Cybersecurity firms provide threat intel for Clop ransomware group arrests

The crackdown was codenamed Operation Cyclone.

Further details have been revealed concerning a 30-month investigation designed to disrupt the operations of the Clop ransomware group. 

In June, Ukrainian police arrested six suspects in 20 raids across Kyiv and other towns, seizing computers, technology, cars, and roughly $185,000. 

The Ukrainian National Police worked with law enforcement in South Korea on the raid, now known as Operation Cyclone.

Interpol, an inter-governmental organization focused on facilitating coordinated activities between police agencies worldwide, said last week that Interpol's Cyber Fusion Centre managed the operation in Singapore.

Trend Micro, CDI, Kaspersky Lab, Palo Alto Networks, Fortinet, and Group-IB contributed threat intelligence through the Interpol Gateway project, together with police from Ukraine, South Korea, and the United States. 

South Korean firms S2W LAB and KFSI also contributed Dark Web activity analysis. 

South Korea was particularly interested in the arrests due to Clop's reported involvement in a ransomware attack against E-Land. The ransomware's operators told Bleeping Computer that point-of-sale (PoS) malware was implanted on the Korean retail giant's systems for roughly a year, leading to the theft of millions of credit cards. 

Clop is one of many ransomware gangs that operate leak sites on the Dark Web. The groups claim responsibility for a ransomware attack and use these platforms for dual purposes: to communicate with a victim and negotiate a blackmail payment in return for a decryption key, and to conduct further extortion by threatening to leak stolen, sensitive data on the portal if the victim does not pay up.

Clop has previously exploited zero-day vulnerabilities in the Accellion File Transfer Appliance (FTA) software, alongside other attack vectors, to claim high-profile victims, including The Reserve Bank of New Zealand, Washington State Auditor, Qualys, and Stanford Medical School. 

The six suspects are also accused of money laundering, as Clop overall is believed to have laundered at least $500 million obtained from ransomware activities. If convicted as part of the notorious group, the defendants face up to eight years behind bars. 

"Despite spiraling global ransomware attacks, this police-private sector coalition saw one of global law enforcement's first online criminal gang arrests, which sends a powerful message to ransomware criminals, that no matter where they hide in cyberspace, we will pursue them relentlessly," commented Craig Jones, Interpol's Director of Cybercrime.

However, it should be noted that the six arrests in Ukraine have not stopped the Clop ransomware group's activities or disrupted its leak site. It is believed the main operators of the ransomware are based in Russia. 

Interpol added that Operation Cyclone "continues to supply evidence that is feeding into further cybercrime investigations and enabling the international police community to disrupt numerous channels used by cybercriminals to launder cryptocurrency."

In recent ransomware news, the US State Department has offered a bounty worth $10 million for information "leading to the identification or location of any individuals holding key leadership positions" in the DarkSide ransomware group. 
