Ukrainian police sabotage Cl0p ransomware operation


Security experts say that a growing number of such actions in recent months may eventually scare some operators out of the business, but the threat is far from over.

Ukrainian law enforcement officials have arrested six members of the Cl0p ransomware group, which was recently linked to the attack on the Stanford University School of Medicine and to victims of an earlier intrusion at the corporate firewall company Accellion.

In a press statement on Wednesday, Ukrainian cyber police described the arrests as an international operation involving law enforcement authorities from South Korea, the United States, and Interpol. As part of the operation, Ukrainian police searched 21 residences in the capital Kiev and the surrounding region.

A video of the takedown operation shows that during the raids, officials confiscated multiple luxury cars, computers and approximately US$185,000 in cash. In at least one instance, armed police can be seen using what appears to be a gas-powered cutting tool to open a locked door. In an earlier clip of the video, the police can be seen preparing to use the same gas cutter before someone voluntarily opens the door. The video also appeared to show South Korean police officials observing the raid.

It is not clear whether the six arrested were the leaders of the operation or lower-level affiliates. Ukrainian police claimed that the Cl0p group caused more than US$500 million in damage to organizations around the world, including in South Korea and the United States. The six have been charged under Ukrainian law with unauthorized access to computers, automated systems and telecommunications networks. They are also accused of laundering money obtained through criminal means. If convicted on all charges, they face up to eight years in prison.

The U.S. Department of Justice did not immediately respond to Dark Reading's request to confirm the U.S. involvement in the takedown described in the report.

The Cl0p arrests add to a string of recent successes by international law enforcement agencies against cybercrime groups, beginning with the takedown of the infamous Emotet botnet operation in early January. That action led to a significant reduction in malware, exploit, and botnet activity in the first quarter of 2021, though security experts said they expect the calm to be temporary. In the same week that Emotet was taken down, US authorities announced that they had seized a dark web site, arrested a Canadian national, and recovered US$500,000 in stolen funds connected to the Netwalker ransomware operation.

Other notable actions against cyber gangs in recent months include the takedown of the Egregor ransomware group by Ukrainian and French authorities in February of this year. In June, just days after Colonial Pipeline confirmed that it had paid more than $4 million to the DarkSide ransomware group following a serious attack, US authorities announced that they had recovered approximately $2.3 million of the ransom.

Few expect the series of arrests and takedowns to significantly slow ransomware attacks in the short term. But they do appear to have made at least some criminal groups reconsider their strategies.

(Photo: Ukrainian Cyber ​​Police)

Kim Bromley, senior cyber threat intelligence analyst at Digital Shadows, cited the recent decision by Avaddon, a ransomware-as-a-service (RaaS) group, as an example. Earlier this month, the group said it would shut down its operation because of concerns about law enforcement and handed the decryption keys for 2,000 victims to a technology news website.

Another ransomware operator, “Ziggy,” made a similar exit decision earlier this year for the same reason. DarkSide, the group behind the Colonial Pipeline attack, announced its withdrawal after its Bitcoin holdings and servers were seized.

Make criminals think twice
The fallout from the Colonial Pipeline hack — and subsequent reports that the United States would treat ransomware attacks with the same priority as terrorist attacks — also recently prompted some well-known underground forums to ban ransomware and RaaS advertising, sales, and related activity on their sites.

“While these arrests may make some ransomware operators think twice, the threat of law enforcement actions is unlikely to be enough to stop them completely,” Bromley said. “For many cybercriminals, the possibility of arrest is an acceptable risk, and they will often change their strategies to avoid detection.”

She also said that ransomware attacks are unlikely to slow down immediately because of the recent law enforcement actions. Law enforcement agencies and governments therefore need to build on their momentum by publicizing every action taken against ransomware.

“Every mention reminds ransomware operators that pressure is increasing,” she said.

Although the Cl0p ransomware operation is relatively well-known, it is considered smaller than other groups, such as those behind REvil (aka Sodinokibi), Maze, Conti, and Netwalker. Industry analysts therefore believe that the group's departure — if that is the result of this week's arrests — is unlikely to drastically change the volume of attacks.

“Although these takedowns, which usually target the most active ransomware groups, will have a short-term impact on disrupting ransomware operations, historically the vacuum left by these groups has quickly been filled by others,” said Andras Toth-Czifra, senior analyst at Flashpoint, which has been tracking Cl0p's activities.

He said one problem is that although Ukraine and other countries are willing to cooperate with the United States on takedown operations, the Russian authorities, in whose jurisdiction a large share of ransomware activity takes place, are not. Toth-Czifra said it is significant that news of the arrests broke on the day of the Geneva summit.

“We know that cybersecurity issues were raised in the exchange between President Biden and President Putin,” he said.

Toth-Czifra said that if it turns out the arrests in Ukraine did not cripple Cl0p's main infrastructure because it is located in Russia, that will show whether the latter has taken a more cooperative stance toward ransomware operators.

Oliver Tavakoli, CTO of Vectra, said the recent efforts by law enforcement agencies represent a good start toward dismantling the ransomware economy over the long term.

“When the likelihood of impact increases, fewer people are attracted to the ransomware business,” Tavakoli points out.

He added that actions such as infrastructure takedowns and ransom recovery reduce the profits of ransomware and attract fewer people into the ecosystem.

“To make this curve bend in a positive direction requires concerted and long-term efforts, but these efforts represent a reliable start,” Tavakoli said.

Jai Vijayan is an experienced technology journalist with more than 20 years of experience in the IT trade press. He most recently served as senior editor at Computerworld, where he covered information security and data privacy issues for the publication. In the course of his 20 years…
