As a result of a joint operation carried out by law enforcement agencies and the cyber police of Ukraine, South Korea and the United States, with the assistance and coordination of Interpol, six suspects linked to the notorious Clop ransomware were arrested.
Sources close to the investigation told The Record that South Korean police launched an investigation into the hackers last year, after the group attacked the South Korean e-commerce giant e-Land in November 2020. Because of this attack, the Korean company closed almost all of its stores.
Ukrainian police say they conducted 21 searches in the capital and the Kiev region, in the homes and cars of the defendants. Computer equipment, cars (Tesla, Mercedes and Lexus) and about 5 million hryvnia in cash (about $183 thousand) were seized; according to the authorities, the money had been received from the victims as ransoms. The property of the suspects has been seized.
After the operation, authorities said they had successfully shut down the hackers’ server infrastructure that had been used to carry out past attacks.
Interestingly, according to information from the information security company Intel 471, the Ukrainian authorities arrested people who were involved only in money laundering for the Clop operators, while the main members of the group are most likely in Russia.
The first Clop attacks were recorded back in February 2019. Researchers consider this group a “big game hunter”: the hackers attack only large networks and companies, not home users.
Over two and a half years of activity, Clop operators hacked many large corporations and demanded ransoms of tens of millions of US dollars from each victim. If the victims refused to pay, the attackers resorted to double extortion tactics, threatening to publish the victims’ data on their website on the darknet (it should be noted that, despite the arrests, the site is still working).
According to Fox-IT’s November 2020 report, Clop operators are closely associated with the hack group TA505, which allows the attackers to deploy Clop on computers previously infected with the SDBbot malware.
Also, according to FireEye, Clop operators made a deal with the FIN11 criminal group, allowing FIN11 members to use data that the hackers had previously stolen from compromised Accellion FTA devices.
Let me remind you that I also wrote that France is looking for LockerGoga ransomware developers in Ukraine.