A week after Ukrainian police arrested criminals affiliated with the infamous Cl0p ransomware gang, Cl0p has released a new batch of what is supposedly confidential data stolen in a hack by a previously unknown victim. Ars will not identify the potential victim until confirmation that the data and the hack are genuine.
If genuine, the dump shows that Cl0p remains intact and is still able to carry out its operations despite the arrests. That suggests the suspects are not the core leaders, but rather affiliates or others who play lesser roles in the operation.
The data purports to be employee records, including verifications of employment for loan applications and documents related to employees whose wages have been garnished. I could not confirm that the information is genuine and that it was in fact taken during a hack at the company, although web searches revealed that the names in the documents matched names of people who work for the company.
Company representatives did not respond to a call for comment. Cl0p members did not respond to emails sent to addresses listed on the group’s dark web site.
An existential threat
For nearly a decade, ransomware has grown from a costly inconvenience to an existential threat that can close hospitals and disrupt gas and meat supplies. Under pressure from the Biden administration, the US Department of Justice is prioritizing federal ransomware cases. Biden also raised concerns with Russian President Vladimir Putin about the spread of ransomware attacks by Russian-speaking groups such as Cl0p.
Last week’s arrest by Ukrainian police of six people affiliated with Cl0p was seen in some circles as a coup as it marked the first time a national law enforcement group made mass arrests involving a ransomware group. But as Wired reporter Lily Hay Newman pointed out, the crackdown is unlikely to alleviate the ransomware epidemic until Russia itself follows suit.
The new leak confirms the limits of the current ransomware response. Much of the weakness stems from the decentralization of the ransomware economy, which rests on two critical but independent entities. The first is the group that maintains the ransomware itself and, often, part of the internet infrastructure on which it runs.
The second entity is the team of hackers that leases the ransomware and shares any revenue with the ransomware administrators. Often one group has little or no knowledge of the other, so shutting down one has no effect on the other.
The fight continues
Compounding the difficulties law enforcement faces, many of the groups' members live in Russia or other Eastern European countries that do not have extradition treaties with the US.
Cl0p was first noticed in early 2019. Recent targets have included oil company Shell, international law firm Jones Day, US bank Flagstar and several US universities, including Stanford and the University of California. Affiliated hackers often exploit vulnerabilities in the Accellion File Transfer Appliance. Cl0p has also been observed running broad malicious email campaigns to identify potential business victims. In many cases, the campaigns use data stolen from existing victims to trick those victims' customers, partners or suppliers into thinking that a malicious email is benign.
Cl0p’s ability to post leaked documents after last week’s arrests suggests that the suspects were not core members and were instead either affiliates or, as Intel 471 told security reporter Brian Krebs, “limited to the payout and money laundering side of CLOP’s only matters.” And that means that the fight against this group and the internet scourge of which it is a part will continue for the foreseeable future.