Ukrainian police reported uncovering a group of hackers who used ransomware software to extort money from foreign businesses, mainly in the United States and South Korea.

Authorities claim that hackers used Cl0p encryption software to decipher stolen data and demanded ransom for the access key.

According to the police, suspects used double-extorsion, and victims were threatened their data would be leaked in case of not complying with the ransom demand.

Ukrainian police estimate that six suspects carried out an attack in 2019, which affected 810 computers in an unnamed South Korean firm. Threat actors used ‘Flawedammyy RAT’ software for the hack.

A video of the operation, published by Ukranian authorites.

Suspects are accused of attacking and encrypting personal data of Stanford University Medical School, the University of Maryland, and the University of California.

Police estimated that total damages stand at around $500 million. It is yet unclear whether anyone was actually arrested during the operation which Ukrainian police carried out together with authorities from the US and South Korea.

Ukrainian authorities also claim that the local cyber police managed to shut down the infrastructure from which the virus spreads and blocked channels for legalizing ransom payments in cryptocurrencies.

21 searches were conducted in the vicinity of the capital city of Kyiv, suspects houses and vehicles were searches. Over $180 thousand in cash held in Ukrainian currency were confiscated by the police.

‘Cl0p’ ransomware group is considered a ‘big game hunter’ attacker due to their volume. Without previously mentioned target, the group and its affiliates are credited to have carried out attacks against oil giant Shell, US bank Flagstar and others.

The group is a member of a larger conglomerate named ‘TA505’ and groups like ‘F1N11’ use ransomware ‘Cl0p’ developed malicious software .

Ukrainian law enforcement does not disclose whether suspects are members or only affiliates of the gang. It is only stated that the suspects were using ‘Cl0p’ malicious software.

, Cl0p affiliated hackers exposed in Ukraine, $500 million in damages estimated
Cash found after conducting at least 21 searches. Image source.

Ransomware gold rush

Recent months were no short of large scale ransomware attacks. Attacks against Colonial Pipeline and meatpacker JBS were dominating the news for several weeks.

Research by CyberNews shows that criminal groups to expand, actively recruiting new employees. Our researcher even tricked ransomware operators into revealing the payout structure, cash-out schemes, and target acquisition strategies.

Ransomware groups advertise online, claiming the successful candidate would get up to 80% of any successfully paid ransom. Criminals could even prove they have $1 million worth of bitcoin in one of their digital wallets.

The group our researcher tried to infiltrate is the Russia-linked cyber gang Ravil, also going by the name Sodinokibi. The same group is likely responsible for the disruption of JBS operations in the US, slaughtering plants for a day after the attack.

JBS later admitted to paying $11 million worth of bitcoin to put an end to the attack. According to the FBI, the company says that JBS has fallen victim to ‘specialized and sophisticated cybercriminal groups in the world.’


More from CyberNews:

Cybersecurity veteran: people in cyber feel like they are in a pressure cooker 24/7

Ransomware gold rush: why now?

The rise of makeshift ransomware: what is Epsilon Red and should you worry about it?

Is paying ransomware the worst strategy?

Million-dollar deposits and friends in high places: how we applied for a job with a ransomware gang

Subscribe to our newsletter