{
	"id": "2c2aa084-e482-4bef-9f9e-97737b110c48",
	"created_at": "2026-04-06T01:31:16.097622Z",
	"updated_at": "2026-04-10T03:36:36.626934Z",
	"deleted_at": null,
	"sha1_hash": "0b8d1ba6fdbd590112bdbf5b44d06ba9f2c81081",
	"title": "Ukrainian Police Nab Six Tied to CLOP Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 697195,
	"plain_text": "Ukrainian Police Nab Six Tied to CLOP Ransomware\r\nPublished: 2021-06-16 · Archived: 2026-04-06 00:07:46 UTC\r\nAuthorities in Ukraine this week charged six people alleged to be part of the CLOP ransomware group, a\r\ncybercriminal gang said to have extorted more than half a billion dollars from victims. Some of CLOP’s victims this year\r\nalone include Stanford University Medical School, the University of California, and University of Maryland.\r\nA still shot from a video showing Ukrainian police seizing a Tesla, one of many high-end vehicles seized in this week’s\r\nraids on the Clop gang.\r\nAccording to a statement and videos released today, the Ukrainian Cyber Police charged six defendants with various\r\ncomputer crimes linked to the CLOP gang, and conducted 21 searches throughout the Kyiv region.\r\nFirst debuting in early 2019, CLOP is one of several ransomware groups that hack into organizations, launch\r\nransomware that encrypts files and servers, and then demand an extortion payment in return for a digital key needed to\r\nunlock access.\r\nCLOP has been especially busy over the past six months exploiting four different zero-day vulnerabilities in File\r\nTransfer Appliance (FTA), a file sharing product made by California-based Accellion.\r\nThe CLOP gang seized on those flaws to deploy ransomware to a significant number of Accellion’s FTA customers,\r\nincluding U.S. grocery chain Kroger, the law firm Jones Day, security firm Qualys, and the Singaporean telecom giant\r\nSingtel.\r\nLast year, CLOP adopted the practice of attempting to extract a second ransom demand from victims in exchange for a\r\npromise not to publish or sell any stolen data. Terabytes of documents and files stolen from victim organizations that\r\nhave not paid a data ransom are now available for download from CLOP’s deep web site, including Stanford, UCLA and\r\nthe University of Maryland.\r\nCLOP’s victim shaming blog on the deep web.\r\nIt’s not clear how much this law enforcement operation by Ukrainian authorities will affect the overall operations of the\r\nCLOP group. Cybersecurity intelligence firm Intel 471 says the law enforcement raids in Ukraine were limited to the\r\ncash-out and money laundering side of CLOP’s business only.\r\n“We do not believe that any core actors behind CLOP were apprehended, due to the fact that they are probably living in\r\nRussia,” Intel 471 concluded. “The overall impact to CLOP is expected to be minor although this law enforcement\r\nattention may result in the CLOP brand getting abandoned as we’ve recently seen with other ransomware groups like\r\nDarkSide and Babuk” [links added].\r\nWhile CLOP as a moneymaking collective is a fairly young organization, security experts say CLOP members hail from a\r\ngroup of Threat Actors (TA) known as “TA505,” which MITRE’s ATT\u0026CK database says is a financially motivated\r\ncybercrime group that has been active since at least 2014. “This group is known for frequently changing malware and\r\ndriving global trends in criminal malware distribution,” MITRE assessed.\r\nSource: https://krebsonsecurity.com/2021/06/ukrainian-police-nab-six-tied-to-clop-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://krebsonsecurity.com/2021/06/ukrainian-police-nab-six-tied-to-clop-ransomware/"
	],
	"report_names": [
		"ukrainian-police-nab-six-tied-to-clop-ransomware"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439076,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0b8d1ba6fdbd590112bdbf5b44d06ba9f2c81081.pdf",
		"text": "https://archive.orkl.eu/0b8d1ba6fdbd590112bdbf5b44d06ba9f2c81081.txt",
		"img": "https://archive.orkl.eu/0b8d1ba6fdbd590112bdbf5b44d06ba9f2c81081.jpg"
	}
}