News broke earlier today that six members of the Clop (Cl0p) ransomware gang were arrested in Kiev, Ukraine, and in surrounding towns by the Cyber Police Department of the National Police of Ukraine, working in cooperation with law enforcement officials from South Korea (the Republic of Korea) and the United States. eSentire’s security research team, the Threat Response Unit (TRU), confirmed the arrests from a report on the official website of the Ukrainian police. According to the police report, along with arresting the six members, the police seized a Tesla, a Mercedes, the equivalent of $185,000 USD in cash, and computer equipment. The report also states that the authorities were able to shut down the IT infrastructure (servers) used by the Clop group. The police report went on to state that the six persons arrested could face up to eight years in prison for their part in the ransomware schemes, which are estimated to have caused $500 million in total damages.
As of 1 pm EST, Clop’s leak/blog site is still up and running on the underground. On the site, they claim to have compromised 57 companies in total, 39 of them since January 1, 2021. Recent victims they claim to have compromised include a $3.3 billion pharmaceutical company out of India. This would not be off-target for Clop, since they hit ExecuPharm, a Pennsylvania-based subsidiary of the U.S. biopharmaceutical giant Parexel, in 2020. ExecuPharm provides clinical trial management tools for biopharmaceutical companies.
Clop also compromised the multimillion-dollar California company Utility Trailer Manufacturing, one of the largest U.S. producers of trailers for the trucking industry. When they listed Utility Trailer Manufacturing on their leak site in April, they offered as proof of the breach a variety of employee files containing sensitive data. Utility Trailer confirmed the breach. Clop also lists the supermarket chain Foodland on their leak site. According to one news outlet, an email was sent notifying “buyers, partners, employees, and owners of Foodland that confidential information such as names, addresses, social security numbers, phone numbers, and email was stolen.” The same report states: “Lawyers for Foodland Supermarkets Ltd. issued April 23, 2021, notification of a data breach due to a ransomware attack, which was said to have occurred on April 3, 2021.” Foodland is Hawaii’s largest locally owned and operated grocery retailer. The chain has 33 stores and more than 2,600 employees. Interestingly, Clop claimed Foodland as one of their victims on their blog/leak site before Foodland went public with the news on April 23. The Clop gang also claims to have recently hit a regional law firm out of Maryland.
The Clop attacks began in February 2019, and the group rose to prominence in October 2020, when the Clop operators became the first ransomware group to demand a ransom of more than $20 million. The victim, the German tech firm Software AG, refused to pay.
Several of Clop’s 2021 victims are reported to be the result of the supply chain attack against Accellion, a company that provides a file transfer appliance (FTA) to organizations around the world. It is not known whether the Clop gang was behind the cyberattack against Accellion or whether the Clop operators were given access to the data by the Accellion hackers. Either way, it is notable that this particular ransomware gang ended up with the data of so many Accellion customers. Clop claims to have gotten their hands on data from the Dutch oil giant Royal Dutch Shell, security company Qualys, U.S. bank Flagstar, global law firm Jones Day, the University of Colorado, the University of Miami, Canadian jet manufacturer Bombardier, Stanford University, and the University of California, among others.
In early April 2021, Clop threat actors tried to extort RaceTrac Petroleum, another Accellion victim. RaceTrac is an Atlanta-based company that operates more than 650 retail gasoline convenience stores in 12 southeastern states. According to a statement made on RaceTrac’s website, the Clop threat actors gained access to some of the company’s Rewards Loyalty users’ data: “By exploiting a previously undetected software vulnerability, unauthorized parties were able to access a subset of RaceTrac data stored in the Accellion File Transfer Service, including email addresses and first names of some of the company’s RaceTrac Rewards Loyalty users.”
“We feel that the Clop ransomware gang is particularly lethal because not only do they encrypt companies’ and organizations’ critical data, causing many to temporarily shut down their operations, but they go to great lengths to extort ransom payments from their victims by notifying the victim company’s customers, partners and employees of the breach and by publishing sensitive data of the victim company’s employees, such as driver’s licenses, passports, correspondence containing mailing addresses, annual salaries, etc.,” said Rob McLeod, Sr. Director of the TRU team. “Any threat actor can go down to the underground and view these documents on the Clop website, and potentially use this sensitive data for their own cyber scams.”
Clop made headlines in 2021 for their tactic of combing through victims’ stolen data, retrieving contact information for the company’s customers and partners, and then emailing them to urge them to make the victim company pay the ransom. Clop operators’ emails typically say that the recipient is being contacted because they are a customer of the victim organization, and that their personal data, including phone numbers, email addresses, and financial information, will soon be leaked on a Dark Web site if the company does not pay the ransom. The note below was published by security reporter Brian Krebs and is said to be a message sent to a RaceTrac rewards member. (See Image 1.)
Image 1: Note from the Clop ransomware gang to a member of the RaceTrac rewards club.