Ukraine arrests ransomware gang in global cybercriminal crackdown

Image caption: A Colonial Pipeline facility in Woodbridge, New Jersey. Hackers last month disrupted the pipeline supplying petroleum to much of the East Coast.

Ukrainian police have arrested members of a notorious ransomware gang that recently targeted American universities, as pressure mounts on global law enforcement to crack down on cybercriminals.

The Ukraine National Police said in a statement on Wednesday that it had worked with Interpol and the US and South Korean authorities to charge six members of the Ukraine-based Cl0p hacker group, which it claimed had inflicted a half-billion dollars in damages on victims based in the US and South Korea.

The move marks the first time that a national law enforcement agency has carried out mass arrests of a ransomware gang, adding to pressure on other countries to follow suit. Russia, a hub for ransomware gangs, has been blamed for harbouring cybercriminals by failing to prosecute or extradite them.

Cl0p is one of several ransomware cartels that seize a target’s data, demanding a ransom to release it. The group has also increasingly threatened to leak sensitive information online if a target refuses to pay, a tactic known as “double extortion.”

Recent targets have included oil company Shell and international law firm Jones Day, as well as several US universities including Stanford and the University of California. In most cases, the hackers wielded a vulnerability in a file transfer product run by Accellion to compromise their victims.

The arrests come as ransomware has been thrust into the spotlight in recent weeks, following a number of audacious attacks hitting critical infrastructure. Last month, hackers disrupted the Colonial Pipeline supplying petroleum to much of the US East Coast—an attack the White House has attributed to a Russian-based group.

As a result, governments are under increasing pressure to curb the activities of cybercriminals. This week, US President Joe Biden attended a summit in Geneva with Russia’s President Vladimir Putin, in which both parties were expected to discuss the threat of ransomware.

Some experts allege Moscow allows ransomware criminals to operate with impunity in the country on the understanding that hackers will not target Russian-speaking organizations and will share access with the government if called upon to do so. Ahead of the summit, however, both Putin and Biden suggested they were open to exchanging cybercriminals.

As part of its Cl0p takedown, the Ukrainian police said on Wednesday that it had conducted 21 searches in the Kyiv region of the homes and cars of those arrested, seizing computer equipment, 5 million Ukrainian hryvnias (around $185,000), and property. Video footage shared by the police showed officers raiding homes in what appeared to be wealthy neighborhoods and towing luxury cars, including Teslas.

The police also said it had “managed to shut down” some of the group’s digital infrastructure.

It is unclear whether those arrested were core members of the group or affiliates. The defendants face eight years in prison, the statement said.

© 2021 The Financial Times Ltd. All rights reserved. Not to be redistributed, copied, or modified in any way.