E-Land Retail Ransomware Attack

E-Land Retail, a subsidiary of the E-Land Group conglomerate, announced on 23 November 2020 that it had suffered a massive ransomware attack on its headquarters servers one day earlier. The company was forced to shut down the server in response, disrupting operations for 23 of its 50 retail outlets and businesses.

This continues the growing trend of multi-million dollar ransomware attacks perpetrated over the last decade.

Ransomware attacks typically rely on spreading as quickly and wildly as possible in the hopes of claiming more victims. However, E-Land claims its customer data is safe and unaffected as it’s stored on a separate server.

As per Chang-Hyun Seok, CEO of E-Land Retail – “Although this ransomware attack caused some damage to the company’s network and systems, customer information and sensitive data are encrypted on a separate server. It is in a safe state because it is managed”


He further added:
“Currently, all employees of E-Land Retail and affiliates are striving to quickly recover damage and normalize business. Most branches across the country have the first emergency measures.
Basic sales activities are possible.

“We are responding thoroughly to avoid additional damage and customer inconvenience. We will notify you of the restoration progress in the future.”

To date, E-Land has not released official estimates of what the hack has cost them in damages. However, despite assurances, Clop ransomware’s authors claimed to have stolen over 2 million credit card details from the hack over a period of 12 months. This raises concerns over how long E-Land’s servers have been compromised.

Who and what was responsible for the attack?

The E-Land ransomware attack has been attributed to the Clop ransomware hacker group that has perpetrated a number of high-profile attacks. Clop has been known to the security industry since February 2019. It’s considered to be a new and more dangerous variant of the well-known CryptoMix ransomware.

The malware gained notoriety when it demanded a 20 million ransom after successfully infiltrating the German firm, Software AG.

It mainly targets enterprise systems where it attempts to encrypt all files (using the RSA algorithm) and then demand ransoms for the decryption key. Files are appended with the “.crop” file extension and a “ClopReadMe.txt” file with instructions is placed in each affected folder.
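The ransom note dropped into each affected folder is a useful detection signal. The following is an added example, not code from the original article: it scans file-creation events for a single process writing “ClopReadMe.txt” into several folders within a short window. The log format, the process names and the thresholds are assumptions, and the sample events are constructed.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators exactly as the article states them; adjust to the sample at hand.
NOTE_NAME = "clopreadme.txt"
ENC_EXT = ".crop"

# Constructed file-creation events (time|process image|created path), not real telemetry.
# Process names and paths are hypothetical.
SAMPLE_EVENTS = r"""
2024-01-01T03:14:05|C:\Users\Public\svc_update.exe|D:\Shares\Finance\q3.xlsx.crop
2024-01-01T03:14:06|C:\Users\Public\svc_update.exe|D:\Shares\Finance\ClopReadMe.txt
2024-01-01T03:14:20|C:\Users\Public\svc_update.exe|D:\Shares\HR\roster.docx.crop
2024-01-01T03:14:21|C:\Users\Public\svc_update.exe|D:\Shares\HR\ClopReadMe.txt
2024-01-01T03:15:02|C:\Users\Public\svc_update.exe|D:\Shares\Ops\ClopReadMe.txt
2024-01-01T03:16:00|C:\Windows\explorer.exe|C:\Users\kim\Desktop\ClopReadMe.txt
2024-01-01T09:30:00|C:\Program Files\Editor\edit.exe|C:\Users\kim\Pictures\banner.crop
"""

def parse(text):
    """Yield (timestamp, process image, created path) from the pipe-delimited log."""
    for line in text.strip().splitlines():
        ts, image, path = line.split("|", 2)
        yield datetime.fromisoformat(ts), image.lower(), path.lower()

def detect(events, min_dirs=3, window=timedelta(minutes=5)):
    """Flag processes that drop the ransom note in >= min_dirs folders within window."""
    notes = defaultdict(list)   # process -> [(time, folder)]
    renamed = defaultdict(int)  # process -> files created with the appended extension
    for ts, image, path in events:
        folder, name = ntpath.split(path)
        if name == NOTE_NAME:
            notes[image].append((ts, folder))
        elif name.endswith(ENC_EXT):
            renamed[image] += 1
    alerts = {}
    for image, drops in notes.items():
        drops.sort()
        for i, (start, _) in enumerate(drops):
            # Distinct folders that received a note within the window starting here.
            dirs = {d for t, d in drops[i:] if t - start <= window}
            if len(dirs) >= min_dirs:
                alerts[image] = {"note_dirs": sorted(dirs), "encrypted_files": renamed[image]}
                break
    return alerts

if __name__ == "__main__":
    for image, hit in detect(parse(SAMPLE_EVENTS)).items():
        print(image, hit)
```

A single note copied to a desktop or an unrelated file that happens to end in the same extension does not trigger an alert; only the multi-folder burst from one process does.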

Although its modus operandi is similar to other ransomware, it did utilize new and unknown techniques. One was signing its packages so that they appear legitimate to anti-malware programs. Clop has already been observed in various versions using new certificates to bypass security solutions once the previous certificate was revoked.

The virus also makes use of a number of other advanced techniques to avoid detection. It can even start/stop certain Windows processes and disable anti-virus software.