Ukraine Cyberpolice exposes hacker group for spreading encryption virus… CLOP Gang
Inflicting nearly half a billion dollars in damage to foreign companies…
Ukrainian Authorities arrest six members of the notorious CLOP-gang…
The hacker group was exposed by officers of the Cyberpolice Department together with the Main Investigation Department of the National Police. The perpetrators were identified as part of an international operation promoted and coordinated by Interpol (IGCI), together with law enforcement officials from the Republic of Korea and the United States.
In 2019, McAfee described CLOP ransomware as follows:
The main goal of Clop is to encrypt all files in an enterprise and request a payment to receive a decryptor to decrypt all the affected files. To achieve this, we observed some new techniques being used by the author that we have not seen before. Clearly over the last few months we have seen more innovative techniques appearing in ransomware.
The malware’s first action is to compare the keyboard of the victim computer using the function “GetKeyboardLayout” against the hardcoded values.
This function returns the user keyboard input layout at the moment the malware calls the function.
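The layout check McAfee describes is easiest to reason about once the hard-coded values are decoded. The Python below is an added example, not code from McAfee's report or from this post: it unpacks a Windows keyboard-layout handle (HKL) into its language identifier (the low 16 bits), primary language (low 10 bits of the LANGID, the PRIMARYLANGID macro) and sub-language (the upper 6 bits, SUBLANGID), names the primary language from the winnt.h constants listed, and answers the question an analyst usually has next, namely whether a host with a given layout would match a sample's list. The hard-coded values in the demo are constructed placeholders, not values taken from CLOP, and matching on primary language is this helper's own assumption, used so that sub-language variants such as 0x0409 and 0x0809 are treated alike.

```python
# Added example: decode Windows keyboard-layout handles (HKL) as an analyst
# would when interpreting the values a sample compares against
# GetKeyboardLayout(). Not code from McAfee's report or from the post.

# Primary-language constants as defined in winnt.h (LANG_*).
PRIMARY_LANGS = {
    0x07: "German",
    0x09: "English",
    0x0C: "French",
    0x12: "Korean",
    0x19: "Russian",
    0x22: "Ukrainian",
}


def decode_hkl(hkl: int) -> dict:
    """Split an HKL (or bare LANGID) into its Win32 components."""
    langid = hkl & 0xFFFF        # low word of an HKL is the LANGID
    primary = langid & 0x3FF     # PRIMARYLANGID(langid)
    sublang = langid >> 10       # SUBLANGID(langid)
    return {
        "langid": langid,
        "primary": primary,
        "sublang": sublang,
        "name": PRIMARY_LANGS.get(primary, "unknown"),
    }


def describe_hardcoded(values) -> list:
    """Render a list of hard-coded LANGIDs as human-readable labels."""
    return [
        f"{decode_hkl(v)['name']} (0x{decode_hkl(v)['langid']:04X})"
        for v in values
    ]


def layout_in_list(host_hkl: int, hardcoded) -> bool:
    """Would a host whose active layout is host_hkl match the sample's list?

    Assumption of this helper: compare on primary language, so that
    sub-language variants (US English 0x0409 vs UK English 0x0809) match
    the same entry. Useful when a sample refuses to detonate in a sandbox
    and the layout check is the suspected reason.
    """
    host_primary = decode_hkl(host_hkl)["primary"]
    return any(decode_hkl(v)["primary"] == host_primary for v in hardcoded)


if __name__ == "__main__":
    # Constructed placeholder list; NOT the values used by CLOP.
    sample_values = [0x0419, 0x0422]
    print("sample compares against:", describe_hardcoded(sample_values))
    # HKL for a US-English layout is 0x04090409 (layout id in the high word).
    for hkl in (0x04090409, 0x04220422):
        info = decode_hkl(hkl)
        print(f"host layout {info['name']} sub={info['sublang']}: "
              f"match={layout_in_list(hkl, sample_values)}")
```

Run it as a script to see the constructed list rendered, or import `decode_hkl` into an analysis notebook and feed it the constants pulled from a sample's disassembly; the sub-language field is worth keeping because a sample that compares the full LANGID rather than the primary language will behave differently on regional variants of the same language.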
For a more in-depth discussion of CLOP, I recommend you also read Palo Alto Networks' CLOP threat assessment. It's an exhaustive postmortem report, which reads in part:
Clop went from being ransomware delivered through malicious spam to being used in targeted campaigns against high-profile companies. In recent events, Clop has been linked to threat actors who have been exploiting Accellion File Transfer Appliance (FTA) vulnerabilities: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103 and CVE-2021-27104.
The exploitation of these vulnerabilities led to the compromise of high-profile companies starting in February. Additionally, there has been evidence of an affiliate using a webshell named DEWMODE that was being used to steal data from Accellion FTA devices. Not long after compromise, victims affected by DEWMODE began receiving emails from threat actors announcing the breach with a unique URL per victim to start negotiation efforts. If ignored, the threat actors would reach out again with an ultimatum of releasing the data to “Cl0p^_-Leaks”.
More information on ransomware and victimology can be found in the 2021 Unit 42 Ransomware Threat Report. But it's this particular section of the report that I want to highlight; read it for yourself:
Clop didn't have a leak site when it was first sighted back in February 2019. It was in March 2020 when the threat actors decided to launch a leak site titled, “Cl0p^_- Leaks” (Figure 2). This website is a Tor-based blog site, where victims who don’t pay the ransom or ignore threats have their confidential data publicly exposed. The threat actors behind Clop also leverage a variety of extortion techniques, such as targeting workstations of top executives, “doxxing” employees and advertising their breaches to reporters.
CLOP down and Six Defendants arrested
“It was established that six defendants carried out attacks of malicious software such as 'ransomware' on the servers of American and [South] Korean companies,” alleged Ukraine's national police force in a statement published late yesterday.
…Cyberpolice exposes hacker group for spreading encryption virus and inflicting half a billion dollars in damage to foreign companies …
Thus, in 2019, four Korean companies were attacked with the Clop encryption virus, as a result of which 810 internal servers and personal computers of employees were blocked. Hackers sent e-mails with a malicious file to the mailboxes of company employees. After opening the infected file, the program sequentially downloaded additional programs from the distribution server and completely infected the victims' computers with a remotely controlled program, "Flawed Ammyy RAT".
Using remote access, the suspects activated malicious software "Cobalt Strike", which provided information about the vulnerabilities of infected servers for further capture. The attackers received a "ransom" in cryptocurrency for decrypting the information.
© Official website of the National Police:
(hit the translate button, trust me on that) https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/
I previously walked you through Emotet, Cobalt Strike and how in January 2021 the Ukraine Police were rolling up a bunch of cyber criminal gangs. As for yesterday's roll-up, I feel comfortable saying that operation was a continuation of the January 2021 operation.
Other Notable CLOP Victims
International law firm Jones Day was the victim of a ransomware attack carried out by the Clop gang. The firm initially stated that “its network had not been compromised” and that the theft of data involved a third-party file-sharing company that it used to store files. The Clop gang was unamused by Jones Day's response and in turn “claimed that they had obtained 100 gigabytes of files from servers belonging to Jones Day.” Thereafter the Clop gang began publishing the (purportedly) exfiltrated data as proof of their successful attack. See the Bloomberg Law article.
US bank and mortgage lender Flagstar disclosed a data breach following the Accellion cyberattack at the hands of the Clop ransomware gang earlier in the year. See Flagstar's statement on its Accellion Incident Information Center.
Royal Dutch Shell was also a victim of the Clop ransomware gang. The gang once again stated they had successfully exfiltrated sensitive data from an Accellion file transfer service, and later leaked the stolen data online to pressure the company into paying a ransom. Some of the leaked data included employee visa and passport information. See Shell's March 2021 statement, in which the company appeared to downplay the breach.
University of Maryland. Here again the Clop ransomware gang was behind the attack. The gang purportedly exfiltrated sensitive information, including photos and names of individuals, home addresses, Social Security numbers, immigration status, dates of birth and passport numbers, which was then leaked online. See the DataBreaches.net article on the University of Maryland's CLOP attack.
University of California, University of Colorado, and University of Miami were all targeted and attacked by the Clop gang. And keeping to the CLOP gang's modus operandi, they soon leaked sensitive personal information online following the attacks. See BleepingComputer's exhaustive reporting from earlier this year.
And finally, I highly recommend you read KrebsOnSecurity's article. If you like the nitty-gritty technical details, you'll understand why I am suggesting you read yesterday's article; pay close attention to the third-to-last paragraph, which reads in part:
It’s not clear how much this law enforcement operation by Ukrainian authorities will affect the overall operations of the CLOP group. Cybersecurity intelligence firm Intel 471 says the law enforcement raids in Ukraine were limited to the cash-out and money laundering side of CLOP’s business only.
And lastly, if you're inclined, maybe reread the June 7th DOJ & DarkSide ClawBack.
Attachment(s): Signed Memorandum Ransomware and Digital Extortion and RADE Task Force Fact Sheet
…for now I'm working on a far more exhaustive article concerning Koshkin et al., which I briefly wrote about yesterday. The article I'm working on required me to reach back to 2009 and numerous district courts. I expect to finish up the edits after COB and anticipate publishing the article tomorrow, because there was a June 14th docket entry that caught my attention… be patient; I think it will be worthwhile.
-Filey
Your work is fabulous, filey!! I’m always excited when I get a notification that another letter has posted. Thank you!!