Six people suspected of participation in the cybercriminal group Clop have been identified, the Ukrainian authorities announced in a press release on Thursday (June 16), without specifying the number of arrests carried out in connection with this affair. Clop, also known as Cl0p, is the name of a ransomware strain: malicious software deployed by cybercriminals on the computer networks of companies and institutions, which paralyzes infected computers by encrypting the files on the machines. The software then displays a ransom note to its victims, who are offered decryption software in exchange for sums of up to tens of millions of dollars.
Like other ransomware crime groups, Clop exfiltrates stolen data and gradually releases it on the dark web in order to put pressure on targeted businesses and organizations. Ukrainian police say they have now managed to shut down the infrastructure used by the hackers to “spread the virus”. The Clop site, used to publish its victims' data, was however still online early Wednesday afternoon.
At the origin of the cyberattack against the Rouen University Hospital
According to the National Information Systems Security Agency (Anssi), Clop appeared in February 2019 as a variant of an earlier ransomware named Cryptomix or CryptXXX, spotted in 2016. Clop’s methods have evolved significantly over time. Initially, the group did not practice double extortion, the method of stealing victim data and publishing it, but Clop eventually adopted this aggressive practice, like many other ransomware operators. Another sign of this evolution: in recent months, Clop's operators have not hesitated to contact employees of victim companies directly, to encourage them to pressure their management into paying the ransom.
Several experts suspect Clop of being operated by a well-known cybercriminal group named TA505, which, according to the French authorities, appeared in 2014. In particular, according to Anssi, technical links have been found between the Clop ransomware and at least two tools used by TA505, Amadey and FlawedAmmyy.
Ukrainian cyberpolice estimates the damage caused by the group at more than 412 million euros
It was the TA505 group that, at the end of 2019, used the Clop ransomware to attack the Rouen University Hospital, paralyzing its computer systems for several hours in what was then the first major attack against a large French hospital. The Ukrainian cyberpolice estimates the damage caused by the group at more than 500 million dollars (412 million euros). However, it does not appear that the investigation opened in France led to these identifications in Ukraine: the cybercrime department of the Ukrainian national police refers instead to a joint international operation with the United States and South Korea.
More than 20 searches carried out
The Ukrainian cyberpolice does not specify whether the six individuals it has identified make up the whole of Clop. Investigators carried out twenty-one searches of suspects' homes and vehicles, and claim to have dismantled the channels used to launder the cryptocurrency extorted from their victims. The equivalent of just over 150,000 euros was also seized, along with computer equipment.
The six individuals identified are accused by the Ukrainian authorities of having compromised four South Korean companies in 2019, but the group's victims number in the dozens, including the cybersecurity heavyweight Qualys, the oil giant Shell and the University of California.
In recent months, the authorities in several countries have made major advances in the fight against cybercriminals of this type, hitherto known for their ability to evade judicial investigation.
In February, several members of the Egregor gang, also among the most prominent in the cybercrime scene, were arrested in Ukraine. Shortly before, a Canadian suspected of having spread the NetWalker ransomware had been arrested in Quebec. A few weeks earlier, authorities in several countries had successfully taken down the Emotet botnet, which is frequently used in ransomware attacks.