Law Enforcement Operation Targets Clop RansomwareInterpol Details 6 Suspected Members Tied to Money Laundering and Data Leaking
Following the arrest of suspected Clop ransomware operation members in Ukraine, Red Notices issued by Interpol seek the arrest of six more members of the Russian-speaking crime group, as part of what law enforcement agencies have dubbed Operation Cyclone.
The agency issued two Red Notices on Friday, alerting its 194 member countries following a request by South Korea’s cybercrime investigation division via Interpol’s National Central Bureau in Seoul.
A Red Notice is a request to law enforcement agencies worldwide to locate and provisionally arrest a person pending extradition, surrender or similar legal action, according to Interpol.
The notices were issued following the Ukraine arrest of six members of a notorious Clop ransomware family during a global operation coordinated by Interpol and also involving law enforcement agencies in South Korea, the U.S. and the National Police of Ukraine in June. (See: Ukraine Arrests 6 Clop Ransomware Operation Suspects)
Interpol did not immediately respond to a request for comment.
At the time of the operation in June, police in Ukraine said that the officers conducted 21 searches in the capital of Kyiv and the surrounding region, searching defendants' homes and cars, and seizing computer equipment, cars and about $185,000 in cash.
The police also said they disrupted infrastructure used in attacks.
News of the arrests came just hours before U.S. President Joe Biden was set to meet Russian President Vladimir Putin at a summit in Geneva.
Biden pushed Putin to do more to curtail global cyberattacks being launched by individuals from inside Russia's borders. Leading industrial nations at a meeting in England also called on "all states to urgently identify and disrupt ransomware criminal networks operating from within their borders and hold those networks accountable for their actions."
Operation Cyclone follows international law enforcement authorities investigating attacks against Korean companies and U.S. academic institutions by the Clop ransomware threat group.
The operation was coordinated from Interpol's cyber fusion center in Singapore.
In June, authorities said that the defendants had been involved in attacks against organizations in South Korea and the U.S., including Stanford University Medical School, the University of Maryland and the University of California.
Police say attacks in 2019 against just four unnamed South Korean firms resulted in 810 servers and PCs being crypto-locked by Clop ransomware.
As part of those attacks, police say, the Clop operation used a variety of tools, including pushing the FlawedAmmyy RAT onto systems to provide remote access and running Cobalt Strike penetration testing software to find exploitable vulnerabilities that would allow attackers to move across the network and infect more systems.
"Clop malware operators in Ukraine allegedly attacked private and business targets in Korea and the US by blocking access to their computer files and networks, and then demanded extortionate ransoms for restoring access. The suspects are thought to have facilitated the transfer and cash-out of assets on behalf of the ransomware group whilst also threatening to make sensitive data public if additional payments were not made," Interpol states.
If convicted of the hacking and money laundering charges against them, the suspects face up to eight years in prison.
Clop runs a ransomware-as-a-service operation. It offers a portal that affiliates can use to generate crypto-locking malware and then infect victims. Every time a victim pays, the operator and affiliate share the profits.
Interpol says that it deployed Operation Cyclone with the assistance of its private partners Trend Micro, CDI, Kaspersky Lab, Palo Alto Networks, Fortinet and Group-IB through Project Gateway, which shares vital information with the agency.
Project Gateway helps law enforcement agencies generate threat data from multiple sources and enables police authorities to prevent attacks.
“Despite spiraling global ransomware attacks, this police-private sector coalition saw one of global law enforcement’s first online criminal gang arrests, which sends a powerful message to ransomware criminals, that no matter where they hide in cyberspace, we will pursue them relentlessly,” says, Craig Jones, director of cybercrime at Interpol.
Interpol also reports that two South Korea-based cyberthreat companies, S2W LAB and KFSI, provided it with valuable dark web data analysis throughout the operation.
"Operation Cyclone continues to supply evidence that is feeding into further cybercrime investigations and enabling the international police community to disrupt numerous channels used by cybercriminals to launder cryptocurrency," Interpol states.