The arrests have not disrupted the Clop group's activity: the website used by the ransomware group is still active a week after the Ukrainian police announcements, and the group's operators have released new data stolen from victimized companies. This continued activity suggests that the Clop group has not been as disrupted by the recent arrests as expected.
Speaking to Bleeping Computer, the cybersecurity company Intel 471 argued that last week's arrests would not hamper the group's activity. According to the firm, those arrested by Ukrainian law enforcement were linked to the group's money laundering activity. The arrests would therefore not have directly affected the functioning of the cybercriminal group, which is demonstrating as much by continuing its extortion activities and posting stolen data on its site.
A model of double extortion
Ukrainian police forces also said they had seized part of the infrastructure used by the group, but the website Clop uses to disseminate stolen data remained online after the announcements. By contrast, in the operations that led to the arrest of members of the Netwalker and Egregor groups, the websites used by those groups were seized by police. The statement issued by the Ukrainian police said the investigation was continuing and that the police hoped to make further arrests.
The Clop group, active since 2019, is notably suspected of involvement in the cyberattack that paralyzed the Rouen University Hospital in France. Its victims include the German software publisher Software AG and the cybersecurity company Qualys. Like many other cybercriminal groups, Clop is known to have adopted a "double extortion" business model, which involves encrypting the target's computer systems followed by data theft. More recently, the group also exploited flaws in Accellion FTA to steal data and extort ransoms from victims, this time without encrypting their information systems.
This is proof that cybercriminal groups are likely to evolve beyond ransomware, a modus operandi that has garnered widespread media attention over the past two years.