A week after Ukrainian police arrested criminals affiliated with the notorious Cl0p ransomware gang, Cl0p has published a fresh batch of what’s purported to be confidential data stolen in a hack of a previously unknown victim. Ars won’t be identifying the possibly victimized company until there is confirmation that the data and the hack are genuine.
If genuine, the dump shows that Cl0p remains intact and able to carry out its nefarious actions despite the arrests. That suggests that the suspects don’t include the core leaders but rather affiliates or others who play a lesser role in the operations.
The data purports to be employee records, including verification of employment for loan applications and documents pertaining to workers whose wages have been garnished. I was unable to confirm that the information is genuine and that it was, in fact, taken during a hack on the company, although web searches showed that names listed in the documents matched names of people who work for the company.
Company representatives didn’t respond to a phone call seeking comment. Cl0p members didn’t respond to email sent to addresses listed on the group’s site on the dark web.
An existential threat
For almost a decade, ransomware has grown from a costly inconvenience into an existential threat that can shut down hospitals and disrupt gasoline and meat supplies. Under pressure from the Biden administration, the US Justice Department is prioritizing federal ransomware cases. Biden also raised concerns with Russian President Vladimir Putin about the proliferation of ransomware attacks from Russian-speaking groups, such as Cl0p.
Last week’s apprehension by Ukrainian police of six people affiliated with Cl0p was seen as a coup in some circles because it marked the first time a national law enforcement group has carried out mass arrests involving a ransomware group. But as Wired reporter Lily Hay Newman observed, the crack down is unlikely to easy the ransomware epidemic until Russia itself follows suit.
The new leak confirms the limits of current ransomware response. Much of the flimsiness stems from the decentralization of the ransomware economy, which rests on two crucial but independent entities. The first is the group that maintains the ransomware itself and often some of the Internet infrastructure it runs on.
The second entity is the team of hackers that leases the ransomware and shares any revenue generated with the ransomware maintainers. Often, one group has little or no knowledge of the other, so the shutdown of one has no effect on the other.
The fight continues
Compounding the difficulty law enforcement faces, many of the groups reside in Russia or other Eastern European countries that have no extradition treaties with the US.
Cl0p was first spotted in early 2019. Recent targets have included oil company Shell, international law firm Jones Day, US bank Flagstar, and several US universities including Stanford and the University of California. Often, affiliated hacker exploit vulnerabilities in the Accellion File Transfer Appliance. Cl0p has also been observed operating broad malicious email campaigns to identify potential corporate victims. In many cases, the campaigns use data stolen from existing victims to better trick customers, partners, or vendors into thinking that a malicious email is benign.
The ability of Cl0p to post leaked documents following last week’s arrests suggests that the suspects weren’t core members and instead were either affiliates or, as Intel 471 told security reporter Brian Krebs, “limited to the cash-out and money laundering side of CLOP’s business only.” And that means the fight against this group and the Internet scourge it’s a part of will continue for the foreseeable future.