Police in Ukraine arrested hackers from the ransomware group Cl0p, seizing high-end computers, luxury cars, and 5 million Ukrainian hryvnia ($185,000) in cash, authorities said.
The Ukrainian cyber police department worked alongside the National Police of Ukraine, Interpol, South Korean, and American law enforcement to take the gang members into custody. Six members of Cl0p (or Clop) are now behind bars, accused of cyberattacks against four Korean companies and three U.S. universities. Damages in the attacks reached $500 million, the statement said.
The victimized universities named were Stanford University Medical School, the University of Maryland, and the University of California. Though the South Korean companies weren’t named in the statement, Clop spent nearly a year stealing two million credit card details from Seoul-based retailer E-Land.
The Many Victims of Cl0p Ransomware Attacks
Plenty of other victims have been traced back to Cl0p, with universities topping the list of its favorite targets, including the University of Miami and the University of Colorado in the United States. In the Netherlands and Belgium, Cl0p hit Maastricht University and the University of Antwerp respectively.
In one of their most far-reaching attacks, Clop took advantage of a vulnerability in Accellion File Transfer Appliance (FTA) servers to steal customer data. Companies use FTA services to share files that are too large for an email with individuals outside their organization. Since Accellion is a third-party provider of these hosted FTA services, the attack was extensive.
Cl0p used the stolen data for extortion, reportedly demanding upwards of $10 million in Bitcoin from victims. In these kinds of ransomware attacks, the payment is demanded in exchange for the stolen data. If the victims don’t pay up, the group threatens to post their stolen data on the dark web. Renowned law firm Jones Day was just one of these victims.
What is Cl0p Ransomware?
Cl0p is a different kind of malware because it attacks entire computer networks, not just individual computers. Once Cl0p gets inside the network, it encrypts files and adds a .clop extension to all filenames.
In order to take over Windows files, Clop terminates Windows processes, notably Windows Defender. The ransomware can also close down Microsoft Office, Steam, and a variety of browsers.
Clop also disables any possible data or backup recovery on infected systems. Clop either encrypts or deletes any backups, and reformats connected backup disks. The network is effectively held hostage.
Users on the network will find a readme file on their devices once the cyberattack is finished. It’s usually a message with a ransom demand, and details on making ransom payments. If paid, attackers will supposedly decrypt the files and return control of the network.
Clop was discovered in February 2019 but is constantly evolving and becoming more sophisticated in its attacks.
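The behaviour described above (a burst of files renamed with a .clop extension, followed by a readme ransom note) is something a defender can look for in file-activity telemetry. The following is an added example, not code from the article or from any product: it runs a simple sliding-window detector over a constructed file-event log whose format, host names and paths are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

CLOP_EXT = ".clop"

# Constructed sample log (not a real capture): "<timestamp> <host> <event> <path>".
# RENAME events carry the path as "old->new".
SAMPLE_LOG = """\
2021-06-16T09:00:01 ws-17 RENAME C:\\Shares\\fin\\q1.xlsx->C:\\Shares\\fin\\q1.xlsx.clop
2021-06-16T09:00:02 ws-17 RENAME C:\\Shares\\fin\\q2.xlsx->C:\\Shares\\fin\\q2.xlsx.clop
2021-06-16T09:00:02 ws-17 RENAME C:\\Shares\\fin\\notes.docx->C:\\Shares\\fin\\notes.docx.clop
2021-06-16T09:00:03 ws-17 RENAME C:\\Shares\\fin\\plan.pdf->C:\\Shares\\fin\\plan.pdf.clop
2021-06-16T09:00:04 ws-17 RENAME C:\\Shares\\fin\\budget.xlsx->C:\\Shares\\fin\\budget.xlsx.clop
2021-06-16T09:00:05 ws-17 CREATE C:\\Shares\\fin\\readme.txt
2021-06-16T09:30:00 ws-04 RENAME C:\\Users\\bob\\draft.docx->C:\\Users\\bob\\final.docx
2021-06-16T11:12:00 ws-09 RENAME C:\\tmp\\x.log->C:\\tmp\\x.log.clop
"""

def parse(line):
    """Split one log line into (timestamp, host, event, path)."""
    ts, host, event, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, event, path

def detect(log, threshold=5, window=timedelta(seconds=60)):
    """Flag hosts that rename at least `threshold` files to .clop within `window`,
    and record whether a readme*.txt note was dropped on that host."""
    renames = defaultdict(list)   # host -> timestamps of .clop renames
    notes = set()                 # hosts on which a readme*.txt was created
    for line in log.strip().splitlines():
        ts, host, event, path = parse(line)
        if event == "RENAME":
            new_path = path.split("->", 1)[1]
            if new_path.lower().endswith(CLOP_EXT):
                renames[host].append(ts)
        elif event == "CREATE":
            name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if name.startswith("readme") and name.endswith(".txt"):
                notes.add(host)
    alerts = []
    for host, stamps in renames.items():
        stamps.sort()
        # Sliding window: any run of `threshold` renames inside `window` is a burst.
        burst = any(stamps[i + threshold - 1] - stamps[i] <= window
                    for i in range(len(stamps) - threshold + 1))
        if burst:
            alerts.append({"host": host, "clop_renames": len(stamps),
                           "ransom_note": host in notes})
    return alerts
```

A single stray .clop rename (ws-09) stays below the threshold, while the mass rename plus note on ws-17 is flagged; in a real deployment the threshold and window would be tuned to the environment's normal rename rate.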
A Larger Problem in Stolen Data and Ransomware Gangs
The raid comes at a time when ransomware is dominating international cybersecurity concerns. Clop’s attacks on high-profile companies and universities were just a drop in the bucket. Russian and Eastern European ransomware gangs are attacking all kinds of targets.
A ransomware attack wreaked havoc on one of the largest fuel pipelines in the US when it caused the Colonial Pipeline to shut down earlier this year. The Russian criminal gang DarkSide is suspected to be behind that attack. The Washington DC Metropolitan Police was reportedly hacked by the Russian Babuk ransomware gang, while JBS Foods was supposedly hacked by REvil. The Belgian government’s computer network Belnet also experienced debilitating cyberattacks in 2021.
In light of these attacks on the United States, Jerome Powell, Chair of the Federal Reserve, says cyberattacks are currently the biggest threat to the economy.