Delaware, USA – February 21, 2020 – Croatia’s largest petrol station chain and biggest oil company, INA Group, was hit by a cyberattack on Friday, February 14. Ransomware encrypted some of the company’s backend servers, impacting its ability to register loyalty card use, allow customers to pay gas utility bills, issue invoices, issue new mobile vouchers, and issue new electronic vignettes. Fortunately, the company didn’t lose the ability to provide petrol fuel and handle payments. The INA Group apologizes to its customers for any inconvenience this situation may have caused and promises to inform them in due time of further developments.
According to ZDNet’s article, the ransomware strain used in this attack is Clop ransomware, which was first discovered a year ago and is actively used in attacks against European organizations by the TA505 group. Other evidence also points to Clop ransomware’s involvement: shortly before the attack, researchers discovered a new command-and-control server associated with this strain, and new Clop samples were uploaded to VirusTotal last week. In addition to changing the ransom note, the attackers “taught” the malware to disable the McAfee Endpoint Security Platform and Malwarebytes Anti-Ransomware tools. The previous update, on New Year’s Eve, allowed the ransomware to terminate up to 633 processes, including text editors, terminal software and Windows apps. You can learn more about the TA505 group and the techniques it uses in the MITRE ATT&CK section on Threat Detection Marketplace: https://tdm.socprime.com/att-ck/