Ukrainian law enforcers have arrested individuals associated with the Clop ransomware gang. They shut down the group’s infrastructure used in attacks against victims worldwide. The international operation has been conducted jointly with law enforcement agencies from the United States and South Korea.
The National Police of Ukraine’s Cyberpolice Department said that the ransomware group caused financial damages amounting to around $500 million.
Law enforcers in Ukraine have shut down the networks used by criminals to spread and illegally acquire cryptocurrencies:
“Together, law enforcement has managed to shut down the infrastructure from which the virus spreads and block channels for legalizing criminally acquired cryptocurrencies,” Ukrainian authorities said.
Law enforcers carried out 21 searches in the capital and the Kyiv region. They searched homes and cars of defendants and seized criminals’ servers, cash, and other property.
The defendants can face up to eight years in prison. Follow-up investigations are ongoing.
Based on Ukraine’s police press release, it’s not clear if the arrested individuals were affiliates or core members of the ransomware operation.
Cybersecurity company Intel 471 believes that the majority of the individuals arrested in Ukraine were involved in the laundering of money for the gang and were not core members, as the gang’s leadership is likely in Russia.
“The law enforcement raids in Ukraine associated with CLOP ransomware were limited to the cash-out/money laundering side of CLOP’s business only,” Intel 471 said. “The overall impact to CLOP is expected to be minor although this law enforcement attention may result in the CLOP brand getting abandoned as we’ve recently seen with other ransomware groups like DarkSide and Babuk.”
The Clop ransomware gang was responsible for many of the Accellion attacks that occurred during the first three months of 2021.
Starting with January, Clop attacks abusing Accellion flaws were targeted at the following victims: energy giant Shell, cybersecurity firm Qualys, supermarket giant Kroger, the Reserve Bank of New Zealand, Singtel, the Australian Securities and Investments Commission (ASIC), the Office of the Washington State Auditor (“SAO”), as well as multiple universities and other organizations.
Besides that, Clop has stolen 2 million credit cards from Korean retailer E-Land’s servers and deployed ransomware on their network in November 2020. Other victims included Maastricht University, Software AG IT, ExecuPharm, and Indiabulls.
Clop ransomware operation has not been completely shut down, and its Tor payment site and data leak site are still operational.
Image: National Police of Ukraine’s Cyberpolice Department