Thu | Jun 17, 2021 | 2:30 PM PDT

The Ukrainian Cyberpolice Department recently detained six hackers for the use of the ransomware program known as Clop.

The group used Clop to encrypt data on the servers of multiple American companies and universities, as well as some Korean companies.

To catch these cybercriminals, Ukrainian officers conducted 21 searches in the Kyiv region, seizing computer equipment, cars, and roughly 5 million hryvnias (approximately $184,000).

Hackers use Clop to target American and Korean organizations

According to Ukrainian Cyberpolice, four Korean companies were attacked with the Clop virus in 2019. This resulted in 810 internal servers and personal computers of employees becoming encrypted.

Earlier this year, the same hackers targeted Stanford University Medical School, the University of California, and the University of Maryland, encrypting financial reports and personal information of employees.

The hackers sent emails with malicious attachments to employees; once an attachment was opened, it infected the computer with a remote-administration tool called Flawed Ammyy RAT.

Here is how the hackers' crimes are described:

"Using remote access, the suspects activated malicious software 'Cobalt Strike,' which provided information about the vulnerabilities of infected servers for further capture. For decrypting the information, the attackers received a 'ransom' in cryptocurrency.

Unlike common ransomware attacks, which encrypt a large number of uninstalled PCs and servers, the Advanced Persistent Threat (APT) attack is aimed at a specific victim's computer network and infects the entire system with a ransomware program.

The total damage reaches $500 million.

Together, law enforcement has managed to shut down the infrastructure from which the virus spreads and block channels for legalizing criminally acquired cryptocurrencies."

The hackers are currently facing up to eight years in prison as authorities continue to investigate the situation.

Clop used in other ransomware attacks

Other than the attacks mentioned by the Ukrainian Cyberpolice, Clop has been used in a number of other ransomware attacks.

In April 2020, Clop was used to attack the large U.S. pharmaceutical company ExecuPharm, resulting in personal information such as Social Security numbers, financial information, passports, and more being posted to the Dark Web. 

South Korean retail conglomerate E-Land was hit with an attack using Clop that forced the company to close nearly half of its stores.

Clop has also been linked to the Accellion data breach, which involved the company's File Transfer Appliance software and allowed hackers to steal data from many of Accellion's customers.

TechCrunch reports that the Dark Web portal Clop uses to share stolen data is still running, but it hasn't been updated in weeks.

Typically, law enforcement replaces a cybercrime website with an image of their own logo to indicate a successful takedown, so the fact this has not happened yet could mean the hackers are still active.
