Watch Now


Ransomware gang behind Utility, CSX attacks feels heat in Ukraine

Police arrest 6 alleged members of Clop, shut down infrastructure

Ukrainian and South Korea police at the home of an alleged member of the Clop ransomware gang. (Photo: National Police of Ukraine)

Ukrainian police have dealt a serious blow to the ransomware gang behind the cyberattacks in the U.S. transportation and logistics sector  — including the trailer maker Utility and rail operator CSX — arresting six alleged members of Clop and seizing cash, computers and cars.

The National Police of Ukraine said Wednesday it made the arrests as part of an operation with U.S. and South Korean law enforcement and Interpol. Beyond nabbing the alleged cybercriminals, police said they shut down the infrastructure used to stage the attacks. 

Clop’s attacks have cost its victims about $500 million, police said. The hackers targeted companies across the world — and publicly acknowledged many of its attacks through a leak site. It extorted companies through their initial attacks and the threat of leaking stolen data. 

Footage of Ukrainian and South Korea police raiding the homes of alleged members of the Clop ransomware gang.

The ransomware gang attempted to extort California-based Utility Trailer Manufacturing in May by leaking 5 gigabytes of stolen data to the dark web. In March, Clop took a similar approach with CSX Corp. (NASDAQ:CSX), leaking data that included personal information about current and former employees.


Clop also targeted Canadian fuel distributor Parkland. In addition, it claimed that it attacked Canadian trucking firm Boutin Express and Minnesota truck dealership Allstate Peterbilt, though neither company responded to requests for comments about the apparent attacks. 

It’s unclear if the operation, which included 21 raids in Ukraine’s capital, Kyiv, succeeded in shutting down Clop. The group’s dark web leak site was still online as of Wednesday morning.

It comes as international law enforcement turns on the heat on the criminals behind ransomware attacks. Last week, the U.S. Department of Justice announced it had seized most of the ransom paid to members of DarkSide by Colonial Pipeline. 

Click for more FreightWaves articles by Nate Tabak


Nate Tabak

Nate Tabak is a Toronto-based journalist and producer who covers cybersecurity and cross-border trucking and logistics for FreightWaves. He spent seven years reporting stories in the Balkans and Eastern Europe as a reporter, producer and editor based in Kosovo. He previously worked at newspapers in the San Francisco Bay Area, including the San Jose Mercury News. He graduated from UC Berkeley, where he studied the history of American policing. Contact Nate at ntabak@freightwaves.com.