Threat Group Siphoned Payment Cards All Year, Finishes with Ransomware Attack
Cybercriminals claimed responsibility for harvesting two million credit cards from retailer E-Land. In addition, the hackers further compromised the company with a ransomware attack which shut down some retail stores.
Threat actors from TA505 claimed responsibility for stealing 2 million credit cards from South Korean retailer E-Land. The attackers infected the retailer’s point-of-sale (POS) system with malware that went undetected for the entire year.
The attackers then ended their credit card nicking malware campaign with a ransomware attack in November. The attackers used Clop ransomware which forced E-Land to shut down 23 retail locations.
No customer data was compromised in the ransomware attack.
The threat group behind Clop ransomware is tracked by security researchers as TA505. The Russian cybercriminals are also tracked by the monikers of sector J04 GROUP, GRACEFUL SPIDER, and GOLD TAHOE.
“Over a year ago, we hacked their network, everything is as usual,” the group told Bleeping Computer. “We thought what to do, installed POS malware and left it for a year.”
Clop ransomware is a variant of CryptoMix ransomware. The ransomware encrypts the victim’s files using .clop file extensions. Another sign the clap ransomware is behind an attack is the use of the text “Dont Worry C|0P” in ransomware messages.
This ransomware also attempts to disable systems protected by Windows Defender and remove Microsoft Security Essentials to avoid detection.
In October 2019, the TA505 threat group attacked Germany’s second-largest software vendor, Software AG, with ransomware. Employees’ personal information and confidential files from the company’s internal network were compromised. The attackers demanded more than $20M USD in ransom to release control of the encrypted data.
TA505 Is also the same threat group responsible for Dridex banking Trojan and Locky ransomware as well as the Philadelphia and GlobeImposter ransomware families. They have attacked enterprise organizations in the United States, Germany, India, Mexico, Russia, and Turkey.
The attackers use a common high-pressure tactic to coerce the victim into paying the ransom. TA505 released potions of the compromised Software AG data on the dark web to force them into paying. Ultimately, the company fixed the issue themselves and did not pay the ransom.