{
	"id": "134fcb12-934c-42c8-9a31-5fe5d60503c6",
	"created_at": "2026-04-06T00:18:28.21444Z",
	"updated_at": "2026-04-10T03:36:36.668134Z",
	"deleted_at": null,
	"sha1_hash": "df241dc20054cd8ef53e709e0d69d2b5644eb061",
	"title": "Ukrainian police arrest Clop ransomware members, seize server infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 490253,
	"plain_text": "Ukrainian police arrest Clop ransomware members, seize server\r\ninfrastructure\r\nBy Catalin Cimpanu\r\nPublished: 2022-12-10 · Archived: 2026-04-05 22:22:32 UTC\r\nMultiple suspects believed to be linked to the Clop ransomware cartel have been detained in Ukraine this week\r\nafter a joint operation from law enforcement agencies from Ukraine, South Korea, and the US.\r\nThe arrests, reported today by the Ukraine National Police and the country's Cyber Police division, come after\r\nauthorities conducted searches at 21 residences in Kyiv, the country's capital, and nearby regions.\r\nFollowing the operation, authorities reported that they successfully shut down server infrastructure used by the\r\ngang members to launch past attacks.\r\nComputers, smartphones, and server equipment were seized, together with 5 million Ukrainian hryvnias\r\n($185,000), which authorities believe were obtained from ransoming companies across the world.\r\nSeveral expensive cars, such as Tesla, Mercedes, and Lexus models, were also seized from the gang members'\r\nhomes.\r\nhttps://therecord.media/ukrainian-police-arrest-clop-ransomware-members-seize-server-infrastructure/\r\nPage 1 of 4\n\nAuthorities said they arrested six members of the Clop group, but did not expand on their role in the overall Clop\r\ngang structure. 
If found guilty, the suspects face up to eight years in prison.\r\nA short history of Clop\r\nPrior to today's arrests, incidents with the Clop ransomware have been documented as early as February 2019.\r\nThe gang is what security researchers would call a \"big-game hunter,\" a term that describes ransomware groups\r\nthat go only after large IT networks rather than home consumers.\r\nAcross its more than two years of activity, the Clop gang has breached many large corporations and demanded\r\npayments of up to tens of millions of US dollars per victim.\r\nIf companies refused to pay, the Clop gang would resort to a double-extortion tactic and threaten to leak victims'\r\ndata on a dark web \"leak portal.\" The leak site is still up and running at the time of writing.\r\nA November 2020 Fox-IT report claimed the Clop gang had close ties to a malware distribution group known as\r\nTA505, which would often allow the gang's members to deploy Clop ransomware strains on computers previously\r\ninfected with the SDBbot malware.\r\nA February 2021 FireEye report also claimed the Clop gang appears to have struck a deal with the FIN11\r\ncybercrime group, allowing FIN11 operators to list data the group previously stole from hacked Accellion FTA\r\nfile-sharing devices.\r\nClop's South Korean victims get their revenge\r\nThe arrests come in investigations that started back in 2019 when the Clop ransomware gang breached four South\r\nKorean companies and encrypted their files, asking for huge payouts.\r\nSources close to the investigation have told The Record that South Korean police ramped up its investigation into\r\nthe gang last year after the Clop gang infected the network of South Korean e-commerce giant E-Land in\r\nNovember 2020, forcing the Korean company to close almost half of its stores.\r\nIn a rare practice, South Korean police officers were 
physically present during the raids on Clop suspects this\r\nweek, something that is customarily left to local law enforcement agencies.\r\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: https://therecord.media/ukrainian-police-arrest-clop-ransomware-members-seize-server-infrastructure/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://therecord.media/ukrainian-police-arrest-clop-ransomware-members-seize-server-infrastructure/"
	],
	"report_names": [
		"ukrainian-police-arrest-clop-ransomware-members-seize-server-infrastructure"
	],
	"threat_actors": [
		{
			"id": "6728f306-6259-4e7d-a4ea-59586d90a47d",
			"created_at": "2023-01-06T13:46:39.175292Z",
			"updated_at": "2026-04-10T02:00:03.236282Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"TEMP.Warlock",
				"UNC902"
			],
			"source_name": "MISPGALAXY:FIN11",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3f42c8f4-2cf1-4555-abff-b19852033aec",
			"created_at": "2023-11-08T02:00:07.099084Z",
			"updated_at": "2026-04-10T02:00:03.41336Z",
			"deleted_at": null,
			"main_name": "TA499",
			"aliases": [
				"Vovan",
				"Lexus"
			],
			"source_name": "MISPGALAXY:TA499",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1db21349-11d6-4e57-805c-fb1e23a8acab",
			"created_at": "2022-10-25T16:07:23.630365Z",
			"updated_at": "2026-04-10T02:00:04.694622Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"Chubby Scorpius",
				"DEV-0950",
				"Lace Tempest",
				"Operation Cyclone"
			],
			"source_name": "ETDA:FIN11",
			"tools": [
				"AZORult",
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"BLUESTEAL",
				"Cl0p",
				"EMASTEAL",
				"FLOWERPIPE",
				"FORKBEARD",
				"FRIENDSPEAK",
				"FlawedAmmyy",
				"GazGolder",
				"Get2",
				"GetandGo",
				"JESTBOT",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MINEDOOR",
				"MIXLABEL",
				"Meterpreter",
				"NAILGUN",
				"POPFLASH",
				"PuffStealer",
				"Rultazo",
				"SALTLICK",
				"SCRAPMINT",
				"SHORTBENCH",
				"SLOWROLL",
				"SPOONBEARD",
				"TiniMet",
				"TinyMet",
				"VIDAR",
				"Vidar Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434708,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/df241dc20054cd8ef53e709e0d69d2b5644eb061.pdf",
		"text": "https://archive.orkl.eu/df241dc20054cd8ef53e709e0d69d2b5644eb061.txt",
		"img": "https://archive.orkl.eu/df241dc20054cd8ef53e709e0d69d2b5644eb061.jpg"
	}
}