Ukrainian police have arrested six members of the Clop ransomware gang, which has attempted to extort organisations around the world, including an NSW government agency.
Officers searched 21 premises in Kyiv where they made arrests and seized computers, cars, and around $250,000 in cash.
“It was established that six defendants carried out attacks of malicious software such as ‘ransomware’ on the servers of American and Korean companies,” the Ukrainian National Police said in a statement.
“They demanded a ‘ransom’ for decrypting the data, and in case of non-payment, they threatened to disclose the confidential data of the victims.”
Footage from the raids shows police forcing entry on multiple properties, making arrests and counting cash.
Officers from the South Korean National Police were also in attendance during the crackdown.
Police estimate the damage caused by the gang exceeds $660 million.
As well as deploying ransomware, Clop exploited a vulnerability in the Accellion File Transfer Appliance (FTA), the flaw behind the breaches of the Australian Securities and Investments Commission (ASIC) and the Reserve Bank of New Zealand.
Clop also targeted Transport for NSW through the Accellion flaw and dumped hundreds of gigabytes of stolen data on its dark web leak site in an attempt to extort the state’s transport agency.
Clop’s dark web leak site remains online – including the Transport for NSW files – despite international law enforcement celebrating its members’ arrests.
The Clop leak site is still online featuring data stolen from organisations around the world.
Security firm Intel 471 said it understood the Ukrainian arrests were “limited to the group’s cash-out/money laundering operation”.
“We do not believe that any core actors behind Clop were apprehended, due to the fact they are probably in Russia,” Intel 471 said.
“The overall impact to Clop is expected to be minor, although this law enforcement attention may result in the Clop brand being abandoned as we’ve recently seen with other ransomware groups like DarkSide and Babuk.”
DarkSide was the group behind the Colonial Pipeline attack which caused severe disruptions to the US petrol supply chain and disbanded shortly after the incident brought heightened scrutiny to ransomware groups.
The US was able to retrieve most of the 75-bitcoin payment Colonial Pipeline made to DarkSide and has pointed the finger directly at Russia for allegedly harbouring cyber criminals.
Cyber security was high on the agenda last week when US President Joe Biden met with Russian President Vladimir Putin at a summit in Geneva.
Biden warned Putin that critical infrastructure was off limits for Kremlin hackers.
“I pointed out to him that we have significant cyber capability, and he knows it,” Biden said.