This article is more than 1 year old

Cuffed: Ukraine police collar six Clop ransomware gang suspects in joint raids with South Korean cops

Cobalt Strike and Flawedammyy RAT named as favoured tools

Ukrainian police have arrested six people, alleged to be members of the notorious Clop* ransomware gang, seizing cash, cars – and a number of Apple Mac laptops and desktops.

"It was established that six defendants carried out attacks of malicious software such as 'ransomware' on the servers of American and [South] Korean companies," alleged Ukraine's national police force in a statement published at lunchtime today.

Handout from Ukrainian Police boasting of seized cash from Clop ransomware gang

Ukrainian Police's stash of seized cash from Clop ransomware gang Pic via: Ukraine police

While the gang is notorious in the West for indiscriminately targeting well-off companies and extorting ransoms in exchange for decryption keys, its most shocking moment was when a poorly secured Accellion file transfer appliance gave the criminals access to defence contractor Bombardier. There the criminals were able to copy blueprints for an airborne early warning radar fitted to the company’s flagship AWACS-style military jet.

The six suspects were arrested in joint raids carried out with South Korean law enforcement authorities earlier today, cops in Ukraine said.

Back in December, Clop had targeted a South Korean retailer, E-Land, reportedly stealing two million credit card details over a 12-month period. Cops in South Korea apparently identified the Clop suspects soon after.

"Using remote access, the suspects activated malicious software 'Cobalt Strike', which provided information about the vulnerabilities of infected servers for further capture," continued the police statement, adding that the Clop gang had been seen deploying the Flawedammyy remote-access trojan after securing access to the victim's network.

John Hultquist, VP of Analysis, Mandiant Threat Intelligence, commented: "The Cl0p operation has been used to disrupt and extort organizations globally in a variety of sectors including telecommunications, pharmaceuticals, oil and gas, aerospace, and technology. The actor FIN11 has been strongly associated with this operation, which has included both ransomware and extortion, but it is unclear if the arrests included FIN11 actors or others who may also be associated with the operation.

"The arrests made by Ukraine are a reminder that the country is a strong partner for the US in the fight against cybercrime and authorities there are making the effort to deny criminals a safe harbor. This is especially relevant as President Biden and Putin discuss the state of cyberthreats emanating from Russia, including the ransomware threat, which has increasingly threatened critical infrastructure and the everyday lives of people around the world."

A video posted to YouTube by the police in Ukraine showed them seizing large amounts of cash, a white Tesla car, a black Mercedes and towing away other vehicles on trucks.

Youtube Video

In March, the Clop gang cheekily targeted infosec firm Qualys, dumping stolen data online in an apparent extortion attempt. Its steal-leak-ransom methodology was infamous; Trend Micro recently noted that out of the most notorious ransomware gangs (Conti, Doppelpaymer, Egregor, Clop and REvil), Clop led the way, with 5TB of stolen data published online in various places.

Among Clop's targets this year were various US institutions, with the Ukraine cops naming Stanford University Medical School, the University of Maryland and the University of California. One infosec source mused to The Register that while all three had fallen victim to attacks on outdated Accellion file-transfer appliances (a common attack vector in 2020/early 2021), so far ransomware attacks hadn't been publicly noted against those organisations.

F-Secure's Mikko Hypponen noted that despite the arrests, Clop's Tor blog – used for posting details of stolen files – was still online.

Usually when law enforcement scores a takedown of cyber crims, they also replace the targets' website with their own logos. The absence of a takedown page suggests Clop has active members who have control of the gang's web infrastructure.

"A criminal case under Part 2 of Art. 361 (Unauthorized interference in the work of computers, automated systems, computer networks or telecommunications networks) and Part 2 of Art. 209 (Legalization (laundering) of property obtained by criminal means) of the Criminal code of Ukraine. The defendants face up to eight years in prison. Investigative actions continue," concluded the Ukraine police statement. ®

* Also styled as Cl0p

More about


Send us news

Other stories you might like