A week after the Ukrainian police arrested criminals affiliated with the notorious Cl0p ransomware gang, Cl0p has released a new batch of what is believed to be confidential data stolen while hacking a previously unknown victim. Ars will not identify the potentially victimized company until it has been confirmed that the data and the hack are genuine.
If genuine, the dump shows that Cl0p remains intact and capable of carrying out its nefarious actions despite arrests. This suggests that the suspects do not include key executives but rather affiliates or others who play a lesser role in the operations.
The data purports to be employee records, including employment verification for loan applications and documents relating to workers whose wages have been garnished. I could not confirm that the information is genuine and that it was taken during a company hack, although web research showed that the names in the documents matched the names of people working for the company.
Representatives for the company did not respond to a phone call seeking comment. Cl0p members did not respond to emails sent to addresses listed on the group’s dark web site.
An existential threat
For nearly a decade, ransomware has grown from a costly inconvenience to an existential threat that can close hospitals and disrupt gasoline and meat supplies. Under pressure from the Biden administration, the US Department of Justice is prioritizing federal ransomware cases. Biden also raised concerns with Russian President Vladimir Putin over the proliferation of ransomware attacks by Russian-speaking groups such as Cl0p.
The arrest last week by Ukrainian police of six people affiliated with Cl0p was viewed as a coup in some circles, as it was the first time that a national law enforcement agency had carried out mass arrests involving a ransomware group. But as Wired reporter Lily Hay Newman observed, the crackdown is unlikely to alleviate the ransomware epidemic until Russia itself follows suit.
The new leak confirms the limits of the current ransomware response. Much of the fragility stems from the decentralization of the ransomware economy, which relies on two crucial but independent entities. The first is the group that manages the ransomware itself and often much of the internet infrastructure on which it runs.
The second entity is the hacker team that deploys the ransomware against victims and shares the revenue it generates with the group responsible for the ransomware. Often, one group has little or no knowledge of the other, so shutting down one has no effect on the other.
The fight goes on
Compounding the difficulties faced by law enforcement, many groups reside in Russia or other Eastern European countries that do not have an extradition treaty with the United States.
Cl0p was first spotted in early 2019. Recent targets include oil company Shell, international law firm Jones Day, US bank Flagstar and several US universities, including Stanford and the University of California. Often, affiliate hackers exploit vulnerabilities in the Accellion file transfer appliance. Cl0p has also been observed running large-scale malicious email campaigns to identify potential corporate victims. In many cases, these campaigns use data stolen from existing victims to better trick those victims' customers, partners or suppliers into thinking a malicious email is benign.
Cl0p’s ability to publish leaked documents after last week’s arrests suggests the suspects were not core members and instead were affiliates or, as Intel 471 told security reporter Brian Krebs, “Limited to the collection and money laundering aspect of CLOP activities only”. And that means that the fight against this group, and the Internet scourge of which it is a part, will continue for the foreseeable future.