
Ukraine identifies Clop ransomware operators; sources say they are not hackers
Ukrainian law enforcement authorities reported the identification of six members of a hacker group behind the Clop ransomware, which attacked organizations in South Korea and the United States.
According to Ukraine’s cyberpolice, in 2019 the Clop operators hacked four South Korean companies, compromising internal servers and employees’ devices. The hackers distributed the malware via emails with malicious attachments.
In 2021 the group attacked the Stanford University School of Medicine, as well as the University of Maryland and the University of California, gaining access to employees’ personal data and financial records.
For decrypting the data, the attackers demanded a ransom in cryptocurrency; if not paid, they threatened to disclose confidential data. The total damage from the attacks was estimated at $500 million.
Interpol and law enforcement agencies from the United States and South Korea also participated in the operation.
The cyberpolice said they had disrupted the hackers’ infrastructure and blocked channels used to launder cryptocurrency obtained illegally.
The agency said law enforcement conducted 21 searches in Kyiv and the region, seizing computers, vehicles, and about 5 million hryvnias in cash (over $184,000).
In a statement from the Office of the Prosecutor General of Ukraine, it was stated that 24 searches were conducted and about 1.5 million hryvnias (over $55,000), 3,000 euros and $58,000 were seized.
A ForkLog source who wished to remain anonymous said the searches were conducted at OTC traders through which the ransomware operators moved bitcoins. They themselves, according to our source, are not hackers.
It is believed that the personal data of the individuals involved in the case was handed over to law enforcement by the Binance exchange, where they conducted their trades.
The cyberpolice release does not explicitly state the arrest of these individuals — only the opening of a criminal case and seizure of assets. The source confirms that the suspects are not under arrest and are at large.
Intel 471 reached similar conclusions: its specialists confirmed that the raids in Ukraine pertain to the laundering of Clop’s funds, and that the group’s principal members are more likely to be in Russia.
“The consequences for Clop will be minor. They may simply drop the current name due to the close attention of law enforcement,” Intel 471 quotes the specialized site krebsonsecurity.com.
Krebsonsecurity.com notes that the Clop members split from the TA505 group, which has operated since 2014 and had financial motives.
In a comment to ForkLog, cyberpolice representatives said that the publication on their site contains the information they “can disclose”:
“We cannot comment on the rest to avoid interfering with the investigation.”
We will continue to monitor the development of the story.
Late last year, Clop attacked the leading German producer of food flavorings, Symrise. The hackers stole 500 GB of data and encrypted 1,000 devices at the company.