A week after Ukrainian police arrested criminals associated with the notorious Cl0p ransomware gang, Cl0p has published a new batch of what is said to be confidential data stolen in a hack of a previously unknown victim. Ars will not identify the potentially affected company until it verifies that the data and hack are authentic.
If true, the dump shows that Cl0p is intact and able to carry out its reckless activities despite the arrests. That suggests the suspects don't include key leaders but rather affiliates or others who play a lesser role in the operations.
The data is said to be employee records, including proof of employment for loan applications and documents related to employees whose wages have been paid. I cannot confirm that the information is genuine and that it was, in fact, taken during a hack on the company, although web searches show that the names listed in the documents match the names of people who work for the company.
Company representatives did not respond to a phone call seeking comment. Cl0p members did not respond to emails sent to addresses listed on the group's site on the dark web.
Over nearly a decade, ransomware has grown from a costly inconvenience into a permanent threat that can shut down hospitals and disrupt gasoline and meat supplies. Under pressure from the Biden administration, the U.S. Department of Justice is taking federal ransomware cases seriously. Biden also raised concerns with Russian President Vladimir Putin about the spread of ransomware attacks from Russian-speaking groups, such as Cl0p.
Last week's arrest by Ukrainian police of six people linked to Cl0p was seen as a coup in some circles because it marked the first time the country's law enforcement agency had made a mass arrest involving a ransomware group. But as Wired reporter Lily Hay Newman observed, the crackdown is unlikely to ease the ransomware epidemic until Russia itself follows suit.
The latest leak confirms the limits of the current ransomware response. Much of the weakness stems from the innovation of the ransomware economy, which depends on two important but independent parties. The first is the party that maintains the ransomware itself and often some of the Internet infrastructure it runs on.
The second is the group of hackers who rent the ransomware and share any revenue with the ransomware's maintainers. Often, one party has little or no knowledge of the other, so the shutdown of one does not affect the other.
The fight continues
Compounding the problem for law enforcement, many groups are based in Russia or other Eastern European countries that do not have extradition agreements with the US.
Cl0p was first spotted in early 2019. Recent targets have included oil company Shell, international law firm Jones Day, US bank Flagstar, and several US universities including Stanford and the University of California. Often, the affiliated hackers exploited vulnerabilities in the Accellion File Transfer Appliance. Cl0p has also been noted to run widespread malicious email campaigns to identify potential corporate victims. In many cases, the campaigns use data stolen from existing victims to trick potential customers, partners, or vendors into thinking that a malicious email is benign.
Cl0p's ability to post leaked documents following last week's arrest suggests that the suspects are not core members but instead either affiliates or, as Intel 471 told security reporter Brian Krebs, “limited to the cash-out and cash approval group of CLOP business only.” And that means the fight against this group and the Internet epidemic of which it is a part will continue for the foreseeable future.