Law enforcement officials in Ukraine have arrested six members of Cl0p, a ransomware gang that most recently was associated with attacks on Stanford University Medical School and on victims of an earlier breach at enterprise firewall company Accellion.
In a press statement Wednesday, the Cyberpolice of Ukraine described the arrests as the result of an international operation involving law enforcement authorities from Korea, the United States, and Interpol. As part of the operation, Ukrainian police searched 21 homes in the capital city of Kiev and the surrounding region.
A video of the takedown shows officials seizing multiple luxury automobiles, computers, and the equivalent of about $185,000 in cash during the raids. In at least one instance, armed police are seen using what appears to be a gas-powered tool to cut through a locked door. In an earlier segment of the video, police are seen preparing to use the same gas-cutter when someone voluntarily opens the door. The video shows what appears to be Korean police officials observing the raids.
It’s unclear whether the six individuals who were arrested were the ringleaders of the operation or lower-level operatives. Ukrainian police described the Cl0p gang as responsible for over $500 million in damages to organizations in different parts of the world, including Korea and the United States. The six arrested individuals have been charged under Ukrainian law with offenses related to unauthorized access to computers, automated systems, and telecommunication networks. In addition, they have been accused of laundering money obtained through criminal means. The individuals face up to eight years in prison if convicted on all charges.
The US Department of Justice did not immediately respond to a Dark Reading request seeking confirmation of the reported US participation in the takedown.
The Cl0p arrests add to a recent string of successes for international law enforcement against cybercrime groups beginning with the takedown of the notorious Emotet botnet operation in early January. That operation resulted in a noticeable decline in malware, exploit, and botnet activities in the first quarter of 2021, though security experts have said they expect the lull to be only temporary. The same week of the Emotet takedown, US authorities announced they had seized a dark website, arrested a Canadian national, and recovered $500,000 in stolen money associated with the Netwalker ransomware operations.
Other notable interdictions against cybergangs in recent months include the takedown of the Egregor ransomware group by Ukrainian and French authorities this February. In June, just days after Colonial Pipeline confirmed it had paid ransomware group DarkSide more than $4 million following a crippling attack, US authorities announced they had recovered some $2.3 million of the ransom payment.
Few expect the string of arrests and takedowns to slow down ransomware attacks by much in the short term. But they appear to have at least some criminal groups rethinking their strategies.
Kim Bromley, senior cyberthreat intelligence analyst at Digital Shadows, points to a recent decision by ransomware-as-a-service (RaaS) group Avaddon as one example. Earlier this month, the group said it was shutting down its operations over concerns of law enforcement actions and handing over decryption keys for 2,000 of its victims to a technology news site.
“Ziggy,” another ransomware operator, made a similar decision to quit — and for the same reasons — earlier this year, and DarkSide, the group behind the Colonial Pipeline attack, called it quits after its bitcoin stash and servers were seized.
Making Criminals Think Twice
The consternation over the Colonial Pipeline hack — and subsequent reports about the US equating ransomware attacks to terror attacks — also prompted some prominent underground forums to ban ransomware and RaaS advertising, sales, and other activity on their sites recently.
“While these arrests may make some ransomware operators think twice, it is unlikely that the threat of law enforcement action will be enough to halt them entirely,” Bromley says. “For many cybercriminals, the possibility of arrest is an accepted risk, and they will change tactics often to avoid detection.”
She also says it’s unlikely that ransomware attacks will slow down immediately because of recent law enforcement actions. Law enforcement and governments therefore need to build on the momentum they have achieved by publicizing every action taken against ransomware, she adds.
“Every mention will remind ransomware operators that the pressure is on,” she says.
The Cl0p ransomware operation, though relatively well-known, is considered smaller than other groups, such as those behind REvil, aka Sodinokibi, Maze, Conti, and Netwalker. Industry analysts therefore think it’s unlikely that the group’s departure from the scene — if that is what this week’s arrests lead to — will change attack volumes by much.
“Although these takedowns, which usually target the most active ransomware groups, can have a short-term effect on disrupting ransomware operations, historically the vacuums left by these groups have been quickly filled by others,” says Andras Toth-Czifra, senior analyst at Flashpoint, which has been tracking Cl0p’s activities.
One issue is that while countries such as Ukraine have been willing to cooperate with the US on takedown operations, authorities in Russia, where a lot of ransomware activity is taking place, have been less willing to do so, he says. The fact that news of the arrests broke on the day of the Geneva summit is significant, Toth-Czifra says.
“We know that cybersecurity concerns were raised in the exchange between Presidents Biden and Putin,” he says.
If it emerges that the arrests that took place in Ukraine did not bring down the main infrastructure of Cl0p because it is situated in Russia, it will show the latter has assumed a more cooperative stance toward ransomware operators, Toth-Czifra says.
Oliver Tavakoli, CTO at Vectra, says the recent efforts by law enforcement represent a good start to long-term disruption of the ransomware economy.
“When the likelihood of repercussions rises, fewer people will be drawn into the business of ransomware,” Tavakoli notes.
Actions like infrastructure disruptions and ransom recovery make ransomware less lucrative, so fewer people will be drawn to the ecosystem, he adds.
“It will require concerted and prolonged pushes to bend this curve in a positive direction, but these efforts represent a credible start,” Tavakoli says.