Members of the notorious FIN11 (Clop) ransomware gang have been arrested today by the Ukrainian police in conjunction with Interpol and law enforcement from the US and South Korea.
In a statement published today, the Ukrainian police revealed it has arrested six people alleged to be part of the financial cybercrime gang FIN11, which is believed to be behind many high-profile cyber-attacks. These include the attacks exploiting vulnerabilities in Accellion’s FTA product earlier this year, which enabled the gang to access the systems of aircraft manufacturer Bombardier.
In the statement, the police outlined its belief that the six suspects “carried out ransomware-type malware attacks on the servers of US and Korean companies.” This includes encrypting personal data of employees and financial reports of the Stanford University School of Medicine, the University of Maryland and the University of California.
The police added that it had seized cash, cars, and a number of Apple Mac laptops and desktops alongside the arrests. It stated: “Through the joint efforts of law enforcement officers, it was possible to stop the operation of the infrastructure from which the virus is spreading and block the channels for the legalization of cryptocurrencies obtained by criminal means.”
The announcement is the latest in several recent successes for law enforcement agencies in countering cyber-criminal gangs. For example, earlier this month, the US Department of Justice revealed it managed to seize around $2.3m of the $4.4m in cryptocurrency paid to the Darkside gang by Colonial Pipeline following the ransomware attack on the fuel transportation company in May.
Security experts such as Kim Bromley, a senior cyber threat intelligence analyst at Digital Shadows, recognize the significance of these arrests: “On 16 Jun 2021, Ukrainian police announced the arrest of individuals and the takedown of infrastructure related to the ‘Clop’ ransomware. This activity comes in the aftermath of increased pressure from law enforcement and governments on ransomware groups, following recent attacks on critical national infrastructure in the US. Clop ransomware has been active since February 2019 and targets large organizations for big game hunting. Despite partaking in the ever-popular double-extortion tactic, Clop’s reported activity level is relatively low when compared with the likes of ‘REvil’ (aka Sodinokibi) or ‘Conti’.
“Earlier in the year, the ‘Ziggy’ ransomware shut down its operation, citing increased scrutiny from law enforcement as the reason. This week, the ‘Avaddon’ ransomware also appears to have ceased operations. Seemingly, the consistent pressure from law enforcement on these threat groups is beginning to have a positive impact.”
John Hultquist, VP of analysis, Mandiant Threat Intelligence, outlined: “The Cl0p operation has been used to disrupt and extort organizations globally in a variety of sectors including telecommunications, pharmaceuticals, oil and gas, aerospace and technology. The actor FIN11 has been strongly associated with this operation, which has included both ransomware and extortion, but it is unclear if the arrests included FIN11 actors or others who may also be associated with the operation.
“The arrests made by Ukraine are a reminder that the country is a strong partner for the US in the fight against cybercrime, and authorities there are making the effort to deny criminals a safe harbor. This is especially relevant as President Biden and Putin discuss the state of cyber-threats emanating from Russia, including the ransomware threat, which has increasingly threatened critical infrastructure and the everyday lives of people around the world.”