Yesterday’s noisy raid of the Clop ransomware gang in Ukraine was a major win according to most experts throughout the cybersecurity community, who said the moment marks a shift in the international war on ransomware.
The raid, according to Ukrainian reports translated by eSpire analysts, included the arrests of six people in Kiev, the seizure of $185,000 in cash, a Tesla, a Mercedes and their computer equipment. Those arrested face up to eight years in prison, the records said.
Besides losing the luxury rides and cash, experts said this raid is going to make the ransomware business harder overall by taking resources and recruiting power away from groups still operating.
Clop Raid: International Cooperation Against Ransomware
Austin Merritt, a Digital Shadows analyst, said the demonstration of international cooperation to find and hold ransomware groups accountable sends an important signal to other ransomware groups.
“Clop has been responsible for high-profile ransomware attacks in South Korea, so this bust reflects how proactive, joint international operations can bring cybercriminals to justice,” Merritt told Threatpost. “Since other actions like indictments and sanctions can only do so much, in-person raids are an effective tool in intimidating cybercriminals, perhaps more than anything else.”
Clop rose to infamy in October, when it became the first to demand a ransom as high as $20 million after it breached Germany-based Software AG. By 2021, Clop had emerged as an expert at exploiting the Accellion supply-chain bug, using the file transfer application’s weakness to attack its customers, including RaceTrac Petroleum based in Atlanta, Dutch oil company Royal Shell, security company Qualys, law firm Jones Day, Stanford and the University of California system, and many others throughout the world. It’s not clear whether Clop was behind the initial Accellion breach, eSpire noted, or whether it was given the access by other actors.
In total, eSpire figures Clop was responsible for about $500 million in damages.
Clop Raid Sends Powerful Geopolitical Message
Many of the most dangerous cybercriminal actors intentionally set up operations in countries where law enforcement can’t reach them, Peter Klimek, director of technology at Imperva, told Threatpost.
“The vast majority of ransomware groups are living in regions where we don’t have extradition treaties in place,” Klimek said. “The governments tolerate them. The goal of the U.S. and various G7 nations is figuring out to what degree they can turn up the pressure until those governments no longer tolerate them anymore.”
This week’s Clop raid coincided with the much-anticipated summit between U.S. President Biden and Russian President Putin, during which officials stressed cybersecurity.
Hitesh Sheth, president and CEO at Vectra, specifically praised Ukrainian efforts to push back against Clop in his reaction to the raid.
“This is a bold move, especially given Ukraine’s tensions with Russia,” Sheth said. “It would be better to see comprehensive global law-enforcement efforts take hold. Cybersecurity has displaced nuclear arms as the premier superpower security issue of our era. We can hope the Biden-Putin summit leads to cooperation and structural progress in this area.”
Adam Flatley, director of threat intelligence with a security firm called simply “[redacted],” told Threatpost that raids like this are precisely what was prescribed by the Ransomware Task Force from the Institute for Security and Technology.
“This is really positive news and falls in line with some of the key recommendations made by the Ransomware Task Force, namely raising the priority of taking down ransomware actors and working in coordination with partner nations,” Flatley explained to Threatpost. “Increased law-enforcement action is going to be key to the success of stemming the wave of ransomware operations.”
Clop Raid Makes Ransomware Recruiting Harder
Recruiting talent is going to get harder because of these raids, Erich Kron from KnowBe4 pointed out to Threatpost, but he cautioned that one raid isn’t going to kill the whole dark industry.
“While these takedowns of cybercriminals will not put a stop to issues with ransomware and other cybercrime for good, continued actions like these will dissuade some from taking part in them,” Kron said. “In the modern world of cybercrime, distribution methods such as ransomware-as-a-service (RaaS), where the ransomware developers recruit others to do the actual attacks and split profits, may have a harder time recruiting people to do their dirty work.”
He added that cutting off supplies of talent and expertise to these groups is a matter of making the reward no longer worth the risk.
“This is sending a strong message that they will not be allowed to operate with impunity anymore,” Kron said. “As the threat of ransomware and cybercrime continues to grow in the international political theater, as made evident by the recent NATO comments on the issue, these cybercriminal gangs will be under more pressure, and many may decide that the risk is too great to continue.”
Clop Raid Removes Ransomware Resources
Oliver Tavakoli, CTO at Vectra, pointed out that these raids are also impacting these groups’ bottom line, which drains their power to proliferate and pull off bigger attacks.
“Law-enforcement actions such as these are one of the key levers which can eventually shrink the ransomware ecosystem,” Tavakoli told Threatpost. “When the likelihood of repercussions rise, less people will be drawn into the business of ransomware.”
However, Tavakoli added the road to eradicating the threat of ransomware will be long.
“It will require concerted and prolonged pushes to bend this curve in a positive direction, but these efforts represent a credible start,” he said.
Flatley also said that there must be other tools deployed against ransomware groups like Clop, besides law enforcement.
“It’s just one piece in what needs to be a larger, intelligence-driven, coordinated campaign,” Flatley added. “Ransomware groups that are being sheltered by the countries where they operate from will need to be disrupted and dismantled with additional tools of national and international power.”