Hackers from Cl0p ransomware group arrested, infrastructure seized

The Cl0p ransomware group has been busted in Ukraine while its cyberinfrastrusture has been seized in Ukraine by law enforecment agencies.

This year, Cl0p ransomware operators have regularly appeared in the news. The group has been striking businesses worldwide espicially to extort money from businesses based in the United States.

In the latest, the Ukrainian police has confirmed carring out an operation against hackers affiliated with Cl0p ransomware. The operation was a joint collaboration with law enforcement agencies from the USA and South Korea.

According to Ukranian authorities, the suspects used Cl0p encryption software to demand ransom from their victims in exchange for the access key. The police didn’t disclose the identities of the suspects but revealed that they used Cl0p ransomware to target victims.

Double-Extorsion Used to Threaten Victims

Ukrainian police have revealed that the hackers used a double-extortion strategy to threaten their victims of possible data leakage if they don’t pay the ransom. It is estimated that six hackers were involved in an attack that occurred in 2019 and impacted 810 computers of an unnamed company in South Korea. In this attack, the group also used Flawedammyy RAT to compromise the targeted devices.

$500 Million in damaged Incurred

As previously reported by Hackread.com, Cl0p ransomware operators attacked and encrypted personal data from 6 universities in the United States including the University of California, the University of Maryland, and Stanford University Medical School.

The same group was behind breaching the following:



Jones Day

Software AG

Aviation giant Bombardier

Pharmacutial giant ExecuPharm

Ukrainian police claim that $500 million in damages have been incurred so far, but it is unclear if anyone was arrested in operation. Moreover, Ukrainian authorities revealed that they have shut down the infrastructure used to spread the virus and blocked channels used to legalize ransom payment in cryptocurrencies.

Images shared by the Ukrainan Cyber Police

About the Operation

The Ukrainian police have posted a video of the operation to provide details of how it was conducted. A total of 21 searches were carried out in the capital city of Kyiv, during which the houses and vehicles of suspects were searched. More than $180,000 in cash in Ukrainian currency was seized by the police.

Cl0p Ransomware Group Breaking the Boundaries

Lately, the Cl0p ransomware operators have been making news left, right, and center. They are now regarded as the ‘big game hunter’ due to the sheer volume of their attacks. The group and its associates have carried out mass attacks against Shell oil company and US bank Flagstar.

Between January and February 2021, the group targeted Broward County Public Schools in Florida, where they demanded $40 million in ransom, Canada-based business/commercial aircraft manufacturer Bombardier, and gained access to financial and passport documents of faculty and students of six high-profile US universities.

Victims of Cl0p ransomware according to the group’s website (Image: Hackread.com)

The group is reportedly associated with a larger group of hackers known as TS505 and F1N11.

Expert comment

In a conversation with Hackread.com, John Hultquist, VP of Analysis, Mandiant Threat Intelligence said that: “The Cl0p operation has been used to disrupt and extort organizations globally in a variety of sectors including telecommunications, pharmaceuticals, oil and gas, aerospace, and technology.

“The actor FIN11 has been strongly associated with this operation, which has included both ransomware and extortion, but it is unclear if the arrests included FIN11 actors or others who may also be associated with the operation,Hultquist added

“The arrests made by Ukraine are a reminder that the country is a strong partner for the US in the fight against cybercrime and authorities there are making the effort to deny criminals a safe harbor. This is especially relevant as President Biden and Putin discuss the state of cyberthreats emanating from Russia, including the ransomware threat, which has increasingly threatened critical infrastructure and the everyday lives of people around the world,” Hultquist noted.

At the time of publishing this article, the official website of Cl0p ransomware gang was still online and available for visitors through Tor browser.

Did you enjoy reading this article? Like our page on Facebook and follow us on Twitter.

Related Posts