Ukraine Police Disrupt Cl0p Ransomware Operation

Growing list of similar actions in recent months may finally be scaring some operators into quitting, but threat is far from over, security experts say.

Law enforcement officials in Ukraine have arrested six members of Cl0p, a ransomware gang that most recently was associated with attacks on Stanford University Medical School and on victims of an earlier breach at enterprise firewall company Accellion.

In a press statement Wednesday, the Cyberpolice of Ukraine described the arrests as resulting from an international operation involving law enforcement authorities from Korea, the United States, and Interpol. As part of the operation, Ukrainian police conducted searches in 21 homes in the capital city of Kiev and in the general region.

A video of the takedown shows officials seizing multiple luxury automobiles, computers, and the equivalent of about $185,000 in cash during the raids. In at least one instance, armed police are seen using what appears to be a gas-powered tool to cut through a locked door. In an earlier segment of the video, police are seen preparing to use the same gas-cutter when someone voluntarily opens the door. The video shows what appears to be Korean police officials observing the raids.

It's unclear whether the six individuals who were arrested were the ringleaders of the operation or lower-level operatives. Ukrainian police described the Cl0p gang as responsible for over $500 million in damages to organizations in different parts of the world, including Korea and the United States. The six arrested individuals have been charged under Ukrainian law with offenses related to unauthorized access to computers, automated systems, and telecommunication networks. In addition, they have been accused of laundering money obtained through criminal means. The individuals face up to eight years in prison if convicted on all charges.

The US Department of Justice did not immediately respond to a Dark Reading request seeking confirmation of the reported US participation in the takedown.

The Cl0p arrests add to a recent string of successes for international law enforcement against cybercrime groups, beginning with the takedown of the notorious Emotet botnet operation in early January. That operation resulted in a noticeable decline in malware, exploit, and botnet activity in the first quarter of 2021, though security experts have said they expect the lull to be only temporary. The same week as the Emotet takedown, US authorities announced they had seized a dark web site, arrested a Canadian national, and recovered $500,000 in stolen money associated with the Netwalker ransomware operations.

Other notable interdictions against cybergangs in recent months include the takedown of the Egregor ransomware group by Ukrainian and French authorities this February. In June, just days after Colonial Pipeline confirmed it had paid ransomware group DarkSide more than $4 million following a crippling attack, US authorities announced they had recovered some $2.3 million of the ransom payment.

Few expect the string of arrests and takedowns to slow down ransomware attacks by a whole lot in the short term. But they appear to have at least some criminal groups rethinking their strategies.

Image: Cyberpolice of Ukraine

Kim Bromley, senior cyberthreat intelligence analyst at Digital Shadows, points to a recent decision by ransomware-as-a-service (RaaS) group Avaddon as one example. Earlier this month, the group said it was shutting down its operations over concerns of law enforcement actions and handing over decryption keys for 2,000 of its victims to a technology news site.

"Ziggy," another ransomware operator, made a similar decision to quit — and for the same reasons — earlier this year, and DarkSide, the group behind the Colonial Pipeline attack, called it quits after its bitcoin stash and servers were seized.

Making Criminals Think Twice
The consternation over the Colonial Pipeline hack — and subsequent reports about the US equating ransomware attacks to terror attacks — also prompted some prominent underground forums to ban ransomware and RaaS advertising, sales, and other activity on their sites recently.

"While these arrests may make some ransomware operators think twice, it is unlikely that the threat of law enforcement action will be enough to halt them entirely," Bromley says. "For many cybercriminals, the possibility of arrest is an accepted risk, and they will change tactics often to avoid detection."

She also says it's unlikely that ransomware attacks will slow down immediately because of recent law enforcement actions. So law enforcement and governments need to build on the momentum they have achieved by publicizing all action taken against ransomware.

"Every mention will remind ransomware operators that the pressure is on," she says.

The Cl0p ransomware operation, though relatively well-known, is considered smaller than other groups, such as those behind REvil, aka Sodinokibi, Maze, Conti, and Netwalker. Industry analysts therefore think it's unlikely that the group's departure from the scene — if that is what this week's arrests lead to — will change attack volumes by much.

"Although these takedowns, which usually target the most active ransomware groups, can have a short-term effect on disrupting ransomware operations, historically the vacuums left by these groups have been quickly filled by others," says Andras Toth-Czifra, senior analyst at Flashpoint, which has been tracking Cl0p's activities.

One issue is that while countries such as Ukraine have been willing to cooperate with the US on takedown operations, authorities in Russia, where a lot of ransomware activity is taking place, have been less willing to do so, he says. The fact that news of the arrests broke on the day of the Geneva summit is significant, Toth-Czifra says.

"We know that cybersecurity concerns were raised in the exchange between Presidents Biden and Putin," he says.

If it emerges that the arrests that took place in Ukraine did not bring down the main infrastructure of Cl0p because it is situated in Russia, it will show the latter has assumed a more cooperative stance toward ransomware operators, Toth-Czifra says.

Oliver Tavakoli, CTO at Vectra, says the recent efforts by law enforcement represent a good start to long-term disruption of the ransomware economy.

"When the likelihood of repercussions rises, fewer people will be drawn into the business of ransomware," Tavakoli notes.

Actions like infrastructure disruptions and ransom recovery make ransomware less lucrative, so fewer people will be drawn to the ecosystem, he adds.

"It will require concerted and prolonged pushes to bend this curve in a positive direction, but these efforts represent a credible start," Tavakoli says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
