-day vulnerability for two years. As is quite common with malicious activity en masse, malicious hackers chose the Memorial Day weekend in the US (May 27th and 28th) for a “broad swath of activity.”

Before the MOVEit saga, which seems far from over, Cl0p enjoyed the spotlight by exploiting Fortra’s GoAnywhere vulnerability. Shell, Hitachi, Hatch Bank, Rubrik, Virgin, and many others are among its claimed victims.

Curiously, Shell has been affected by both the GoAnywhere and MOVEit flaws.

Cl0p, first observed in 2019, is quite old for a ransomware gang, given that such gangs tend to regularly restructure and rebrand to throw law enforcement off track. The hacker group, also known by cyber pundits as Lace Tempest and Dungeon Spider, is affiliated with Russia.

In June 2021, Ukrainian law enforcement, in collaboration with US and South Korean officials, arrested six Cl0p members and dismantled the gang’s infrastructure. At the time, the group was accused of causing damage amounting to $500 million.

The arrests forced the gang to shut down its operations for a short period of three to four months in 2021-2022. Unfortunately, the gang has been steadily recovering. As a matter of fact, according to the dark web intelligence platform DarkFeed, Cl0p, with 361 victims and counting, is now among the three most active ransomware groups, leaving such infamous gangs as REvil and Vice Society far behind.

New evidence points to the fact that the Russia-affiliated gang still operates from Ukraine.

Cybernews has received a new batch of evidence that one of the Cl0p ransomware strain developers is at large in the city of Kramatorsk in Eastern Ukraine, on the front line of the Russia-Ukraine war.

A security researcher, who was vetted by Cybernews and asked not to be named in the article, looked up one of the Cl0p’s developers on the dark web, and contacted them via a well-known communication channel.

Because of a flaw in the platform – we’re choosing not to name it to avoid giving you any naughty ideas – our anonymous hacker was able to extract the Cl0p developer’s internet protocol (IP) address, which pointed us directly to their location in Kramatorsk.

Kramatorsk is a city in Eastern Ukraine that Russia has been trying to tear away from Ukraine since the annexation of Crimea, a Ukrainian peninsula, in 2014. Just days before the NATO Summit in Lithuania, where Ukraine’s president Volodymyr Zelensky heard more promises of accelerating Ukraine’s admission to NATO, the Kremlin launched a deadly strike on Kramatorsk, killing three children, among other people.

About the author: Jurgita Lapienytė, Chief Editor at CyberNews

Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker at EC-Council in London. A passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and a writer for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".