The Ukrainian authorities have made several arrests and seized multiple assets in a major takedown of the Cl0p (or Clop) ransomware operation that has also seen the disruption of a number of channels used by the gang to launder cryptocurrency.
The operation was conducted by the Cyberpolice Department alongside the Main Investigation Department of Ukraine’s National Police, with assistance from Interpol and law enforcement from South Korea and the US.
Six people are now in custody accused of carrying out ransomware attacks against four Korean companies and three US universities – named as Stanford Medical School, the University of Maryland and the University of California.
In a statement translated by Computer Weekly using Google services, the Ukrainian National Police said: “Law enforcement officials conducted 21 searches in the capital and Kiev region, in the homes of the defendants and in their cars. A unit of the Tactical and Operational Response of the Patrol Police was involved in the searches. Computer equipment, cars, and about 5m hryvnias [£130,750, €152,280 or $184,560] in cash were confiscated. The property of the perpetrators was seized.
“A criminal case under Part 2 of Article 361 (unauthorised interference in the work of computers, automated systems, computer networks or telecommunications networks) and Part 2 of Article 2019 (legalisation – laundering – of property obtained by criminal means) of the criminal code of Ukraine. The defendants face up to eight years in prison. Investigative actions continue.”
The Ukrainian authorities said the Cl0p crew caused $500m in damages during its multi-year crime spree, with other known victims including German software company Software AG and Maastricht University in the Netherlands.
According to Palo Alto’s Unit 42 research team, Cl0p’s activity had been ramping up in 2021 – it attacked multiple organisations affected by the Accellion supply chain incident – with targets spread across the wholesale and retail, transportation and logistics, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, professional and legal services, healthcare and high-tech sectors worldwide.
As with many other groups, Cl0p practised double extortion and named and shamed its victims on a Tor leak site.