Last week, police in Ukraine announced that they had arrested several members of the infamous ransomware gang known as Cl0p. The arrests were seen as a victory against a hacking gang that has hit dozens of victims in the last few months, including U.S. bank Flagstar, law firm Jones Day, Shell, and some universities in the U.S.
But less than a week later, hackers associated with the gang posted data they claim was stolen from a new victim on their dark web site. This new leak, designed to pressure the company to pay the money the hackers are asking for, shows that the arrests in Ukraine have not slowed down the hackers. It is unclear when the new company was hacked and whether this was data that had been hacked before the arrests but hadn't been posted until now, or whether it was a new hack altogether. Either way, it indicates that the group is still active in some way.
"The fact that data has been posted suggests that the action by the Ukrainian police may not have involved core members of the threat group or completely disrupted their operations," Brett Callow, a security researcher at Emsisoft, which specializes in tracking ransomware, said in an email.
The hackers did not immediately respond to an email sent to the address publicized on their site.
Last week, the Cyber-Police Department of the National Police of Ukraine said in an email to Motherboard that it had “identified six criminals,” but refused to answer any specific questions about the people arrested “so as not to harm the investigation.”
The police said it conducted 21 searches in the homes of the alleged hackers and in their cars in and around Kiev. The cops said they confiscated 500 million Ukrainian hryvnia (roughly $180,000), computers, and cars.
The police did not immediately answer an email asking for comment on Tuesday.
Now that Cl0p has resurfaced, it's clear that the arrests have not hit the core group that runs the criminal enterprise, which researchers in the past have called "ruthless," "sophisticated and innovative," "well-organized and well-structured," and "very active—almost tireless."
In other words, the fight against Cl0p is far from over.