
News broke earlier today that six members of the Clop (Cl0p) ransomware gang were arrested in Kiev, Ukraine, and in surrounding towns by the Cyber Police Department of the National Police of Ukraine, working in cooperation with law enforcement officials from South Korea (the Republic of Korea) and the United States. eSentire’s security research team, the Threat Response Unit (TRU), confirmed the arrests from a report on the official website of the Ukrainian police. According to the police report, along with arresting the six members, the police seized a Tesla, a Mercedes, the equivalent of $185,000 USD in cash, and computer equipment. The report also states that the authorities were able to shut down the IT infrastructure (servers) used by the Clop group. The police report went on to state that the six persons arrested could face up to eight years in prison for their part in the ransomware schemes, which are estimated to have caused $500 million in total damages.
As of 1 p.m. EST, Clop’s leak/blog site is still up and running on the underground. On the site, they claim to have compromised 57 companies in total and 39 since January 1, 2021. Recent victims they claim to have compromised include a $3.3 billion pharmaceutical company out of India. This would not be off-target for Clop, since they hit ExecuPharm, a Pennsylvania-based subsidiary of the U.S. biopharmaceutical giant Parexel, in 2020. ExecuPharm provides clinical trial management tools for biopharmaceutical companies.
Clop also compromised multimillion-dollar California company Utility Trailer Manufacturing, one of the largest U.S. producers of trailers for the trucking industry. When listing Utility Trailer Manufacturing on their leak site in April, they offered as proof of the breach a variety of employee files containing sensitive data. Utility Trailer confirmed the breach. Clop also lists on their leak site the supermarket chain Foodland. According to one news outlet, an email was sent to Foodland customers stating: “buyers, partners, employees, and owners of Foodland that confidential information such as names, addresses, social security numbers, phone numbers, and email was stolen.” Lawyers for Foodland Supermarkets Ltd. issued, on April 23, 2021, notification of a data breach due to a ransomware attack, which was said to have occurred on April 3, 2021. Foodland is Hawaii’s largest locally owned and operated grocery retailer. The chain has 33 stores and more than 2,600 employees. Interestingly, Clop claimed on their blog/leak site that Foodland was one of their victims prior to Foodland going public with the news on April 23. The Clop gang also claims to have recently hit a regional law firm out of Maryland.
The Clop attacks began in February 2019 and rose to prominence in October 2020, when the Clop operators became the first group to demand a ransom of more than $20 million. The victim, the German tech firm Software AG, refused to pay.
Several of Clop’s 2021 victims are reported to be the result of the supply chain attack against Accellion, a company that provides a file transfer application to companies around the world. It is not known if the Clop gang was behind the cyberattack against Accellion or if the Clop operators were given access to the data by the Accellion hackers. However, it is very interesting how this particular ransomware gang got access to the data of so many customers of Accellion. Clop claims to have gotten their hands on data from Dutch oil giant Royal Shell, security company Qualys, U.S. bank Flagstar, global law firm Jones Day, University of Colorado, University of Miami, Canadian jet manufacturer Bombardier, Stanford University, and the University of California, among others.
In early April 2021, Clop threat actors tried to extort RaceTrac Petroleum, another Accellion victim. RaceTrac is an Atlanta-based company that operates more than 650 retail gasoline convenience stores in 12 southeastern states. According to a statement made on RaceTrac’s website, the Clop threat actors gained access to some of the company’s Rewards Loyalty users’ data: “By exploiting a previously undetected software vulnerability, unauthorized parties were able to access a subset of RaceTrac data stored in the Accellion File Transfer Service, including email addresses and first names of some of the company’s RaceTrac Rewards Loyalty users.”
“We feel that the Clop ransomware gang is particularly lethal because not only do they encrypt companies’ and organizations’ critical data, causing many to temporarily shut down their operations, but they go to great lengths to extort ransom payments from their victims by notifying the victim company’s customers, partners and employees of the breach and by publishing sensitive data of the victim company’s employees, such as driver’s licenses, passports, correspondence containing mailing addresses, annual salaries, etc.,” said Rob McLeod, Sr. Director of the TRU team. “Any threat actor can go down to the underground and view these documents on the Clop website, and potentially use this sensitive data for their own cyber scams.”
Clop made headlines in 2021 for their tactic of culling through victims’ stolen data and retrieving contact information for the company’s customers and partners, then emailing them urging them to make the victim company pay the ransom. Clop operators’ emails typically say that the recipient is being contacted because they are a customer of the victim organization, and their personal data, including phone numbers, email addresses, and financial information, will soon be leaked on a Dark Web site if the company does not pay the ransom. The note below was published by security reporter Brian Krebs and is said to be a message sent to a RaceTrac rewards member. (See image 4.)
Image 1: Note from the Clop ransomware gang to a member of the RaceTrac rewards club.