Ukrainian authorities take down Clop ransomware group

With the help of international partners, Ukraine seizes control of a dangerous ransomware gang's servers

Recent raids by a joint operation group resulted in Clop ransomware takedown

In a released statement^[1] on June 16, 2021, Ukrainian law enforcement agencies have revealed that in partnership with Interpol, and institutions from Korea and the U.S., they have arrested 6 members of the infamous Clop ransomware gang. In addition, the Cyberpolice Department of the Ukrainian National Police also stated that they've taken down the infrastructure used to employ attacks globally.

According to sources, the joint authorities' operation resulted in raids on 21 residences in the country's capital Kyiv and nearby towns. During them, dozens of computers, smartphones, luxury vehicles (Tesla's, Mercedes AMG63, etc.), and over 5 million in local currency hryvnias (approx. $185,000) were seized.

Law enforcement agencies seized the defendants' homes and reportedly took down the gang's server infrastructure used for cyberattacks. However, their page to leak information stolen from victims if they don't pay the demanded ransom is still operational.^[2] All apprehended cybercriminals face up to eight years in prison for violating various laws, including ransomware attacks and money laundering.

Clop ransomware group attacked high-profile targets

Cybersecurity analysts first spotted Clop ransomware^[3] activity in 2019. What made the group's attacks famous is that they used a double extortion scheme, where the victims are threatened that if they don't forward the demanded amount in cryptocurrency, the assailants will release the confidential data downloaded before the encryption, on the internet, in particular, the dark web portal CL0P^-LEAKS.

Unlike other ransomware groups that target regular people and demand small ransoms, the Clop gang attacked only high-profile targets and asked for huge amounts of money. Some of the most notable victims were:

• ExecuPharm,
• Accellion,
• Qualys,
• E-Land,
• Software AG IT,
• The University of California,
• Indiabulls, Maastricht University,
• The University of Maryland,
• Stanford University Medical School.

With the released statement, the Cyberpolice Department of the Ukrainian National Police also uploaded a montage video of the raids on the alleged criminal residences. Korean law enforcement operatives are seen on the spot. That's no surprise, as last year, the Clop ransomware group attacked Korea's e-commerce giant E-Land.^[4]

The incident crippled the company's functionality for days, and the criminals managed to obtain over 2 million credit cards belonging to the retailer's customers. Ukrainian police representative has stated that the damage of the ransomware group attacks could reach approximately $500 million.

Fearful of the same consequences, the Avaddon ransomware group shuts down its operations

In the midst of all the recent international government agencies' sting operations against cybercriminals groups, one of the prolific gangs, the Avaddon ransomware-as-a-service (RaaS) hackers, have quit their dirty business.^[5] Until then, they were actively attacking various sectors (Energy, financial, government, etc.) in different countries, including Germany, the U.S, France, India, Australia, and many others.

What might have pushed the cybercriminals into early retirement was the released alert^[6] by the Australian Cyber Security Centre and the FBI. It contained various details about the group's activity and peculiarities of their ransomware attacks.

But the Avaddon group criminals showed their benevolence by not taking their victims down with their dirty empire. Instead, they've released almost 3,000 decryption keys, with each of them belonging to an individual ransomware victim so they could unlock their precious data.