Skip to content

Search the site

Ukrainian, Korean, law enforcement take down Clop ransomware gang

Ukrainian, South Korean, and US law enforcement authorities have arrested the cybercriminals behind the Clop ransomware attacks on the University of California and scores of other US and South Korean companies, Ukraine's National Police force said June 16.

Using the Clop ransomware, the attackers caused $500 million in damages before their arrests, a Ukrainian police report claimed. (The University of California alone admitted to paying a $1 million ransom).

A multi-national force led by Ukraine's national police agency made 21 searches "in the capital and Kyiv region, in the homes of the defendants and in their cars", confiscating computer equipment, cars, and some five million hryvnias (£130,000) in cash, arresting six people.

See also: These North Korean hackers are the “world’s leading bank robbers”, stealing $1.3b.

That's according to a Ukrainian language police report published today, which says the six defendants arrested also successfully attacked the Stanford University Medical School, the University of Maryland, and at least four South Korean companies. They used phishing campaigns to access networks and Cobalt Strike as a second-stage payload.

Palo Alto Networks says Clop has been "commonly observed being delivered as the final-stage payload of a malicious spam campaign carried out by the financially motivated actor TA505. This ransomware has also been linked to threat actors behind the recent global zero-day attacks on users of the Accellion File Transfer Appliance (FTA) product."

CL0P ransomware take down
South Korea's national police agency was involved in the raids.

While it ransomware attacks can be hard to attribute owning to the widespread use of the Ransomware-as-a-Service model -- and it difficult to determine as a result the extent to which a given cybercrime group is responsible for creation and distribution of the malware, alongside its use in targeted attacks -- the arrests seem significant, with the Ukrainian police report dubbing the attackers an "APT threat".

The unnamed six defendents face up to eight years in prison if convicted.

The arrests come amid a growing sense that ransomware providers are in the cross-hairs of powerful law enforcement authorities increasingly empowered to treat them as a legitimate threat to security rather than a mere gadfly for enterprises to deal with. They come days after the FBI seized Bitcoin from the wallets of cybercriminals responsible for the Colonial Pipeline attack in May.

The US's Department of Justice in April launched a multi-agency “Ransomware and Digital Extortion Task Force“, and a June 3 memorandum suggests the DarkSide Bitcoin seizure may be just its first crack of the whip. As the DoJ’s Deputy Attorney General notes in it: “A central goal of the recently launched task force is ensure that we bring to bear the full authorities and resources of the Department in confronting the many dimensions and root causes of this threat”.

With ransomware developers increasingly making the malware available under an as-a-service basis, it remains to be seen whether such raids represent a genuine tightening of the net, or just a plucking of the low-hanging fruit -- those with poor OpSec -- of the cybercrime world.

See also: C2 channels are getting esoteric. Defenders: look out for abuse of the Slack API and the C3 framework...