Law enforcement officials in Ukraine, working with U.S. and Korean authorities, arrested six individuals alleged to be part of the Cl0p ransomware gang that counted U.S. universities among its targets.
The individuals and group are being charged for taking part in a 2019 ransomware attack on four Korean companies that infected more than 800 computers and servers, as well as more recent infections of Stanford University Medical Center, the University of Maryland and University of California in 2021. Ukrainian authorities pegged the total cost of damages from the attacks at $500 million and the defendants are facing charges that could result in up to 8 years in prison.
A five-minute video uploaded to YouTube June 16 by Ukrainian police shows law enforcement raids on suspects’ homes, using electric saws and battering rams to knock down doors, seizing phones and cars, and pulling hard currency and other evidence from safes. According to a translated announcement, a total of 5 million Ukrainian hrvvnias – or approximately $185,000 – was seized.
Authorities said the attack started with a successful email phish that allowed the actors to deploy the “FlawedAmmyy” Remote Access Trojan that exploits weaknesses in the source code of popular remote tool Ammy Admin. Upon gaining access, they used Cobalt Strike to scour the victim network for other vulnerabilities, encrypted the companies’ data and forced payment of an undisclosed ransom.
According to Palo Alto Networks’ Unit 42, Cl0p has been around since at least February 2019, starting out with indiscriminate spam email campaigns before evolving into a big game ransomware hunter targeting specific businesses.
One of the group’s most notable incidents took place earlier this year when they attempted to extort major companies like Shell, Qualys, Jones Day, Flagstar and others who utilized the Accellion file transfer system. Ransomware analysts say it’s still not clear whether ClOp operators were behind the compromise or acquired the data from another third party.
The raid on Cl0p is the latest in a series of law enforcement and policy actions taken by governments to crack down on ransomware, which has ballooned from a lucrative financial crime to a national security threat as major oil and gas pipeline operators, meat distributors and national healthcare systems have been ground to a halt following infection.
It comes the same day that U.S. President Joe Biden and Russian President Vladimir Putin are set to meet in a high profile diplomatic encounter where the threat of ransomware – and the Russian government’s indifference or tacit acceptance to the cybercrime industry growing and operating within its borders – is expected to be a major topic of discussion.
It’s still not clear who the six individuals were, their alleged connection or roles within Cl0p or their current legal status (the release refers to them as “defendants”). John Hultquist, vice president at Mandiant Threat Intelligence, said the group operates around the world and traditionally targets a wide range of industries.
"The Cl0p operation has been used to disrupt and extort organizations globally in a variety of sectors including telecommunications, pharmaceuticals, oil and gas, aerospace, and technology," said Hultquist in a statement. "The actor FIN11 has been strongly associated with this operation, which has included both ransomware and extortion, but it is unclear if the arrests included FIN11 actors or others who may also be associated with the operation."
Allan Liksa, a ransomware analyst at Recorded Future, told SC Media in an email that Cl0p’s hasn’t posted a new victim on their leak site since May 10, indicating a reduced level of recent activity. Liska said some groups, like REvil, are “sprawling or resilient” while others like DarkSide have much smaller headcounts. Depending on how central the six individuals were, it could have a substantial impact on Cl0p’s operations.
“It is entirely possible that the arrests today are enough to shut down Cl0p's operation – we saw that with the Egregor takedown earlier this year; even though not everyone was arrested it was enough to spook the rest of the group and they have not conducted operations since,” said Liska in an email.
Others expressed skepticism, with Intel 471 saying early indications are that the raids and individuals were tied to Cl0p's money laundering operation. They "do not believe that any core actors behind [Cl0p] were apprehended" and that the overall impact to their operations "is expected to be minor."
The raids come after international authorities have taken a series of actions against both operators of ransomware and the vast ecosystem of IT infrastructure and money laundering processes they rely on to get paid. Following the Colonial pipeline attack, groups like DarkSide, Avaddon, Babuk and others have either gone underground or rebranded, while botnets like Egregor and Trickbot that have been known to facilitate ransomware have also been subject to raids and seizures.
Liska said that more coordinated law enforcement actions are needed, and noted that they may be discouraging smaller players in the ransomware scene from further operations. However, while the actions appear to be having an effect on the behavior of some large ransomware groups, they are not meaningfully slowing down the pace of observed attacks.
“In the month after the Colonial Pipeline attack there were almost 280 publicly reported hands-on-keyboard ransomware attacks. But, we have definitely seen a lot of 2nd and 3rd tier ransomware groups decide it is not worth the risk any more,” said Liska.