The Clop ransomware threat group released the details of new victims on their leak site after taking a week off. Law enforcement in Ukraine arrested six members of the threat group with the help of the Korean National Police Agency and the USA, which many hoped would signal a disruption of the threat. The Ukrainian Police described the arrests as a significant blow to the group’s operations, stating “together, law enforcement has managed to shut down the infrastructure from which the virus spreads and block channels for legalizing criminally acquired cryptocurrencies.” It took only about a week for the arrests to stop fazing the group, as they posted the data of at least two new victims on their website. Security firm Intel 471 stated when the arrests were made that most of those arrested were part of the money laundering side of the group and that the core actors who develop and deploy the ransomware were not among those arrested.
Analyst Notes
Though arresting many of the group’s money launderers is a good way to discourage others from doing the same, it is unlikely that the arrests have fazed the operations of Clop ransomware. Clop works to gain a foothold in a network, then slowly moves through it and steals data. Once the group believes it has all the data it wants, it deploys the ransomware. In other cases, Clop stole data from Accellion FTA servers and extorted companies in return for a promise not to release the data, but did not lock any computers or encrypt files. Clop has been responsible for some large-scale attacks, and companies should have the proper defenses in place to defend against ransomware in general. This includes monitoring such as Binary Defense’s Managed Detection and Response, which looks for attacks being carried out through behavior-based detection and works to stop them through 24/7 Security Operations and response.
More can be read here: https://www.bleepingcomputer.com/news/security/clop-ransomware-is-back-in-business-after-recent-arrests/