Operation Cyclone ending with Clop ransomware gang arrests

A thirty-month international operation targeted ransomware creators and ended in six arrests in Ukraine back in June

Operation Cyclone details revealed. Clop ransomware targets operations involving Interpol and other law enforcement agencies

Further details have been revealed about Operation Cyclone, which was designed to stop the activities of the Clop ransomware creators.[1] Ukrainian police arrested six suspects in 20 raids back in June. At that time, police seized computers, cars, other technology devices, and around $185,000.[2] Over the weekend, new details came out revealing how the operation was carried out and how law enforcement agencies got involved.

Interpol's Cyber Fusion Centre started this operation named Operation Cyclone[3] in Singapore. The operation also involved Ukrainian and US law enforcement agencies. Clop ransomware[4] was targeted after numerous campaigns launched against companies in the US and Korea.

The suspects are thought to have facilitated the transfer and cash-out of assets on behalf of the ransomware group whilst also threatening to make sensitive data public if additional payments were not made.

Threat actors released the malware onto systems belonging to academic institutions, companies, and businesses, and encrypted devices for extortion purposes. Organizations were asked for payment in exchange for file recovery and were also blackmailed with claims that the stolen data could be leaked online if the payment was not transferred in time.

One of the major incidents took place in December 2020, when the Clop virus was released against E-Land Retail in South Korea[5] and caused 23 out of 50 stores to temporarily close. Later the group claimed to have stolen at least 2,000,000 credit cards from the company with the help of point-of-sale malware.

Escalating ransomware attacks lead to law enforcement targeting threat groups

Critical infrastructure, healthcare, businesses, government infrastructure, and education-related institutions are targeted by ransomware, and these attacks keep growing in consequences, number of affected people, or financial losses. This is why law enforcement has focused on investigating criminal operations even more over the last year.

These campaigns and operations against ransomware have already resulted in arrests and shutdowns of cryptocurrency-extortion-based threat gangs. Infrastructure related to cybercriminals has been taken down more often recently. However, many threat actors manage to evade detection and remain active with their blackmail campaigns.

Netwalker ransomware was shut down, and arrests took place in Canada. Egregor ransomware was taken down, and its creators were also arrested. Twelve individuals responsible for ransomware distribution against 1,800 victims were arrested last month. Other major threats such as REvil and BlackMatter ransomware were also terminated by law enforcement operations.[6]

Recent Clop attacks used vulnerabilities

The last attack associated with Clop ransomware combined zero-day vulnerabilities and a new web shell to affect at least 100 companies. Malicious actors used flaws in the Accellion secure file transfer gateway to steal private and confidential files. This campaign also involved the FIN11 threat group alongside the Clop gang. However, the ransomware was not launched in this campaign.

A $10 million ransom was demanded, and since the transfer was not made, criminals publicly released personal information belonging to numerous attendees of different universities and colleges. These Accellion attacks targeted US educational institutions: the University of Colorado, University of California, University of Miami, and University of Maryland Baltimore.

The six suspects arrested back in June were allegedly linked to a Russian-language cybercriminal gang. Attacks aimed at various infrastructures and shutdowns of those companies cause major consequences in various industries. If convicted, these criminals can face up to eight years in prison.

About the author
Ugnius Kiguolis
Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.