Ukraine's national police have arrested several people who allegedly operated the Cl0p ransomware, which has been responsible for some of the larger ransomware incidents of the last few years in the United States and other countries.
The Cl0p ransomware is tightly coupled with TA505, a cybercrime group known for gaining initial access to large corporate networks and then selling that access to third parties for further exploitation. The Cl0p operators belong to the subset of ransomware groups that not only demand a ransom for a decryptor for the compromised machines, but also steal sensitive data beforehand and extort an additional payment in return for not publicly leaking it.
On Tuesday, Ukrainian police announced that they had conducted 21 separate searches, arrested six people, and seized cash, cars, computers, and other devices as part of a cooperative operation with authorities in the U.S. and South Korea. They said the group was responsible for about $500 million in losses.
“It was established that six defendants carried out attacks of malicious software such as ‘Ransomware’ on the servers of American and Korean companies. For deciphering the data, they demanded a ‘ransom’, and in case of non-payment, they threatened to disclose the confidential data of the victims,” Ukraine’s Cyber Police Department said in a statement.
The Cl0p operators have targeted a wide range of companies, including technology providers, aviation companies, and others. Like some other ransomware operators, the Cl0p group runs a site that lists its current victims and portions of stolen data as a form of leverage to incentivize victims to pay.
“CL0P maintains two online presences to support its Big Game Hunting operations. The first presence is their leak portal called ‘CL0P^-LEAKS’. Its purpose is to frighten future victims by hosting sensitive data of past victims that didn’t pay the ransom. The second presence is their negotiation portal. This serves as a “customer support” for victims that are willing to come to an agreement and pay the ransom,” Thomas Barabosch, a senior cyber security analyst at Deutsche Telekom, wrote in an analysis of the group’s activities in January.
“CL0P is one of the ransomware gangs that adopted the double extortion technique. Before they deploy their ransomware, they exfiltrate up to terabytes of sensitive data from the victim’s network. In case the victim had proper backups set up and is not willing to pay the ransom, they still can threaten to publish this data on their leak portal ‘CL0P^-LEAKS’.”
The Ukrainian police said the Cl0p operators had targeted companies in South Korea, as well as Stanford University, the University of Maryland, and the University of California.
“In 2019, four Korean companies were attacked by the Clop encryption virus, as a result of which 810 internal servers and personal computers of employees were blocked. Hackers sent e-mails with a malicious file to the mailboxes of company employees. After opening the infected file, the program sequentially downloaded additional programs from the distribution server and completely infected the victims' computers with a remotely managed program, Flawed Ammyy RAT,” the police statement said.
“Using remote access, the suspects activated malicious software Cobalt Strike, which provided information about the vulnerabilities of infected servers for further capture.”
The Cl0p arrests come during a period of intense scrutiny of ransomware groups by law enforcement agencies in the U.S. and other countries, following several high-profile intrusions, including the Colonial Pipeline and JBS USA attacks. Congress has held a number of hearings on ransomware activity, and the FBI has sharpened its focus on operators, including an operation that recovered $2.3 million of the ransom paid by Colonial Pipeline Co. to the DarkSide ransomware actors.