Luxury cars and $100 bills: Police bust ransomware gang in Ukraine


Police in Ukraine said Wednesday they arrested members of a major ransomware gang.

The arrests mark the first time a law enforcement agency has announced a mass arrest of a prolific hacker group that had extorted Americans by either encrypting an organization's files or threatening to leak them to the public. 

The gang, known as Cl0p, has hacked a number of American targets, including the University of Miami, Florida, Stanford University, University of Maryland, and University of Colorado, demanding a payment to either keep their systems functional or to not publish material they were able to steal.

The bust comes as ransomware has gone from a quietly pervasive cybersecurity problem to a broadly discussed national security issue, thanks to a series of high-profile attacks that have threatened to cripple some U.S. supply chains.

Ukrainian police officers have conducted 21 searches at the homes of defendants in the Kyiv region. (Photo via National Police of Ukraine)

Ukraine's announcement coincided with President Joe Biden's meeting with Russian President Vladimir Putin in Geneva. Biden is expected to press Putin to take action against ransomware hackers who operate with impunity within Russia's borders.

Ransomware has become a significant problem in the United States. Recent ransomware attacks briefly hobbled the Colonial Pipeline, shutting down the country's largest fuel pipeline for five days, and JBS, one of the country's largest meat suppliers.

The majority of the most prolific ransomware gangs are believed to operate in Eastern Europe, and Russia in particular.

Ukraine's cyber police announced they had arrested six people involved with Cl0p, and seized a number of computers, cars and about 5 million Ukrainian hryvnia ($185,000) in cash.

A video released by Ukrainian authorities showed heavily armed officers descending on what appeared to be residences and seizing everything from stacks of cash and computers to luxury cars.

Though Cl0p wasn't the most prolific ransomware gang, it still hacked dozens of targets, mostly in the U.S. and South Korea, since becoming operational in the summer of 2020, said Allan Liska, a ransomware analyst at the cybersecurity company Recorded Future.

"While they weren’t considered a top-tier ransomware actor, their methods were fairly sophisticated," he said.
