{
	"id": "f5c2cda0-6836-4b6f-9229-e0cf6c4415cd",
	"created_at": "2026-04-06T00:20:03.563359Z",
	"updated_at": "2026-04-10T03:20:35.565695Z",
	"deleted_at": null,
	"sha1_hash": "fd8079f872d7696e6ff7d212bfbc214a34f8a115",
	"title": "Clop ransomware is back in business after recent arrests",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3213803,
	"plain_text": "Clop ransomware is back in business after recent arrests\r\nBy Lawrence Abrams\r\nPublished: 2021-06-23 · Archived: 2026-04-05 13:22:40 UTC\r\nThe Clop ransomware operation is back in business after recent arrests and has begun listing new victims on their data leak\r\nsite again.\r\nLast week, a law enforcement operation conducted by the National Police of Ukraine, the Korean National Police Agency,\r\nand the USA led to the arrest of Clop Ransomware gang members.\r\nA video shared by the Ukrainian police shows law enforcement searching homes and seizing property, including 500 million\r\nUkrainian hryvnias (approximately $180,000), computer equipment, documents, and high-end cars, such as Tesla and\r\nMercedes.\r\nIn a press release, the Ukrainian police described the arrests as a significant blow against the operation and its money\r\nlaundering of ransom payments.\r\n\"Together, law enforcement has managed to shut down the infrastructure from which the virus spreads and block channels\r\nfor legalizing criminally acquired cryptocurrencies,\" said the press statement.\r\nClop reawakens\r\nWhile the Clop operation lay low for about a week, the ransomware gang sprang back into action yesterday after\r\nreleasing the data for two new victims on their ransomware data leak site.\r\nAs explained by cybersecurity firm Intel 471, the continued ransomware operation is likely because last week's arrests\r\ntargeted the money laundering portion of the operation and the core members were not apprehended.\r\n\"The law enforcement raids in Ukraine associated with CLOP ransomware were limited to the 
cash-out/money laundering\r\nside of CLOP's business only,\" Intel 471 said at the time of the arrests.\r\n\"We do not believe that any core actors behind CLOP were apprehended and we believe they are probably living in Russia.\r\n\"The overall impact to CLOP is expected to be minor although this law enforcement attention may result in the CLOP brand\r\ngetting abandoned as we've recently seen with other ransomware groups like DarkSide and Babuk.\"\r\nWhile Clop is back in action, law enforcement operations have dealt numerous blows to ransomware groups this year by\r\ntargeting affiliates and the infrastructure that fuels the criminal activities.\r\nEarlier this year, Bulgarian police seized servers belonging to the Netwalker ransomware, and Ukrainian police arrested\r\nEgregor ransomware members. Both ransomware operations shut down after the law enforcement action.\r\nMore recently, the FBI arrested a developer for the notorious TrickBot trojan responsible for developing a new ransomware\r\noperation.\r\nWho is Clop?\r\nThe Clop ransomware gang has been operating since March 2019, when it first began targeting the enterprise using a variant\r\nof the CryptoMix ransomware.\r\nClop will gain an initial foothold on a corporate computer to perform their attacks and then slowly spread throughout the\r\nnetwork while stealing data and documents. 
When they have harvested everything of value, they will deploy the ransomware\r\non the network to encrypt its devices.\r\nSince then, Clop has been responsible for numerous large-scale ransomware attacks, including those against Maastricht\r\nUniversity, Software AG IT, ExecuPharm, and Indiabulls.\r\nMore recently, Clop had been stealing data from Accellion FTA file transfer devices using a zero-day vulnerability and then\r\nthreatening to release the data if not paid $10 million or more.\r\nSome of the victims of Accellion attacks include energy giant Shell, cybersecurity firm Qualys, Flagstar Bank,\r\nthe University of Miami, and the University of California, to name a few.\r\nThe Ukrainian police estimate that Clop's total damages reach as high as $500 million.\r\nSource: https://www.bleepingcomputer.com/news/security/clop-ransomware-is-back-in-business-after-recent-arrests/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/clop-ransomware-is-back-in-business-after-recent-arrests/"
	],
	"report_names": [
		"clop-ransomware-is-back-in-business-after-recent-arrests"
	],
	"threat_actors": [],
	"ts_created_at": 1775434803,
	"ts_updated_at": 1775791235,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fd8079f872d7696e6ff7d212bfbc214a34f8a115.pdf",
		"text": "https://archive.orkl.eu/fd8079f872d7696e6ff7d212bfbc214a34f8a115.txt",
		"img": "https://archive.orkl.eu/fd8079f872d7696e6ff7d212bfbc214a34f8a115.jpg"
	}
}