Ukrainian law enforcement officials announced Wednesday that they had arrested several individuals involved in criminal activity committed by the Clop ransomware gang, a cybercriminal gang that helped popularize the “double extortion” model of not only threatening to encrypt a victim’s files, but also threatening to release confidential data that was stolen in an earlier breach.
According to a press release issued by Ukrainian authorities, law enforcement officials also shut down infrastructure that was used to spread the cybercrime gang’s ransomware, which was first spotted in February of 2019 as a new variant of the Cryptomix family.
"Together, law enforcement has managed to shut down the infrastructure from which the virus spreads and block channels for legalizing criminally acquired cryptocurrencies," the press release reportedly said, according to a translation from BleepingComputer. “Law enforcement officers conducted 21 searches in the capital and Kyiv region, in the homes of the defendants, and in their cars."
Ukrainian law enforcement reportedly said that the Clop ransomware gang has caused roughly $500 million in financial damages, and that the individuals arrested could face up to eight years in prison.
As seen in a video of the arrests, Ukrainian officers were aided by investigators from South Korea. BleepingComputer reported that the arrest effort also included coordination from officials in the United States. In the video, nearly $30,000 are laid out in the floor, in $100 bills, and several cars, including a Mercedes Benz, a Tesla, and a Lexus, are taken away.
The international coordination effort represents at least the second time this year that countries have come together to fight cybercrime. In January, a coalition of countries collaborating through Europol helped take down Emotet by also attacking its infrastructure.
But whereas the Emotet takedown seems to have caused a significant disruption to that cyberthreat, the arrests made against Clop could present a smaller roadblock. That’s because, according to the cybersecurity company Intel 471, none of the actual members of the Clop ransomware gang were caught.
Instead, the arrests involved money launderers, Intel 471 said.
"The law enforcement raids in Ukraine associated with CLOP ransomware were limited to the cash-out/money laundering side of CLOP's business only," Intel 471 told BleepingComputer. "We do not believe that any core actors behind CLOP were apprehended and we believe they are probably living in Russia.”
The arrests also represent the second time in weeks that authorities have targeted a cybercrime gang by following the money. In early June, the US Department of Justice announced that it had recovered the majority of the ransom payment made by Colonial Pipeline to its attackers, the cybercriminal group called Darkside. By tracking the ransomware payment through the public Bitcoin ledger, the Department of Justice and the FBI managed to retrieve 63.7 bitcoins.
Cryptocurrencies have long been abused to fund cybercrime, and, perhaps with the recent retrieval of Colonial Pipeline's ransom payment, that intersection will continue to be closely scrutinized. If so, it would fall in line with the Ransomware Task Force's recommendations made in April, which suggested that governments lean further into regulating cryptocurrency.
While Clop was not particularly active last year—it did not enter our top 10 malware threats for businesses or consumers in 2020—the operators behind the ransomware still found ways to squeeze their victims. Inspired last year by the ransomware group Maze, Clop infiltrated company networks to steal sensitive data and then demanded that those organizations pay a ransom to keep the data secret. But this year, Clop refined that tactic by targeting corporate executives’ machines, hoping that executives would have more access to sensitive files and data. The idea was simple: Better access to sensitive data, better chance that a victim will pay to keep that data from being published.
As of Wednesday afternoon, according to BleepingComputer, Clop’s Tor payment site and data leak site were still operational.