
6 suspected Clop ransomware gang members arrested in Ukraine

The impact of the arrests is unknown: Clop's ransomware leak site remains online, and the scale of the gang's current operation is also unclear.

The Clop ransomware gang has potentially taken a major blow, as six alleged members were arrested by Ukraine's National Police in a joint law enforcement operation between Ukraine, the United States and South Korea.

Ukraine's National Police issued a press release Wednesday stating that it and the Ukrainian Cyberpolice conducted the local investigation, carrying out 21 searches of Clop suspects' residences and cars in Kyiv and nearby areas. According to the press release, cars, computer equipment and a total of approximately 5 million hryvnias (about $185,000) were seized from the suspects.

Clop (also known as Cl0p), which has been active since early 2019, has extorted hundreds of millions of dollars from organizations and individuals since its inception. The Eastern European gang uses the now standard double-extortion tactics of modern ransomware: it encrypts the victim's files and threatens to publish stolen data on the gang's leak site if the ransom is not paid. Clop's leak site was launched in March 2020, about a year after its earliest known attack.

The Clop law enforcement operation was conducted in collaboration with South Korean and U.S. police.

Two of the largest attacks the group has been tied to are the ransomware attack against German enterprise software vendor Software AG and the breach of cloud service vendor Accellion, in which vulnerabilities in Accellion's legacy File Transfer Appliance (FTA) were exploited to steal data from the vendor's customers.

The gang is accused in the press release of attacking four Korean companies in 2019, encrypting 810 internal servers and employee personal computers in the process. Clop is also accused of attacking Stanford University's School of Medicine, the University of Maryland and the University of California with ransomware.

SearchSecurity asked Ukraine's National Police and Cyberpolice for clarification on this second accusation, as a ransomware attack on those universities conducted by Clop had not been previously reported. In addition, the University of Maryland and Stanford both attributed their breaches to the Accellion incident, which involved data theft rather than file encryption. Neither agency responded to SearchSecurity's emails.

The arrests were seemingly not a complete takedown of the gang, as Clop's ransomware leak site remains online. The extent of the damage done to Clop's operations is not yet known.

Alexander Culafi is a writer, journalist and podcaster based in Boston.
