
With Cl0p crackdown and REvil arrests, what effect do police have on ransomware?

Romanian police announced the arrest of members of the REvil ransomware group on Nov. 8. Pictured: The Romanian flag flies during an armed forces ceremony at Fort Myer, Va., Feb. 7, 2017. (Pfc. Gabriel Silva/US Army)

On Friday, Interpol announced two Red Notices to member nations to arrest members of the Cl0p ransomware group. Three days later, Romanian police announced the arrest of affiliates of the REvil ransomware group. The two operations highlight a few promising patterns in ransomware law enforcement.

The two Red Notices follow six arrests in Ukraine of Cl0p leadership in June, the first fruits of Interpol's now 30-month "Operation Cyclone" targeting the group. Cl0p is best known for its use in a spree of breaches of Accellion customers, including the security company Qualys.

Allan Liska, a ransomware expert at Recorded Future, said that up until the arrests Cl0p's leaks page posted around 15 sets of leaks a month. Since the arrests, that number has dropped to around eight.

That doesn't mean that Cl0p affiliates got out of the ransomware game; likely, it's more indicative of affiliates using Cl0p less and other ransomware services more.

"They may see Cl0p as tainted," said Liska. "In underground forums, affiliates shared news stories about the arrests. When bigger groups have problems, like REvil and BlackMatter, we'll see other groups like Conti or LockBit come in to say, 'Hey, why don't you switch to us?'"

While ransomware investigations have traditionally been one-off enforcement actions — a single set of arrests and then on to the next thing — Liska said the 30-month investigation was indicative of a newer era of continuous investigations that aren't quick to close up shop.

Operation Cyclone, based in Interpol's South Korean headquarters, was boosted by international private sector partners Trend Micro, CDI, Kaspersky Lab, Palo Alto Networks, Fortinet and Group-IB, as well as Korean firms S2W LAB and KFSI.

While the Cl0p arrests focused on the supplier of the ransomware used in the attacks, the ease with which affiliate groups can switch from Cl0p to Conti on a whim shows the need for law enforcement to simultaneously focus on the downstream players.

"I mean, yes, you need to take down the big groups — cut the head of the snake — but you also need to take care of all the feeders and make sure that the affiliates know that it's going to cost them, too," said Liska.

That is exactly what happened in the REvil case. Romanian authorities announced Monday that two REvil affiliates had been arrested Thursday of last week, and that those arrests led to five more by United States, South Korean and Kuwaiti police.

Those arrests were conducted with the support of Australia, Belgium, Canada, France, Germany, the Netherlands, Luxembourg, Norway, the Philippines, Poland, Romania, South Korea, Sweden, Switzerland, Kuwait, the United Kingdom, the United States of America, Europol and Interpol, according to the Romanian announcement.

The affiliates had been using REvil since its previous incarnation, GandCrab.

Also on Monday, the U.S. Justice Department announced recent actions taken against two foreign nationals charged with deploying Sodinokibi/REvil ransomware to attack businesses and government entities in the United States, including a Ukrainian national who was charged in the July 2021 Kaseya attack. A Russian national was also charged with using REvil ransomware in attacks in Texas on or about Aug. 16, 2019.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
