Ukraine arrests Cl0p ransomware gang members, seizes servers

Ukrainian law enforcement arrested cybercriminals associated with the Clop ransomware gang and shut down infrastructure used in attacks targeting victims worldwide since at least 2019.

According to the Cyberpolice Department of the National Police of Ukraine the ransomware group is behind total financial damages of roughly $500 million.

"Together, law enforcement has managed to shut down the infrastructure from which the virus spreads and block channels for legalizing criminally acquired cryptocurrencies," Ukrainian authorities said.

"Law enforcement officers conducted 21 searches in the capital and Kyiv region, in the homes of the defendants, and in their cars."

"The defendants face up to eight years in prison. Investigative actions continue. Procedural guidance is provided by the Office of the Prosecutor General of Ukraine."

Based on Ukrainian police's press release, it is not yet clear if the arrested individuals are affiliates or core members of the ransomware operation.

The cybercriminals were arrested following an international operation in conjunction with law enforcement officers from the United States and the Republic of Korea.

In addition to encrypting attacks, the Clop ransomware gang was linked to the recent wave of Accellion data breaches which led to a drastic increase in average ransom payments calculated for the first three months of 2021.

While as part of regular ransomware attacks the victims' data is encrypted, Clop's attacks did not encrypt a single byte but instead exfiltrated large amounts of data from high-profile companies that used Accellion's legacy File Transfer Appliance (FTA).

The gang used the stolen data as leverage to extort the compromised companies with high ransom demands.

Previously, Clop ransomware was also behind attacks on Maastricht University, Software AG IT, ExecuPharm, Indiabulls, and E-Land, where they also claimed to have stolen 2 million credit cards.

Clop's Tor payment site and data leak site are still operational, so it looks like the Clop ransomware operation has not been completely shut down at this time.