INTERPOL is still on the hunt for two suspected members of the Clop ransomware gang after making multiple arrests in the summer following a 30-month operation, it has revealed.
In an update on Operation Cyclone, the law enforcement agency said that the two Red Notices had been circulated to all 194 member countries around the world following a request from Korean investigators.
The operation was launched after Clop attacks on Korean companies and US academic institutions, although six of the suspects were arrested in Ukraine in June. Stanford University School of Medicine, the University of Maryland and the University of California are thought to have been among the victims.
It was coordinated from INTERPOL’s Singapore Cyber Fusion Centre, with threat intelligence provided by private partners Trend Micro, CDI, Kaspersky, Palo Alto Networks, Fortinet and Group-IB, as well as two little-known Korean players, S2W LAB and KFSI.
The operation enabled Ukrainian police to search over 20 houses, businesses and vehicles, seize property, computers and $185,000 in cash, and arrest the six suspects.
However, they’re not thought to be central characters in the Clop ransomware gang. According to INTERPOL, they helped to launder and cash out the group’s assets and threatened victims with data leaks if ransom payments were not made.
“Despite spiralling global ransomware attacks, this police-private sector coalition saw one of global law enforcement’s first online criminal gang arrests, which sends a powerful message to ransomware criminals, that no matter where they hide in cyberspace, we will pursue them relentlessly,” said INTERPOL’s director of cybercrime, Craig Jones.
Law enforcers have been on something of a roll recently, disrupting the notorious REvil and Egregor groups earlier in the year.
Then, at the end of October, Europol revealed that it had targeted 12 threat actors thought to have used the LockerGoga, MegaCortex and Dharma variants or laundered money for those groups.