Ukraine Arrests 6 Clop Ransomware Operation SuspectsClop's Data Leak Extortion Site Hosted Stolen Accellion File Transfer Appliance Data
Just before Wednesday's U.S.-Russia summit at which cybercrime was high on the agenda, authorities in Ukraine announced they had busted six suspected members of the Clop ransomware operation.
See Also: Top 50 Security Threats
The arrests were made as part of an ongoing, international operation coordinated by Interpol and also involving law enforcement agencies in South Korea and the U.S., the National Police of Ukraine said Wednesday.
Police in Ukraine say officers conducted 21 searches in the capital of Kyiv and the surrounding region, searching defendants' homes and cars, and seizing computer equipment, cars and about $185,000 in cash. Police say they also disrupted infrastructure used in attacks.
Authorities say the defendants were involved in attacks against organizations in South Korea and the United States, including Stanford University Medical School, the University of Maryland, and the University of California.
Police say attacks in 2019 against just four unnamed South Korean firms resulted in 810 servers and PCs being crypto-locked by Clop ransomware. As part of those attacks, police say the Clop operation used a variety of tools, including pushing "FlawedAmmyy" RAT onto systems to provide remote access and running Cobalt Strike penetration testing software to find exploitable vulnerabilities, allowing attackers to move across the network and infect more systems.
If convicted of the hacking and money laundering charges against them, the suspects face up to eight years in prison.
Interpol did not immediately respond to a request for comment.
News of the arrests came just hours before U.S. President Joe Biden was set to meet Russian President Vladimir Putin at a summit in Geneva on Wednesday. Biden has been calling on Putin to do more to curtail global cyberattacks being launched by individuals from inside Russia's borders. Leading industrial nations on Sunday, at a meeting in England, also called on "all states to urgently identify and disrupt ransomware criminal networks operating from within their borders and hold those networks accountable for their actions."
"The arrests made by Ukraine are a reminder that the country is a strong partner for the U.S. in the fight against cybercrime and authorities there are making the effort to deny criminals a safe harbor," says John Hultquist, vice president of analysis at Mandiant Threat Intelligence. "This is especially relevant as presidents Biden and Putin discuss the state of cyberthreats emanating from Russia, including the ransomware threat, which has increasingly threatened critical infrastructure and the everyday lives of people around the world."
Clop runs a ransomware-as-a-service operation. It offers a portal that affiliates can use to generate crypto-locking malware and then infect victims. Every time a victim pays, the operator and affiliate share the profits.
"Clop ransomware has been active since February 2019 and targets large organizations for big game hunting," says Kim Bromley, a senior cyber threat intelligence analyst at threat intelligence firm Digital Shadows. Big game hunting refers to targeting bigger victims and seeking larger ransom payouts, including charging twice - once for a decryptor and again for a promise to delete stolen data.
Experts say Clop's attacks have reached far and wide. "The Clop operation has been used to disrupt and extort organizations globally in a variety of sectors including telecommunications, pharmaceuticals, oil and gas, aerospace and technology," says Mandiant's Hultquist.
A major user of Clop has been a group Mandiant designates as FIN11, which regularly wages ransomware attacks and extortion campaigns. "But it is unclear if the arrests included FIN11 actors or others who may also be associated with the operation," Hultquist says.
Threat intelligence firm Intel 471 classifies Clop as being one of the top 15 ransomware operations, but not in the top tier, which includes Egregor, DopplePaymer, REvil - aka Sodinokibi - and Ryuk. Clop was especially active at the beginning of the year, according to ransomware incident response firm Coveware.
"Clop's reported activity level is relatively low when compared with the likes of REvil - aka Sodinokibi - or Conti," says Digital Shadows' Bromley.
Arrests Snare Small Fish?
Some cybercrime watchers say that the arrested suspects do not appear to be core members of Clop, aka Cl0p.
"The law enforcement raids in Ukraine associated with Clop ransomware were limited to the cash-out/money laundering side of Clop's business only," according to Intel 471. "We do not believe that any core actors behind Clop were apprehended and we believe they are probably living in Russia."
Individuals associated with a gang who handle the cashing out of attacks, including money mules, as well as money laundering, tend to be easily replaced, experts say.
Even so, the disruption of Clop's operations may drive the group's core members to lay low.
"The overall impact to Clop is expected to be minor, although this law enforcement attention may result in the Clop brand getting abandoned as we've recently seen with other ransomware groups like DarkSide and Babuk," Intel 471 says.
Pace of Disruptions Increasing
The announcement that individuals tied to the Clop operation were arrested follows the Avaddon operation on Friday claiming to have retired and releasing for free all of the private keys used to encrypt victims' systems (see: 'Fear' Likely Drove Avaddon's Exit From Ransomware Fray).
Clearly, more law enforcement agencies are gunning for ransomware operations. "With Avaddon, NetWalker, Babuk and Clop all having retired, been disrupted or altered their business model, the ransomware landscape is going through what’s probably its biggest-ever shakeup," says Brett Callow, a threat analyst at security firm Emsisoft.
"For a long time, groups have operated with almost complete impunity, but that’s finally starting to change," he says. "Successful law enforcement action doesn’t only take the targeted threat actor out of action, it also has a deterrent effect, and that’s exactly what we need."
Ransomware refers to a broad constellation of crimes, which can include crypto-locking malware, but also digital extortion, including exfiltrating data from victims before forcibly encrypting their systems. Many ransomware gangs, including Clop, run dedicated data leak sites designed to increase the pressure on victims to pay.
Any victim who declines to pay a ransom can find themselves "named and shamed" on the data leak site. Continued nonpayment may lead to a ransomware operation leaking stolen details. If victims still won't pay, criminals often dump all stolen data for download by anyone, as a lesson to future victims.
As of Wednesday, no reference to the arrests in Ukraine had been posted to the "Clop leaks" site.
Zero-Day Accellion FTA Attack
Unusually, Clop came into possession of a massive trove of exfiltrated data that had been stolen from organizations using Accellion File Transfer Appliance via a sophisticated attack. It then used that data to shake down victims.
Here's how: Someone - it's not clear who - reverse-engineered the nearly 20-year-old FTA code and launched a zero-day attack against users last December, targeting two flaws they had discovered that allowed them to steal all data being stored on the devices. After Accellion patched those flaws, in January, attackers targeted two more, which the vendor also quickly patched.
But numerous organizations using Accellion FTA fell victim to the attacks, and their stolen data found its way onto Clop's data leak site, with the operation demanding a ransom be paid for its removal and promised deletion.
Accellion users whose systems were breached by FTA-targeting attackers, and whose data later appeared on the Clop data leak site, include Australia's securities regulator ASIC, government agency Transport for New South Wales, QIMR Berghofer Medical Research Institute and security firm Qualys.
None of those organizations reported that their Accellion data had been crypto-locked. But the National Police of Ukraine claims that "the defendants attacked and encrypted the personal data of employees and financial reports of Stanford University Medical School, the University of Maryland and the University of California." Both Stanford and the University of Maryland have confirmed that they were victims of the Accellion FTA attacks, resulting in data being stolen, but did not state that any data had been crypto-locked.