South Korean retail giant E-Land Retail recently suffered a ransomware attack conducted by the Clop ransomware gang that forced it to shut 23 of its New Core and NC Department Store locations.
On 23rd November, E-Land Retail, which is a subsidiary of the E-Land Group, said it suffered a ransomware attack the previous day that targeted the "E-Land headquarters server" and forced the company to immediately shut down the affected server. This caused a number of retail stores to face operational disruption, the magnitude of which has not been disclosed by the company.
"Although this ransomware attack caused some damage to the company's network and systems, customer information and sensitive data are encrypted on a separate server. It is in a safe state because it is managed," said Chang-Hyun Seok, CEO of E-Land Retail.
"Currently, all employees of E-Land Retail and affiliates are striving to quickly recover from damage and normalize business. Most branches across the country have the first emergency measures. Basic sales activities are possible.
"We are responding thoroughly to avoid additional damage and customer inconvenience. We will notify you of the restoration progress in the future," he added.
Clop ransomware operators exfiltrated 2m credit card details using POS malware as well
Established in 1978, E-Land Retail operates a large number of departmental stores in South Korea and many other countries. Its departmental store brands include NC, New Core Mall, 2001.Outlet, and Donga and the company primarily retails cosmetics, apparel, shoes, books, home appliances, watches, glasses, bags, and a range of digital products.
At present, E-Land Retail operates forty-eight departmental stores in South Korea, including eighteen NC departmental stores, eight 2001.Outlet stores, seventeen NewCore Outlet stores, and five Donga departmental stores.
According to Bleeping Computer, the ransomware attack was launched by the Clop ransomware gang and forced E-Land Retail to "shut down 23 of its New Core and NC Department Store locations". That's not all, for the retailer's servers were, in fact, infiltrated by the ransomware gang over a year ago.
Prior to carrying out the ransomware attack, the Clop ransomware gang quietly infiltrated E-Land Retail's servers and inserted a Point-of-Sale malware in the company's network. This allowed them to exfiltrate about two million credit card details without attracting the company's attention. The details included credit card numbers, expiration dates, and other information but not CVV codes.
"Over a year ago, we hacked their network, everything is as usual. We thought what to do, installed POS malware, and left it for a year. Before the lock, the cards were collected and deciphered, for a whole year the company did not suspect and did nothing," the gang told Bleeping Computer.
Clop a more dangerous variant of the CryptoMix ransomware
This is not the first time that the Clop ransomware has been used to target a large organisation with a telling effect. According to cyber intelligence firm Infoblox, the Clop ransomware gang recently "demanded a 20+ million dollar ransom from one of the largest software companies in the world" and since early 2019, has been targeting large enterprise companies in the US, Germany, India, Mexico, Russia, and Turkey.
"Clop is a relatively new and dangerous variant of CryptoMix ransomware," the firm said, adding that upon execution, the ransomware terminates selected Windows processes and services, disables anti-virus software running on infected devices, exhibits digitally signed executables in an attempt to appear legitimate, and also creates a batch file that is designed to disable Windows startup repair and also remove any shadow volume copies.
"In the endgame, Clop appends the “.Clop” extension to each file and then leaves a ransom note, “ClopReadMe.txt,” in each folder. The Clop ransomware uses the RSA encryption algorithm and keeps keys stored on a remote and hidden server controlled by the Clop threat actors," the firm added.
Commenting on hackers infecting the same organisation with a POS malware as well as the Clop ransomware, Javvad Malik, security awareness advocate at KnowBe4, said many ransomware operators are now taking their time to understand their victim environments, navigating throughout the infrastructure to find valuable information that is worth stealing as well as gaining an understanding of what information is worth encrypting with ransomware, and how much they should charge.
"If the groups claims are to be believed, they had been inside the network for over a year. This is why it's important for organisations to try and prevent criminal gangs entering their environment to begin with by having good technical controls such as perimeter controls, patching software, MFA, and security awareness training amongst others.
"Similarly, it's important to have strong monitoring and threat detection controls in place so that any infiltration can be quickly and reliably detected so that remedial action can be taken," he added.