June 16, 2021

Authorities in Ukraine this week charged six people alleged to be part of the CLOP ransomware group, a cybercriminal gang said to have extorted more than half a billion dollars from victims. Some of CLOP’s victims this year alone include Stanford University Medical School, the University of California, and University of Maryland.

A still shot from a video showing Ukrainian police seizing a Tesla, one of many high-end vehicles seized in this week’s raids on the Clop gang.

According to a statement and videos released today, the Ukrainian Cyber Police charged six defendants with various computer crimes linked to the CLOP gang, and conducted 21 searches throughout the Kyiv region.

First debuting in early 2019, CLOP is one of several ransomware groups that hack into organizations, launch ransomware that encrypts files and servers, and then demand an extortion payment in return for a digital key needed to unlock access.


CLOP has been especially busy over the past six months exploiting four different zero-day vulnerabilities in File Transfer Appliance (FTA), a file sharing product made by California-based Accellion.

The CLOP gang seized on those flaws to deploy ransomware to a significant number of Accellion’s FTA customers, including U.S. grocery chain Krogers, the law firm Jones Day, security firm Qualys, and the Singaporean telecom giant Singtel.

Last year, CLOP adopted the practice of attempting to extract a second ransom demand from victims in exchange for a promise not to publish or sell any stolen data. Terabytes of documents and files stolen from victim organizations that have not paid a data ransom are now available for download from CLOP’s deep web site, including Stanford, UCLA and the University of Maryland.

CLOP’s victim shaming blog on the deep web.

It’s not clear how much this law enforcement operation by Ukrainian authorities will affect the overall operations of the CLOP group. Cybersecurity intelligence firm Intel 471 says the law enforcement raids in Ukraine were limited to the cash-out and money laundering side of CLOP’s business only.

“We do not believe that any core actors behind CLOP were apprehended, due to the fact that they are probably living in Russia,” Intel 471 concluded. “The overall impact to CLOP is expected to be minor although this law enforcement attention may result in the CLOP brand getting abandoned as we’ve recently seen with other ransomware groups like DarkSide and Babuk” [links added].

While CLOP as a moneymaking collective is fairly young organization, security experts say CLOP members hail from a group of Threat Actors (TA) known as “TA505,” which MITRE‘s ATT&CK database says is a financially motivated cybercrime group that has been active since at least 2014. “This group is known for frequently changing malware and driving global trends in criminal malware distribution,” MITRE assessed.

31 thoughts on “Ukrainian Police Nab Six Tied to CLOP Ransomware

  1. JamminJ

    Interesting to see South Korean law enforcement alongside Ukrainians during the raids.

    1. Jon Marcus

      Yeah, looks like CLOP hit both US and South Korean targets, so law enforcement from both countries worked alongside the Ukrainians.

      1. JamminJ

        “Bad boys, bad boys, whatcha gonna do?!”

    1. JamminJ

      Good find.

      Here is the original study (not a syndicated article techspot > zdnet)

      It is hard to pin down the details for this kind of thing. I would think that most of these “reinfections” are because of poor Incident Handling (Containment and Remediation).

      The companies that get hit with ransomware, already have some flaws in their security posture. And those who pay the ransom, are often lacking in Disaster Recovery processes, so they feel that restoring from backups is harder/costlier than just paying up.
      So it stands to reason, that many who pay the ransom, are “reinfected” “likely by the same attacker”… because they never fully eradicated the ransomware in the first place.

      Many don’t know this, but even well designed ransomware, may not decrypt with the key. If someone tries to restore from backup, and starts mucking up the filesystem… then yeah, corruption will happen. Once encrypted, many file backup/restore schemes don’t work the same. And victims wind up getting hosed. How many organizations know to create a bit for bit backup of the encrypted files AFTER infection, and BEFORE they try to restore?
      Many companies don’t run full restoration tests during a DR exercise… so they don’t realize that it’s common for data to be corrupt just by chance.

      Then there is poorly designed ransomware… which may emphasis speed of encryption over fidelity. Lots of things happen on a running system that can interfere and corrupt data when things are encrypting. And it’s not like restoring from encrypted backups on a RAID, where normal corruption can be fixed. Ransomware doesn’t, and cannot, take its time for redundancy.

      Paying a ransom is always a lottery. Not only are you betting on the goodwill and reputation of anonymous criminals, but also betting on your own organization’s technical capabilities during the response. Lots of places to mess up.

  2. ralph seifer

    My financial site says Danaher has a market cap of more than $170B. Very hard to believe that companies of this size don’t have belt-and-suspenders protection to this kind of incursion.

  3. n10cities

    Everyone talks about how wonderful crypto-currency is…blah, blah, blah……

    But what do we find when these perps are raided? Cold hard cash….. smh

    1. JamminJ

      Um… do you expect to see a physical cryptocurrency wallet being raided in the YouTube video?

      From The Hacker News:
      “The ransomware attacks amount to $500 million in monetary damages, the National Police said, noting that “law enforcement has managed to shut down the infrastructure from which the virus spreads and block channels for legalizing criminally acquired cryptocurrencies.”
      Law enforcement officers are said to have conducted 21 searches in the Ukrainian capital and Kyiv region, including the homes of the defendants and their cars, resulting in the seizure of computer equipment, cars, and 5 million hryvnias ($184,679).”

      You would see the cash and the cars… but they are only going to show you the outside of the computers, not the cryptocurrency that would be inside.

      This is how these criminals operate. Cryptocurrency is just an intermediary. Victims buy bitcoin to pay the ransom, and the criminals tumble/launder the cryptocurrency, removing that ‘traceability’ that people love to talk about. Then they use cash, because that’s the real currency that has global value beyond just intermediary.

      1. Fiat

        Cash has no global value beyond being an intermediary for an ascribed value either.
        You don’t have to attempt to explain everything to everyone. It’s not necessary.

        1. JamminJ

          An intermediary for another currency is different than an intermediary for something with value like goods and services.

  4. The Sunshine State

    It looks like these cyber-criminals use both Mac computers and IPhone’s

  5. Max

    “a cybercriminal gang said to have extorted more than half a billion dollars from victims”

    Why is this still legal? It seems bad that major U.S. corporations are voluntarily funding crime.

    1. JamminJ

      Nobody volunteers be a victim of crime.

      If the government forbids paying a ransom, then the government will be responsible for the loss.

      Same reason why they’ll never make it illegal to pay a kidnapping ransom, because if the kidnappers commit murder when they don’t get paid, the blood is on the hands of the government too.

      Instead of victim blaming and knee-jerk reactions such as “let’s just have a Prohibition on something”… Let’s think about real solutions to the problem.

      1. Max

        Nice troll…you had me going for a minute. But nobody is that stupid.

      2. Steve Friedl

        > Nobody volunteers be a victim of crime.

        Sure, people do this *all the time*, and it’s not blaming the victim to say that their behavior contributed to a situation’s development.

        If I walk into the 7-11 to grab something but leave my keys in the ignition, I don’t “deserve” to have my car stolen, and in no case does it mitigate the guilt of the thief, but it’s not blaming the victim to state that I could have made better choices.

        Nevertheless, I’m sympathetic to the notion that payments to criminals shouldn’t be allowed, but the alternative – in some cases – is for a business to simply go under if they cannot recover. That’s a pretty high penalty for running a sub-optimal IT shop.

        One way to help set incentives properly is for the IRS to deem ransomware payments not a valid business expense and therefor not deductible for tax purposes.

        This would change the *economics* of ransomeware some, and perhaps change budget priorities at the C level.

        1. BrianKrebs Post author

          Excellent perspective, Steve, thank you for your comment. I happen to agree with you.

          It’s amazing how tax issues can trip up money laundering activity. Obviously, there’s Capone’s organization. But also embezzlers. A few years back at a conference the guy speaking after me was a former investigator for the IRS, and for a while they had trouble getting companies to come forward with useful information when a former employee at some company was found to have stolen millions of dollars. The companies didn’t want to prosecute because they didn’t want the matter in the news. And the guys said that’s fine, just report them to the IRS for income tax evasion: They’ll likely spend the rest of their adult life in prison.

        2. JamminJ

          Thank you for the thoughtful and civil response, Steve.

          We actually agree here. But first, some clarification.
          When I said that nobody volunteers to be a victim of crime, I meant it in the strict sense of intending to be victimized. So insurance fraud would be the notable exception.
          While neglect does invite crime, it’s not the same as volunteering to be a victim.
          So while contribution to the crime should be taken into account, that is very different than some proposals of that seek to penalize the victim further, because they were “asking for it” by “dressing like that” “poor security posture”.

          Where we all seem to be on the same page, is that we agree that there should be consequences and penalties for negligence.
          Cybersecurity insurance is a growing field that I have serious qualms about. I think it does breed complacency and incompetence. Insurance can be useful, but should never incentivize poor security posture. Furthermore, it definitely should never pay out money to pay a ransom.

          Companies should indeed risk bankruptcy on a major breach. I just think that a law forbidding ransom payments, will simply compound the problem.
          Just like our history of prohibition has done countless times, it will simply move the market underground decreasing transparency and oversight.

          We absolutely need companies to come forward and report when they are breached. For various reasons, such as investigating nation state attacks, broader criminal investigations, informing other organizations about vulnerabilities and attack patterns, etc.
          Many companies will simply break the law quietly rather than overtly sacrifice their business.

    1. Eric

      True, but The Register missed this opportunity too. The are supposed to be the masters of this wordplay.

    2. dvv

      [in the Pulp Fiction waitress tone] “Clop (клоп)” means “bedbug”.

  6. Smallproxy

    Why they bragging about arresting small proxy criminals ?
    What about real organizers on wall street ?
    Too late instutuinal sellers all ready selling dirty bitcoins.
    Nobody dont touch the big guys they pretent to be legit and clean.

    1. SeymourB

      Come on man, if you’re going to practice whataboutism, at least put some effort into it.

  7. BTCMaster

    It looks they forgot its air tickets to El Salvador

  8. IDTS

    You’re advocating the status quo, they can go to authorities anytime.

    They are effectively committing conspiracy to launder money for fraudsters, agreeing to that. Duress is a mitigation but it’s still not something we need to entirely tolerate to get increased compliance on reporting. All carrot, no stick approach doesn’t work as the status quo demonstrates. If there is a pointed risk to their business / reputation by paying ransoms secretly also, as instead of working with authorities to possibly defeat the attack outright if possible and pay as a last resort (as authorities can allow individually, maybe even intervene or trace) that gives companies incentive to report early and get helped out. Unless they’re a shady company already with skeletons in the books this is a no brainer risk avoidance. They may even get the money back. All the tactic of hands-off acceptance is doing is encouraging more attacks with no guaranteed benefit even in the single incident. That can’t always be avoided but it’s no strategy to just allow this to go on like it is. Couldn’t disagree with you more.

    1. IDTS

      Above was supposed to be nested in a reply, somehow it didn’t go there.

    2. JamminJ

      I don’t think that’s the reality of the situation at all. It’s not like there’s no requirement to report data breach or intent to pay a ransom. Companies still have to report to authorities. Not just because private user data may have been breached, which would bring in laws such as gdpr and ccra. But also because making any type of payment in excess of certain amounts would absolutely need to be accounted for.

      However, making it a requirement for the government to get involved, and grant permissions before paying a ransom, is not going to work. These companies are still going to pay, but now they are just going to hide even more of their dealings.
      We are taking it for granted that these companies are in the news, cuz Allah that prohibits Ransom payments is going to only SEEM like it’s being effective, but really it’s just going underground.

      “effectively committing conspiracy to launder money for fraudsters, agreeing to that”
      That’s not at all how any of this works.
      Words like conspiracy and launder and fraudster, have a specific meanings in the criminal justice system. And it’s stretching the truth to even compare.

      Always bring it back to comparing to kidnapping. Because that’s the typical case of Ransom. Victims are told not to go to the police, but if they do at least report the crime, it’s not illegal to be a victim of extortion. And it does not make them complicit.

      I understand how people disagree, and I see your point. Lots of people are more agreeable to criminalizing Ransom payments these days. But mainly because ransomware has become such a scourge and the victim companies are corporations difficult to sympathize with.

      But I still challenge anyone to come up with real world case law, examples of extortion victims being charged with a crime or even civil penalties.

      1. JamminJ

        Speech to text fail…
        “cuz Alla” should be “any law”

Comments are closed.