Tag Archive for: clop

Operation Cyclone deals blow to Clop ransomware operation


A thirty-month international law enforcement operation codenamed ‘Operation Cyclone’ targeted the Clop ransomware gang, leading to the previously reported arrests of six members in Ukraine.

In June, BleepingComputer reported that Ukrainian law enforcement arrested members of the Clop ransomware gang involved in laundering ransom payments.

This Friday, new information came to light regarding how the operation was conducted and the law enforcement agencies involved.

Interpol’s Operation Cyclone

The transcontinental operation named ‘Operation Cyclone’ was coordinated from INTERPOL’s Cyber Fusion Centre in Singapore, with assistance from Ukrainian and US law enforcement authorities.

This operation targeted Clop for its numerous attacks against Korean companies and US academic institutions, where the threat actors encrypted devices and extorted organizations to pay a ransom or have their stolen data leaked.

In December 2020, Clop conducted a massive ransomware attack against E-Land Retail, a South Korean conglomerate and retail giant, causing 23 out of 50 NC Department Store and NewCore Outlet retail stores to temporarily close. They later claimed to have stolen 2,000,000 credit cards from the company using point-of-sale malware.

More recently, Clop used a vulnerability in the Accellion secure file transfer gateway to steal confidential and private files of corporations and universities. When $10 million+ ransom demands were not paid, the threat actors publicly released students’ personal information from numerous universities and colleges.

Clop ransom note used in Accellion extortion demands

The US education institutions targeted in the Accellion attacks included the University of Colorado, University of Miami, Stanford Medicine, University of Maryland Baltimore (UMB), and the University of California.

Through intelligence sharing between law enforcement agencies and private partners, Operation Cyclone led to the arrest of six suspects in Ukraine, the search of more than 20 houses, businesses, and vehicles, and the seizure of computers and $185,000 in cash assets.

The operation was also assisted by private partners, including Trend Micro, CDI, Kaspersky Lab, Palo Alto…


Accellion FTA Zero-Day Attacks Show Ties to Clop Ransomware, FIN11 – Threatpost



FIN11 e-crime group shifted to clop ransomware and big game hunting

The financially motivated FIN11, which increasingly incorporated CL0P ransomware into their operations in 2020, appeared to rely on low-effort volume techniques like spamming malware for initial entry, but put a substantial amount of effort into each follow-up compromise.

“Several of their recent ransom notes explicitly name data stolen from workstations that belong to top executives (including founders/CEOs) of the respective enterprises,” Senior Cybersecurity Analyst Thomas Barabosch wrote in a blog post detailing new research from Deutsche Telekom. “This is likely based on the hope that using data stolen from top executives in the extortion process raises their chances that the victim pays.”

The research sheds new light on how cybercriminals from the threat group, described as a relentless, big-game ransomware hunter that rarely goes more than a day or two between attacks, used the popular clop ransomware in their operations.

Throughout 2020, FIN11 actors followed an observable pattern across three separate campaigns: first spamming potential victims with phishing emails during the work week, then sifting through those who clicked on the malicious link to identify the most lucrative corporate targets for follow-up action. FireEye picked up on one of those campaigns in October, and the company’s research suggests “that the actors cast a wide net during their phishing operations, then choose which victims to further exploit based on characteristics such as sector, geolocation or perceived security posture.”

In the FIN11 clop attacks, each target is hit with a unique variation of the ransomware. Researchers found more than a dozen different clop samples used by the group; in some cases there are multiple samples for a single victim. The group also crafts a personalized ransom note that includes the victim’s name, specifics about the exfiltrated data, file share paths, user names and other details, and uses ransomware with a unique 1024-bit RSA public key for each victim, with Barabosch noting in a blog that “as of January 2021, the largest publicly known RSA key that was factored…had 829 bits.”