Clop ransomware gang exfiltrated credit card data from a major South Korean retailer E-Land for more than a year before executing a surprise ransomware attack on the company.
The group installed POS malware on the retailer’s server and stole more than 2 million credit card records before executing the November 22 attack that forced E-Land to shut down 23 store locations.
Headquartered in Changjeon-dong, Mapo-gu, Seoul, E-Land Retail is a subsidiary of E-Land Global. The retailer operates several outlets globally and in South Korea, including the New Core and NC Department Store affected by the attack.
Clop ransomware gang exfiltrated 2 million credit card details using POS malware
The cybercrime gang took responsibility for the ransomware attack that forced E-Land to shut down multiple outlets.
However, the ransomware operator had maintained persistence on the company’s systems for more than a year. Operators of Clop ransomware reportedly installed POS malware that exfiltrated over 2 million credit card details before executing the ransomware attack, according to BleepingComputer.
“Over a year ago, we hacked their network, everything is as usual,” the Clop gang told BleepingComputer. “We thought what to do, installed POS malware, and left it for a year.”
According to the attackers, E-Land did not suspect that POS malware was leaking data from its systems before the Nov 22 ransomware attack.
POS malware scans the memory of POS terminals during transactions. Once it detects credit card details, the POS malware copies the data as either Track 1 or Track 2 data before posting it to the hackers’ command-and-control servers.
Details exfiltrated from E-Land’s servers
The Clop POS malware stole credit card numbers and expiration dates but failed to capture CVVs. Thus, the attackers could not use the stolen card details to complete fraudulent online transactions. Instead, they could create counterfeit cards to defraud brick-and-mortar stores.
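As an added, defender-side example that is not part of the original article: a Python scanner that checks a captured memory buffer or dump for cleartext Track 1/Track 2 records of the kind the paragraphs above describe, so a responder can tell whether card data is being held unprotected in process memory. The buffer and the 4111... test card number are constructed sample data; the layouts follow ISO 7813, and neither track encodes the printed CVV, which is why track data yields numbers and expiry dates but not CVVs.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# ISO 7813 track layouts. Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?  Neither track carries the printed CVV.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{2})(\d{2})(\d{3})([^?]*)\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})([^?]*)\?")

@dataclass
class TrackHit:
    track: int
    pan_masked: str   # first 6 and last 4 digits only; a scanner must never log the full PAN
    expiry: str       # MM/YY
    name: Optional[str]

def luhn_ok(pan: str) -> bool:
    """Luhn check: filters out digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track_data(buf: bytes) -> List[TrackHit]:
    """Return every Luhn-valid Track 1/Track 2 record found in a captured buffer."""
    hits: List[TrackHit] = []
    for m in TRACK1_RE.finditer(buf):
        pan, name, yy, mm = (g.decode() for g in m.group(1, 2, 3, 4))
        if luhn_ok(pan):
            hits.append(TrackHit(1, mask_pan(pan), f"{mm}/{yy}", name))
    for m in TRACK2_RE.finditer(buf):
        pan, yy, mm = (g.decode() for g in m.group(1, 2, 3))
        if luhn_ok(pan):
            hits.append(TrackHit(2, mask_pan(pan), f"{mm}/{yy}", None))
    return hits
# Constructed sample buffer (not real data): one Track 1 and one Track 2 record using the
# well-known 4111... test PAN, plus a decoy whose PAN fails Luhn and must not be reported.
SAMPLE_DUMP = (
    b"\x00\x00TXN_BEGIN\x00%B4111111111111111^DOE/JANE^25121011234567890?\x00"
    b"\x00;4111111111111111=25121011234567890?\x00"
    b"\x00;4111111111111112=2512101?\x00TXN_END\x00"
)
if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_DUMP):
        print(hit)
```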
E-Land acknowledged the attack in a statement posted the day the Clop ransomware attack was reported. The retailer also clarified that sensitive customer details were safe because they were encrypted on a separate server.
Additionally, E-Land contacted the law enforcement authorities and opened an investigation into the breach.
Clop ransomware among the most potent threats
MalwareHunterTeam first detected Clop ransomware, a more potent variant of CryptoMix, in February 2019. Since then, Clop ransomware has targeted several companies in Germany, India, Mexico, Russia, Turkey, and the United States.
The Clop ransomware gang operates on the “double extortion” strategy, leaking the stolen data on underground hacking forums if the victims refuse to pay.
In April, the threat actor compromised ExecuPharm and reportedly leaked the stolen data when the biotech firm ignored its ransom demands.
The Clop ransomware gang also targeted the German tech behemoth Software AG in October 2020. The operators demanded a $23 million ransom, threatening to dump stolen data if the ransom was not paid.
Clop ransomware, alongside Conti, Ragnar Locker, Maze, and other threat actors, has been aggressively targeting remote workers during the COVID-19 work-from-home period.
Commenting on E-Land’s ransomware attack, Bill Santos, President and COO of Cerberus Sentinel, said:
“E-Land’s approach to data security, on top of a secure perimeter strategy, is an essential part of a complete security strategy. It is naïve to assume you’ll keep all attackers out of your environment; you should build a data security model that assumes external penetration, yet protects critical and confidential data with another level of security and response.”