6 Clop ransomware operation suspects arrested in Ukraine

June 17, 2021

With the assistance and coordination of Interpol and law enforcement officers from the Republic of Korea and the United States, Ukrainian police have arrested six alleged members of the Clop ransomware gang.

The cybercriminal group is a high-profile ransomware family that has compromised industries globally. Unit 42 researchers, for instance, have observed an uptick in Clop ransomware activity affecting the wholesale and retail, transportation and logistics, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, professional and legal services, healthcare and high tech industries in the U.S., Europe, Canada, Asia Pacific and Latin America.

Law enforcement officers conducted 21 searches in the capital and Kyiv region, in the homes of the defendants and in their cars, and confiscated computer equipment, cars and about 5 million hryvnias in cash. Ukrainian authorities also shut down the gang's infrastructure. John Bambenek, Threat Intelligence Advisor at Netenrich, a San Jose, Calif.-based Resolution Intelligence provider, says, "The only way to stop ransomware is to impose consequences on those who engage in and support such activity. These are real crimes and deserve real criminal consequences. Clop was a significant ransomware threat and that crew getting perp-walked is unambiguously good news."

According to Unit 42 researchers, Clop leverages double extortion practices and hosts a leak site, where the number of victims has grown significantly since its launch in March 2020. Clop has been commonly observed being delivered as the final-stage payload of a malicious spam campaign carried out by the financially motivated actor TA505. This ransomware has also been linked to threat actors behind the recent global zero-day attacks on users of the Accellion File Transfer Appliance (FTA) product.

According to the Cyberpolice Department of the National Police of Ukraine the ransomware group is behind total financial damages of roughly $500 million. The defendants face up to eight years in prison, and have been charged with various computer crimes.

Oliver Tavakoli, CTO at Vectra, a San Jose, Calif.-based AI cybersecurity company, says, "Law enforcement actions such as these are one of the key levers which can eventually shrink the ransomware ecosystem. When the likelihood of repercussions rise, less people will be drawn into the business of ransomware. When periodic disruptions occur in the supply chain of ransomware and sometimes ransoms are reclaimed (as the FBI recently did with some of the Colonial Pipeline ransom payments), the business of ransomware itself becomes less lucrative and less people are drawn into it. It will require concerted and prolonged pushes to bend this curve in a positive direction, but these efforts represent a credible start."

"While these arrests may make some ransomware operators think twice, it is unlikely that the threat of law enforcement action will be enough to halt them entirely. For many cybercriminals, the possibility of arrest is an accepted risk, and they will change tactics often to avoid detection. Therefore, in the short-term, it is unlikely that ransomware attacks will slow significantly," explains Kim Bromley, Senior Cyber Threat Intelligence Analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solutions. "To capitalize on the momentum, law enforcement and governments should proactively publicize all action taken against ransomware. Every mention will remind ransomware operators that the pressure is on. Intelligence gathering is highly likely continuing in the background, but turning this into more arrests will be essential."

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.