Clop ransomware continues to work even after a series of arrests

Clop continues to work

The media reported that Clop ransomware continues to work: its operators have again begun posting data stolen from victims on their website.

The fact is that last week, as a result of a joint operation carried out with the assistance and coordination of Interpol by the law enforcement agencies of Ukraine, South Korea and the United States, six suspects were detained, somehow connected with Clop, but, obviously, this did not affect the “work” of the group.

Ukrainian police reported that they conducted 21 searches in the capital of the country and in the Kiev region, in the homes of the defendants and in their cars. As a result, were seized: computer equipment, cars (Tesla, Mercedes and Lexus) and about 5,000,000 hrivnias ($182,900) in cash, which, according to the authorities, were received from the victims as ransoms. The suspects’ property was seized.

At the same time, according to the information security company Intel 471, the Ukrainian authorities arrested people who were only involved in money laundering for Clop operators, while the main members of the hack group are most likely hide in Russia.

The raids of law enforcement agencies in Ukraine, connected with the CLOP ransomware program, are connected only with the withdrawal/laundering of money for the CLOP“ business ”. We do not believe that any of the main participants in CLOP have been detained, and we believe that they probably live in Russia. We expect that the impact [of this operation on] CLOP will be negligible, although law enforcement scrutiny could lead [hackers] to ditch the CLOP brand, as we recently saw with other ransomware groups such as DarkSide and Babuk.the experts said.

Although after the arrests Clop’s “work” was suspended for about a week, now Bleeping Computer reports that the ransomware has re-activated and published data on two new victims on its website on the darknet.

The researchers did not disclose the names of the affected companies, but report that the personal details of the employees were released, including documents confirming employment (for loan applications), as well as documents on withholding of wages.

It should also be said that today the Binance cryptocurrency exchange announced that it took part in a recent law enforcement operation and helped identify criminals.

Exchange representatives said that they tracked the FANCYCAT group, which is engaged in various criminal activities, including the management of a “high-risk” cryptocurrency exchange. This group laundered money for ransomware such as Clop and Petya and is generally responsible for more than $500,000,000 in damages related to ransomware, as well as laundering millions of dollars associated with other types of cybercrimes.

Clop continues to work

Binance claims to have discovered FANCYCAT together with the blockchain analyst firms TRM Labs and Crystal (BitFury), and then provided all the information it gathered to law enforcement, leading to the group’s arrest earlier this month.

Let me remind you that I also wrote that France is looking for LockerGoga ransomware developers in Ukraine.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *