{
	"id": "071ac2e3-26bb-4c04-8316-f2e892a90566",
	"created_at": "2026-04-06T01:31:51.447588Z",
	"updated_at": "2026-04-10T03:30:21.140822Z",
	"deleted_at": null,
	"sha1_hash": "0cf515cb2c1d34e9ca681266de528aef55ab7f78",
	"title": "Global Operations Lead to Arrests of Alleged Members of GandCrab REvil and Cl0p Cartels",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58023,
	"plain_text": "Global Operations Lead to Arrests of Alleged Members of\r\nGandCrab REvil and Cl0p Cartels\r\nBy Trend Micro ( words)\r\nPublished: 2021-11-16 · Archived: 2026-04-06 01:02:09 UTC\r\nA total of 13 suspects believed to be members of two prolific cybercrime rings were arrested as a global coalition\r\nacross five continents involving law enforcement and private partners, including Trend Micro, sought to crack\r\ndown on big ransomware operators.\r\nAbout the GandCrab/REvil arrests\r\nAccording to a report by Interpolopen on a new tab, the global operation, which was conducted by 19 law\r\nenforcement agencies in 17 countries, led to the apprehension of seven suspects linked as “affiliates” or partners\r\nof GandCrab/REvil. The group is a prominent ransomware network deemed responsible for more than 7,000\r\nattacks since early 2019.\r\nCode-named Quicksand (GoldDust), the operation was a collaboration between Interpol, Europol, law\r\nenforcement agencies, and private firms. Each contributed to the four-year-long investigations by sharing\r\ninformation and technical expertise.\r\nREvilnews- cybercrime-and-digital-threats (aka Sodinokibi) and GandCrab, believed to be operated by the same\r\nindividuals, offer ransomware-as-a-service (Raas), renting out ransomware code to other cybercriminals. 
Set up\r\nwith groups known as affiliates, the scheme includes intrusions into companies, deployment of ransomware, and\r\ndemand for ransom, after which profits are shared with the rest of the coders.\r\nA report by Europol estimates that over €200 million in ransom demands had been made\r\ncollectively since 2019 by the seven suspects from all the attacks that were carried out.\r\nThe formidable global coalition enabled the following:\r\nKorean law enforcement’s arrest of three suspects in February, April, and October\r\nKuwaiti authorities’ arrest of a man who allegedly carried out ransomware attacks using the GandCrab\r\nransomware\r\nRomanian authorities’ arrest of two individuals suspected of ransomware cyberattacks and linked to more\r\nthan 5,000 infections and half a million euros in ransom payments\r\nThe arrest of a man suspected of deploying the Kaseya ransomware attack, thought to have been done in\r\nJuly 2021 by the REvil group with more than 1,500 people and 1,000 businesses affected worldwide\r\nTrend Micro’s monitoring of GandCrab/REvil\r\nTrend Micro has kept a close eye on this malware family since as early as 2018, when we reported the discovery\r\nof GandCrab v4.3, which targeted South Korean users through spam emails.\r\nThe spam emails used EGG (.egg) files to deliver the GandCrab v4.3 ransomware (detected by Trend Micro as\r\nRansom_GANDCRAB.TIAOBHO). EGG is a compressed archive file format (similar to ZIP) that is commonly\r\nused in South Korea. Evidence indicated that the attack was aimed toward South Korean users for its use of\r\nHangul in the subject, body, and attachment file name of the spam emails.\r\nIn 2019, Trend Micro announced another noteworthy GandCrab ransomware attack, also in South Korea. 
Spam\r\nemails made the rounds with the subject “SHIPPED ORDER INCORRECT.” The messages posed as shipping\r\norder notifications from a known courier delivery service company and were designed to dupe the recipients into\r\nopening the email attachment. As with the first attack, the email body was written in Korean and contained a RAR\r\nattachment that supposedly contained information on the parcel.\r\nAbout the Cl0p arrest\r\nAnother milestone for the global public-private alliance aimed at dismantling cybercrime rings is the arrest of six\r\nsuspected members of the ransomware group Cl0p, following a 30-month joint investigation into attacks against\r\nSouth Korean companies and US academic institutions.\r\nThe task force, acted on the request by South Korea’s cybercrime investigation division, enabled the arrest of\r\nalleged gang members in Ukraine. The operation involved Interpol, Europol, and law enforcement authorities in\r\nSouth Korea, Ukraine, and the US in June.\r\nCodenamed Operation Cyclone, it had global police pursuing the Cl0p malware operators in Ukraine for allegedly\r\ntargeting private businesses in South Korea and the US. Interpolopen on a new tab reports that Cl0p’s attacks\r\nimpeded access to their computer files and networks, and subsequently demanded huge ransoms for restoring\r\naccess.\r\nThe suspects allegedly facilitated the transfer and cash-out of assets on the ransomware group’s behalf while\r\nthreatening to release sensitive data to the public if demands for additional payments were declined. The six\r\nsuspects are believed to be closely connected to a Russian-language cybercrime network known for naming and\r\nshaming its victims on a Tor leak site and, more notably, for amassing more than US$500 million in funds related\r\nto several ransomware attacks. 
Cl0p’s activities target essential infrastructures and industries, such as\r\ntransportation and logistics, education, manufacturing, energy, financial, aerospace, telecommunications, and\r\nhealthcare.\r\nOperation Cyclone was deployed with assistance and information given by Trend Micro and other private\r\ncybersecurity firms. The synergy in intelligence gathering enabled the Ukrainian police to search more than 20\r\nhouses, businesses, and vehicles, and seize property, computers, and cash amounting to US$185,000.\r\nTrend Micro’s monitoring of Cl0p\r\nTrend Micro Research has written extensively about Cl0p and other ransomware actors as it helps\r\norganisations to effectively deal with ransomware attacks.\r\nCl0p (unstylised as Clop) first became known as a variant of the CryptoMix ransomware family. In 2020, the\r\ngroup behind Cl0p publicised the data of a pharmaceutical company in its maiden attempt at the\r\ndouble extortion scheme. Since then, the group’s extortion tactics have become increasingly sophisticated and thus\r\nmore destructive.\r\nOperators hold their target organisation under duress by sending out emails to initiate negotiations. If messages are\r\nignored, they threaten to publicise and auction off stolen data on the data leak site “Cl0p^_-Leaks”. In addition,\r\nCl0p ransomware operators employ other extortion techniques, such as going after top executives\r\nand customers to pressure companies to pay up.\r\nDefending networks and systems from ransomware\r\nThwarting ransomware requires collaborative efforts from both law enforcement agencies and private companies\r\nlike cybersecurity vendors. 
For its part, Trend Micro has been collaborating with law enforcement agencies to\r\nprovide them with threat intelligence needed to aid in their investigations in order to combat ransomware and\r\nother cyberthreats.\r\nThere is no doubt that ransomware will persist as a significant security threat, one that is expected to multiply and\r\nadvance in complexity. As we’ve seen, ransomware rapidly evolves into an even more destructive threat. To\r\nprotect networks and systems from ransomware, organisations and users are advised to follow these best practices:\r\nAvoid downloading attachments and clicking on links in emails from unverified sources.\r\nRegularly patch and update operating systems, programmes, and software.\r\nPeriodically back up files by observing the 3-2-1 rule: Create at least three copies of the data,\r\nstore it in two different formats, and keep at least one duplicate off-site.\r\nFollow security frameworks such as those set by the Centre of Internet Security and\r\nthe National Institute of Standards and Technology to reduce overall risk levels and\r\nexposure to threats and vulnerabilities that ransomware operators may use.\r\nAs threat actors are always waiting for the opportunity to pounce on the next victim, investing in cross-layered\r\ndetection and response solutions can save organisations a lot of headache and expense. Trend Micro Vision One™️\r\nwith Managed XDR services is a cybersecurity platform that provides visibility into the early activities of modern\r\nransomware attacks to help detect and block ransomware components so that attacks are thwarted even before\r\ncybercriminals are able to exfiltrate sensitive data.\r\nSource: https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html"
	],
	"report_names": [
		"global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1db21349-11d6-4e57-805c-fb1e23a8acab",
			"created_at": "2022-10-25T16:07:23.630365Z",
			"updated_at": "2026-04-10T02:00:04.694622Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"Chubby Scorpius",
				"DEV-0950",
				"Lace Tempest",
				"Operation Cyclone"
			],
			"source_name": "ETDA:FIN11",
			"tools": [
				"AZORult",
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"BLUESTEAL",
				"Cl0p",
				"EMASTEAL",
				"FLOWERPIPE",
				"FORKBEARD",
				"FRIENDSPEAK",
				"FlawedAmmyy",
				"GazGolder",
				"Get2",
				"GetandGo",
				"JESTBOT",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MINEDOOR",
				"MIXLABEL",
				"Meterpreter",
				"NAILGUN",
				"POPFLASH",
				"PuffStealer",
				"Rultazo",
				"SALTLICK",
				"SCRAPMINT",
				"SHORTBENCH",
				"SLOWROLL",
				"SPOONBEARD",
				"TiniMet",
				"TinyMet",
				"VIDAR",
				"Vidar Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439111,
	"ts_updated_at": 1775791821,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0cf515cb2c1d34e9ca681266de528aef55ab7f78.pdf",
		"text": "https://archive.orkl.eu/0cf515cb2c1d34e9ca681266de528aef55ab7f78.txt",
		"img": "https://archive.orkl.eu/0cf515cb2c1d34e9ca681266de528aef55ab7f78.jpg"
	}
}