In June, Ukrainian police arrested six individuals in a total of 20 raids across Kyiv and other cities, confiscating computers, equipment, automobiles, and $185,000 in cash.
In the operation, now known as Operation Cyclone, the Ukrainian National Police collaborated with South Korean law enforcement.
Interpol’s Cyber Fusion Centre oversaw the operation in Singapore, according to Interpol, an intergovernmental organisation focused on supporting coordinated activity between police agencies throughout the world.
Threat intelligence was shared through the Interpol Gateway project by Trend Micro, CDI, Kaspersky Lab, Palo Alto Networks, Fortinet, and Group-IB, as well as police from Ukraine, South Korea, and the United States.
S2W LAB and KFSI, both from South Korea, contributed Dark Web activity analysis.
South Korea’s interest in the arrests stems from Clop’s alleged involvement in a ransomware campaign against E-Land. According to the ransomware’s handlers, point-of-sale (PoS) malware was implanted on the Korean retail giant’s networks for around a year, resulting in the loss of millions of credit card records.
Clop is one of numerous ransomware gangs that operate on the Dark Web through leak sites. The groups will claim responsibility for a ransomware attack and will use these platforms for two purposes: to facilitate communication with victims in order to negotiate a blackmail payment in exchange for a decryption key, and to conduct additional extortion by threatening to leak stolen, sensitive data on the portal if they do not pay up.
Clop has previously claimed high-profile victims, including The Reserve Bank of New Zealand, Washington State Auditor, Qualys, and Stanford Medical School, by exploiting zero-day vulnerabilities in the Accellion File Transfer Appliance (FTA) software, as well as other attack vectors.
Clop is suspected of laundering at least $500 million obtained from ransomware activities, and the six suspects have been charged with money laundering. If found guilty of being members of the notorious organisation, the suspects face up to eight years in prison.
It should be emphasised, however, that the six arrests in Ukraine have had no effect on the Clop ransomware group’s actions or its leak site. The ransomware’s principal operators are thought to be based in Russia.