Ukrainian police partner with US, South Korea for raid on Clop ransomware members

Police in Ukraine raided 21 buildings and homes near Kyiv that they said were connected to the Clop ransomware group.
Written by Jonathan Greig, Contributor

The Ukrainian National Police announced a series of raids on Wednesday that ended with the arrest of six people allegedly part of the group behind the Clop ransomware. 

The group is responsible for some of the most headline-grabbing ransomware attacks seen over the last two years. Hundreds of victims range from Shell and Kroger to Stanford University, the University of Maryland, and the University of Colorado. Ukrainian police said the total damage done by their attacks amounts to an estimated $500 million.

The Cyberpolice Department of the Ukrainian National Police released a lengthy report Wednesday morning on the raids that included photos and video. Working with South Korean police officers, members of Interpol and unnamed US agencies, officers in Ukraine raided 21 different residences in Kyiv and nearby towns.

During the raid, dozens of computers and expensive cars were seized in addition to about $185,000. The report said server infrastructure was taken down, and the homes were seized. The six people arrested are facing up to eight years in prison for a variety of crimes related to the group's ransomware attacks and the laundering of money brought in from ransoms. 


The Ukrainian National Police noted that South Korean officials were particularly interested in the raid because of ransomware attacks launched by Clop against four South Korean companies in 2019. More than 800 internal servers and computers from the companies were infected in the attacks.

The group also attacked South Korean e-commerce giant E-Land in November, crippling the company for days. Clop members became well-known for attacking companies, such as Bombardier, that were running old versions of the Accellion FTA file-sharing server.

The Reserve Bank of New Zealand, Washington State Auditor, and cybersecurity firm Qualys are just a few of the victims attacked by Clop members through the Accellion vulnerability.

Kim Bromley, the senior cyber threat intelligence analyst at Digital Shadows, said the Clop ransomware has been active since February 2019 and generally targets large organizations. 

"Despite partaking in the ever-popular double-extortion tactic, Clop's reported activity level is relatively low when compared with the likes of 'REvil' (aka Sodinokibi) or 'Conti'," Bromley explained.

In spite of the press around the raid, many online noted that the leak site used by Clop members is still up. A source from cybersecurity company Intel 471 threw cold water on the excitement around the raid in an interview with Bleeping Computer. They told the news outlet that they do not think any of the major players behind Clop were arrested in the raid because they live in Russia. They added that the people arrested were mostly involved in the money laundering part of the ransomware operation.  

Clop rose to prominence in 2020 after they demanded a ransom of more than $20 million from Software AG, one of the largest software companies in the world. Multiple cybersecurity companies have reported that Clop has ties to a malware distribution group named TA505 and a cybercrime group known as FIN11.

Ransomware groups are facing increased scrutiny from law enforcement globally as hundreds of organizations continue to deal with the crippling aftereffects of attacks. 

Bromley noted that last week, the Avaddon ransomware shut down its operations. The Ziggy ransomware did the same earlier this year, signaling that the increasing law enforcement pressure was having an effect. 

"Arrests and operations targeting ransomware infrastructure must continue in the short term in order to maintain pressure on ransomware operators," Bromley added.  

Vectra CTO Oliver Tavakoli said raids like this are one of the key levers that can be used to shrink the lucrative ransomware ecosystem. 

"When the likelihood of repercussions rises, fewer people will be drawn into the business of ransomware," Tavakoli said. "When periodic disruptions occur in the supply chain of ransomware, and sometimes ransoms are reclaimed (as the FBI recently did with some of the Colonial Pipeline ransom payments), the business of ransomware itself becomes less lucrative and fewer people are drawn into it."

Other experts noted the timing of the raid, which came on the same day as the summit between US President Joe Biden and Russian President Vladimir Putin. Ransomware was a significant topic of discussion, Biden said after the meeting.

"This is a bold move, especially given Ukraine's tensions with Russia. It would be better to see comprehensive global law enforcement efforts take hold," said Hitesh Sheth, CEO at Vectra. "Cybersecurity has displaced nuclear arms as the premier superpower security issue of our era. We can hope the Biden-Putin summit leads to cooperation and structural progress in this area."
