A week after Ukrainian police arrested criminals affiliated with the notorious Cl0p ransomware gang, Cl0p has published a fresh batch of what’s purported to be confidential data stolen in a hack of a previously unknown victim. Ars won’t be identifying the possibly victimized company until there is confirmation that the data and the hack are genuine.
If genuine, the dump shows that Cl0p remains intact and able to carry out its nefarious actions despite the arrests. That suggests that the suspects don’t include the core leaders but rather affiliates or others who play a lesser role in the operations.
The data purports to be employee records, including verification of employment for loan applications and documents pertaining to workers whose wages have been garnished. I was unable to confirm that the information is genuine and that it was, in fact, taken during a hack on the company, although web searches showed that names listed in the documents matched names of people who work for the company.
Company representatives didn’t respond to a phone call seeking comment. Cl0p members didn’t respond to emails sent to addresses listed on the group’s site on the dark web.
An existential threat
For almost a decade, ransomware has grown from a costly inconvenience into an existential threat that can shut down hospitals and disrupt gasoline and meat supplies. Under pressure from the Biden administration, the US Justice Department is prioritizing federal ransomware cases. Biden also raised concerns with Russian President Vladimir Putin about the proliferation of ransomware attacks from Russian-speaking groups, such as Cl0p.
Last week’s apprehension by Ukrainian police of six people affiliated with Cl0p was seen as a coup in some circles because it marked the first time a national law enforcement group has carried out mass arrests involving a ransomware group. But as Wired reporter Lily Hay Newman observed, the crackdown is unlikely to ease the ransomware epidemic until Russia itself follows suit.
identify potential corporate victims. In many cases, the campaigns use data stolen from existing victims to better trick customers, partners, or vendors into thinking that a malicious email is benign.
The ability of Cl0p to post leaked documents following last week’s arrests suggests that the suspects weren’t core members and instead were either affiliates or, as Intel 471 told security reporter Brian Krebs, “limited to the cash-out and money laundering side of CLOP’s business only.” And that means the fight against this group and the Internet scourge it’s a part of will continue for the foreseeable future.