Image: Cyberpolice Ukraine
Ukrainian police, together with Interpol and law enforcement agencies from South Korea and the United States, have arrested members of the notorious ransomware group known as Cl0p, according to a press release from Ukrainian police.
On Wednesday, the Cyber Police Department of Ukraine’s National Police announced the arrests, referring to six defendants, and said it had carried out 21 searches of suspected hackers’ homes and cars in and around Kiev. Police said they seized 5 million Ukrainian hryvnias (around $180,000), computers and cars.
Police released a video of the raids, which shows local law enforcement officers, as well as South Korean officers, entering suspects’ homes, searching their belongings and counting cash. The video also shows officers attempting to access seized devices using equipment from Cellebrite, the Israeli digital forensics company.
It is not known how many people were arrested, or whether the arrests reached the core developers and hackers behind the gang. As of Wednesday morning, Cl0p’s dark web leak site was still online.
Ukrainian cyber police said in an email to Motherboard that they had “identified six criminals,” but “cannot name the people involved and other details except those mentioned in our post, so as not to interfere with the investigation.”
Over the past few months, Cl0p has claimed dozens of victims, encrypting their files and demanding a ransom. More recently, the hackers have also extorted victims by threatening to publish stolen files on their dark web leak site, which listed 57 companies as of Wednesday.
Those victims include the oil giant Shell, the security company Qualys, the American bank Flagstar, the controversial global law firm Jones Day, Stanford University and the University of California, among many others. The hackers were able to breach some of these victims by exploiting a vulnerability in Accellion’s File Transfer Appliance (FTA), a file sharing product used by about 300 organizations around the world, according to Accellion.
Security researchers have followed Cl0p for years and described the gang as a “criminal enterprise” which is “ruthless”, “sophisticated and innovative”, “well organized and well structured” and “very active, almost tireless”.
When Motherboard profiled the group in April, some of the researchers who had followed it for years predicted that the gang would not last long.
“It is only a matter of time before they make a mistake that will help law enforcement identify its members,” said Antonis Terefos, a researcher at SentinelOne who has studied the group.
Researchers from Talon, a division of the South Korean cybersecurity firm S2W Lab, which also tracks Cl0p, said that “if the criminals kept doing something, no matter how quiet they were, they would end up getting caught.”
“Recently there are tons of ransomware gangs and thief operators,” researchers said in an email to Motherboard. “We will continue to follow them and analyze the crime until they make decisive mistakes.”
Do you know the inner workings of Cl0p or another ransomware gang? We would love to hear from you. Using a non-work phone or computer, you can securely contact Lorenzo Franceschi-Bicchierai on Signal at +1 917 257 1382, lorenzofb on Wickr, OTR chat at [email protected], or by email at [email protected]
Subscribe to our cybersecurity podcast, CYBER.