Police Bust Major Ransomware Gang Cl0p

Police in Ukraine announced they arrested members of the ransomware gang that called itself Cl0p, seizing computers and cash in a major international operation.
June 16, 2021, 1:18pm

The Ukrainian police, in collaboration with Interpol and law enforcement agencies from South Korea and the United States, have arrested members of the infamous ransomware group known as Cl0p, according to a press release from Ukrainian police. 


On Wednesday, the Cyber-Police Department of the National Police of Ukraine announced the arrests, referring to six defendants, and said it conducted 21 searches in the homes of the alleged hackers and in their cars in and around Kiev. The cops said they confiscated 500 million Ukrainian hryvnia (roughly $180,000), computers, and cars.

The police published a video of the busts, which shows local law enforcement agents, as well as Korean agents, entering the houses of the suspects, going through their belongings, and counting cash. The video also shows officers attempting to access devices using gear from Cellebrite, the Israeli digital forensics company. 

It's unclear how many people were arrested, and whether the arrests hit the main developers and hackers behind the gang. As of Wednesday morning, Cl0p's dark web site was still online. 

The Ukraine cyber police said in an email to Motherboard that it “identified six criminals,” but “cannot name the people involved and other details, except those mentioned in our publication, so as not to harm the investigation.”

In the last few months Cl0p hit dozens of victims, encrypting their files and demanding a ransom. More recently, the hackers were trying to extort their victims by threatening to leak their files publicly on their dark web site, which displays 57 companies as of Wednesday. 


These victims include: oil giant Shell, security company Qualys, U.S. bank Flagstar, the controversial global law firm Jones Day, Stanford University, and University of California, among several others. The hackers were able to hack some of these victims by taking advantage of a flaw in Accellion File Transfer Appliance (FTA), a file-sharing service used by around 300 companies all over the world, according to Accellion.


Security researchers have tracked Cl0p for years, and have described the gang as a "criminal enterprise" that is "ruthless," "sophisticated and innovative," "well-organized and well-structured," and "very active—almost tireless."

When Motherboard profiled the group in April, some of the researchers who tracked them for years predicted that the gang would not last long. 


"It's only a matter of time before they make a mistake which will help [law enforcement] to identify its members," said Antonis Terefos, a researcher at SentinelOne who has studied the group.

Researchers from Talon, a division of South Korean cybersecurity company S2WLAB, which also tracked Cl0p, said that “if criminals keep doing something, no matter how quietly, in the end they would be caught.”

“Recently there are tons of ransomware gangs and stealer operators,” researchers said in an email to Motherboard. “We will keep tracking them and analyze the crime until they make decisive mistakes.”

Do you have knowledge of the inner workings of Cl0p or another ransomware gang? We’d love to hear from you. Using a non-work phone or computer, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, lorenzofb on Wickr, OTR chat at lorenzofb@jabber.ccc.de, or email lorenzofb@vice.com
