The Clop ransomware group is at it again. On Thursday, the gang claimed that it stole 2 million credit cards from South Korean retailer E-Land over a one-year period, in a campaign that culminated with a ransomware attack on the company’s headquarters in November.
Operators of Clop ransomware reportedly said that they were responsible for the November attack that forced E-Land — a subsidiary of E-Land Global — to shut down 23 of its New Core and NC Department Store locations.
But the group had infiltrated the organization long before that, and was already stealing data before the attack using point-of-sale (POS) malware it had installed on the network, operators said in a Bleeping Computer interview posted Thursday.
“Over a year ago, we hacked their network, everything is as usual,” the group told Bleeping Computer. “We thought what to do, installed POS malware and left it for a year.”
The group claimed that the company did not suspect it was leaking data and seemed taken by surprise by the Clop ransomware attack on Nov. 22, which forced E-Land to suspend operations at nearly half of its stores in South Korea, according to the report.
In a statement posted on its website the day of the attack, E-Land acknowledged that a ransomware attack against the company’s headquarters server not only forced some store closures but also caused some damage to E-Land’s network and systems. E-Land immediately shut down the server to prevent further damage, the company said.
However, customer information and sensitive data were safe from the attack because these “are encrypted on a separate server,” the company said at the time. “It is in a safe state because it is managed.”
E-Land said it began working with authorities immediately after the attack to recover from the damage, and that the investigation and recovery are ongoing.
The Clop ransomware gang was first discovered in February 2019 by MalwareHunterTeam and since then has been a persistent threat with a particularly potent modus operandi. Clop uses a tactic called “double extortion,” which means it steals the data and then if the victim doesn’t meet ransom demands, dumps it on underground criminal forums for anyone to access.
The group’s last major known attack happened in October, when it targeted Software AG, a German conglomerate with operations in more than 70 countries, and demanded a massive $23 million ransom, threatening to dump stolen data if the company didn’t pay.
In April, the Clop gang struck biopharmaceutical company ExecuPharm and reportedly leaked some of the company’s compromised data on cybercriminal forums after the ransom went unpaid.
Clop and other ransomware groups such as Conti, Ragnar Locker, Maze and others have been taking major advantage of the move to a remote workforce during the COVID-19 pandemic.
Security holes plague many organizations that were unprepared for the move, and threat actors have been attacking vulnerable systems and zero-day flaws with abandon.
The threat is so great that ransomware and subsequent extortion tactics by cybercriminals are among the leading threats on the horizon for 2021, largely due to the fallout from the pandemic, researchers from Kaspersky said in a predictive report posted last week.
Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back.
Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows, and other security experts, on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 LIVE webinar.