The notorious Clop ransomware operation appears to be back in business, just days after Ukrainian police arrested six alleged members of the gang.
Last week, a law enforcement operation conducted by the National Police of Ukraine, along with officials from South Korea and the U.S., saw the arrest of multiple suspects believed to be linked to the Clop ransomware gang. It’s believed to be the first time a national law enforcement group carried out mass arrests involving a ransomware group.
The Ukrainian police also claimed at the time to have successfully shut down the server infrastructure used by the gang. But it doesn’t seem the operation was completely successful.
While the Clop operation fell silent following the arrests, the gang has this week published a fresh batch of confidential data which it claims to have stolen from two new victims — a farm equipment retailer and an architects office — on its dark web site, seen by TechCrunch.
If true — and neither of the alleged victims responded to TechCrunch’s request for comment — this would suggest that the ransomware gang remains active, despite last week’s first-of-its-kind law enforcement sting. This is likely because the suspects cuffed included only those who played a lesser role in the Clop operation. Cybersecurity firm Intel 471 said it believes that last week’s arrests targeted the money-laundering portion of the operation, with core members of the gang not apprehended.
“We do not believe that any core actors behind Clop were apprehended,” the security company said. “The overall impact to Clop is expected to be minor, although this law enforcement attention may result in the Clop brand getting abandoned as we’ve recently seen with other ransomware groups like DarkSide and Babuk.”
Clop appears to still be in business, but it remains to be seen how long the group will remain operational. Not only have law enforcement operations dealt numerous blows to ransomware groups this year, such as U.S. investigators’ recent recovery of millions in cryptocurrency they claim was paid in ransom to the Colonial Pipeline hackers, but Russia has this week confirmed it will begin to work with the U.S. to locate cybercriminals.
Russia has until now taken a hands-off approach when it comes to dealing with hackers. Reuters reported Wednesday that the head of the country’s Federal Security Service (FSB) Alexander Bortnikov was quoted as saying it will co-operate with U.S. authorities on future cybersecurity operations.
Intel 471 previously said that it does not believe the key members of Clop were arrested in last week’s operation because “they are probably living in Russia,” which has long provided safe harbor to cybercriminals by refusing to take action.
The Clop ransomware gang was first spotted in early 2019, and the group has since been linked to a number of high-profile attacks. These include the breach of U.S. pharmaceutical giant ExecuPharm in April 2020 and the recent data breach at Accellion, which saw hackers exploit flaws in the IT provider’s software to steal data from dozens of its customers including the University of Colorado and cloud security vendor Qualys.