Ukrainian law enforcement officials on Wednesday announced the arrest of the Clop ransomware gang, adding that they disrupted the infrastructure employed in attacks targeting victims worldwide since at least 2019.
As part of an international operation between the National Police of Ukraine and authorities from Interpol, Korea, and the U.S., six defendants have been accused of running a double extortion scheme wherein victims refusing to pay a ransom were threatened with the leak of sensitive financial, customer, or personal data stolen from them prior to encrypting the files.
The ransomware attacks amount to $500 million in monetary damages, the National Police said, noting that "law enforcement has managed to shut down the infrastructure from which the virus spreads and block channels for legalizing criminally acquired cryptocurrencies."
Police officials are said to have conducted 21 searches in the Ukrainian capital of Kyiv, including the homes of the defendants, resulting in the seizure of computer equipment, luxury cars, and 5 million hryvnias ($184,679) in cash.
The alleged perpetrators face up to eight years in prison on charges of unauthorized interference in the work of computers, automated systems, computer networks or telecommunications networks. It is not clear, however, whether the arrested individuals are affiliates or core developers of the ransomware operation.
As of writing, the dark web portal that Clop uses to share stolen data — dubbed CL0P^-LEAKS — is still up and running, implying the complete infrastructure may not have been taken down.
Since emerging on the scene in 2019, the Clop threat actor has been linked to a number of high-profile attacks, such as those on E-Land, Accellion, Qualys, Software AG IT, ExecuPharm, Indiabulls, as well as a number of universities like Maastricht University, Stanford University Medical School, University of Maryland, and University of California.
The development comes as another ransomware group by the name of Avaddon shuttered operations and handed over the decryption keys associated with 2,934 victims to Bleeping Computer last week, likely in response to heightened scrutiny by law enforcement and governments worldwide after a spate of attacks against critical infrastructure.
The Clop arrests add to a string of operations undertaken by government agencies in recent months to take down criminal activities in cyberspace, including those of TrickBot, Emotet, ANoM, and Slilpp. Earlier this February, a joint probe involving French and Ukrainian authorities dismantled the cartel associated with Egregor ransomware.