Operation Cyclone blows up Operation Clop ransomware


A thirty-month international law enforcement operation, codenamed “Operation Cyclone,” targeted the Clop ransomware gang, leading to previously reported arrests of six members in Ukraine.

In June, BleepComputer reported that Ukrainian law enforcement officers arrested members of the Clop ransomware gang involved in laundering ransom payments.

This Friday, new information emerged about how the operation was conducted and the law enforcement agencies involved.

Interpol’s Cyclone operation

The transcontinental operation called “Operation Cyclone” was coordinated by INTERPOL’s Cyber ​​Fusion Center in Singapore, with the assistance of the Ukrainian and US police authorities.

This operation targeted Clop for his numerous attacks on Korean companies and US academic institutions, in which threat actors encrypted devices and extorted organizations to pay a ransom or leak their stolen data.

In December 2020, Clop conducted a massive ransomware attack against E-Land Retail, a South Korean conglomerate and retail giant, which caused the temporary closure of 23 out of 50 stores of NC department stores and the NewCore Outlet. Them after claimed to have stolen 2,000,000 credit cards from the company that uses point-of-sale malware.

More recently, Clop used a vulnerability in the Accellion secure file transfer gateway to steal confidential and private files from companies and universities. When $ 10 million + ransom demands were not paid, the threat actors publicly released students’ personal information from numerous universities and colleges.

Clop ransom note used in Accellion extortion requests
Clop ransom note used in Accellion extortion requests

US educational institutions targeted in Accellion’s attacks included the University of Colorado, University of Miami, Stanford Medicine, University of Maryland Baltimore (UMB) and University of California.

Through intelligence-sharing between law enforcement and private partners, Operation Cyclone resulted in the arrest of six suspects in Ukraine, the search of more than 20 homes, businesses and vehicles, and the seizure of computers and $ 185,000 in cash. .

The transaction was also assisted by private partners, including Trend Micro, CDI, Kaspersky Lab, Palo Alto Networks, Fortinet and Group-IB.

“Despite the spiral of global ransomware attacks, this police-private sector coalition saw one of the first arrests of online criminal gangs by global law enforcement, sending a powerful message to ransomware criminals, who don’t care where they hide in. cyberspace, we will pursue them relentlessly, “said Craig Jones, INTERPOL’s Director of Cybercrime in announcement.

US cybersecurity firm Intel 471 previously told Bleeping Computer that while the arrested members are linked to the Clop ransomware gang, they were primarily involved in money laundering for the criminal organization. The intelligence firm further said that the main members of Operation Clop are likely out of danger in Russia.

If convicted, the six suspected members of the clop face up to eight years in prison.

A video released by the Ukrainian SSU shows investigators conducting raids on the suspect’s property and seizing evidence.

Target ransomware operations

As ransomware attacks against critical infrastructure, healthcare, businesses and educational institutions escalate, law enforcement has exerted significant pressure on criminal operations this year.

This law enforcement activity has led to numerous arrests and infrastructure seizures, including:

Law enforcement operations have also led ransomware gangs to shut down their operations as they feel law enforcement is tightening their activities.

This includes the recent closure of the Revil Other BlackMatter operations, as well as Avaddon ransomware stopped in June.

While ransomware gangs can disrupt their operations, that doesn’t mean law enforcement has given up on bringing them to justice.

This week, the US State Department announced a $ 10 million reward to identify or locate key leaders in the DarkSide / BlackMatter ransomware operation.

Thanks to Douglas Mun for the tip!


Please enter your comment!
Please enter your name here