Ukrainian police arrest a hacker group after stealing $500M from companies in South Korea and the US

Cyber Police in together with the National Police, law enforcement officers of the Republic of Korea and the United States of America, exposed a hacker group that stole $500 million from companies in South Korea and the United States.

As noted by the Ministry of Internal Affairs, with the help of the ransomware Clop, the hacker group encrypted the data from the Korean and the United States companies and later demanded money to restore access to files.

How the hacker group worked

The Cyber Police found that six defendants carried out attacks of malicious software such as ‘ransomware’ on the servers of American and South Korean companies. They demanded a ransom for decrypting the data, and in case of non-payment, they threatened to disclose the victims’ confidential data.

The hackers sent out emails with a malicious file, after opening which the program carried out a complete infection of the victims’ computers with the remotely controlled program Flawed Ammyy RAT. Using remote access, the hackers activated the Cobalt Strike malicious software, which provided information about the vulnerabilities of the infected servers for further exploitation.

Thus, in 2019, four Korean companies were attacked by the Clop ransomware virus. As a result, 810 internal servers and personal computers of employees were blocked. Also, in 2021, the defendants carried out an attack and encrypted the personal data of employees and financial reports of the Stanford University School of Medicine, the University of Maryland, and the University of California.

Unlike common ransomware attacks, which encrypt large numbers of unidentified personal computers and servers, these attacks targeted a specific victim’s computer network and infected the entire system. The total amount of losses is $500 million.

Law enforcement officers seized about UAH 500,000 in cash

As part of the criminal proceedings, law enforcement officers conducted 21 searches in the defendants’ homes and cars in Kyiv and nearby regions. Computer equipment, cars, about UAH 500,000 in cash, and the property were seized from the suspects.

The criminal proceedings have been opened under Part 2 of Art. 361 (Unauthorized interference with computers, automated systems, computer networks or telecommunication networks) and Part 2 of Art. 209 (Legalization (laundering) of property obtained by criminal means) of the Criminal Code of Ukraine. The defendants face up to eight years in prison. Investigation activities are ongoing.