21 February 2020

Croatia’s largest petrol station chain joins list of victims of ransomware attacks


A security incident described as "a cyber-attack" has disrupted some business operations at INA Group, Croatia's biggest oil company and its largest petrol station chain. According to the company’s security notice, the attacks began around 10 pm local time on February 14, 2020, and crippled the operations of some IT systems, affecting the ability to issue invoices, new mobile vouchers and new electronic vignettes, as well as to accept loyalty cards.

“Market supply is secure. Sales at our retail locations continue unhindered. All payments are secure, regardless of whether they are cash, INA or bank card,” the company said.

INA, d.d. is a Croatian multinational oil company with the Hungarian MOL Group and the Croatian Government as its biggest shareholders, while a minority of shares is owned by private and institutional investors.

While the company has not disclosed additional details of the intrusion, according to ZDNet, which first brought attention to the news, “the cyber-attack is a ransomware infection that infected and then encrypted some of the company's backend servers”. According to a source familiar with the matter, the CLOP ransomware strain is suspected to be the culprit of the incident. Although INA has not confirmed CLOP's involvement in the attack, recent open-source reporting supports this theory. For example, hours before INA reported being infected, a Sophos malware analyst reported a new malware server going live and actively distributing a version of the CLOP ransomware.

Also, this week researchers spotted new versions of the CLOP ransomware on VirusTotal, one of which includes code to uninstall "McAfee Endpoint Security Platform".

The CLOP ransomware is designed to encrypt data and rename each file by appending the ".Clop" extension. Following successful encryption, CLOP generates a text file ("ClopReadMe.txt") and places a copy in every existing folder. The text file contains a ransom-demand message.
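The file artifacts described above can be turned into a quick triage check. The following is an added example, not part of the original article or any vendor tool: it walks a directory tree and reports folders holding the "ClopReadMe.txt" note or files renamed with the ".Clop" extension. The case-insensitive matching, the function names and the sample tree are assumptions made for illustration.

```python
import os
import sys
import tempfile

NOTE_NAME = "clopreadme.txt"  # ransom note name from the article, lower-cased
ENC_SUFFIX = ".clop"          # appended extension from the article, lower-cased


def scan_tree(root):
    """Return {directory: {"note": bool, "encrypted": [file names]}} for each
    directory under root that holds a ransom note or a renamed file."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):  # does not follow symlinks
        note = any(f.lower() == NOTE_NAME for f in files)
        encrypted = sorted(f for f in files if f.lower().endswith(ENC_SUFFIX))
        if note or encrypted:
            hits[dirpath] = {"note": note, "encrypted": encrypted}
    return hits


def summarize(hits):
    """Directories with both artifacts go in "strong"; a note alone (folder had
    nothing to rename) or a .clop file alone (may be unrelated) go in "weak"."""
    strong = sorted(d for d, h in hits.items() if h["note"] and h["encrypted"])
    weak = sorted(d for d in hits if d not in strong)
    total = sum(len(h["encrypted"]) for h in hits.values())
    return {"strong": strong, "weak": weak, "encrypted_files": total}


def build_sample_tree(root):
    """Constructed sample data: empty files named like the artifacts."""
    layout = {
        "finance": ["q4.xlsx.Clop", "invoices.db.Clop", "ClopReadMe.txt"],
        "finance/archive": ["ClopReadMe.txt"],
        "public": ["index.html"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for name in names:
            open(os.path.join(root, sub, name), "w").close()


if __name__ == "__main__":
    if len(sys.argv) > 1:  # scan a path given on the command line
        result = summarize(scan_tree(sys.argv[1]))
    else:                  # otherwise demonstrate on the constructed tree
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_tree(tmp)
            result = summarize(scan_tree(tmp))
    print(result)
```

File names are only a first-pass signal, since both the extension and the note name can change between variants.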

The CLOP ransomware was first spotted in February of 2019. Initially, it was just a CryptoMix ransomware variant that had many features common to other types of malware. However, in March, the ransomware changed its tactics and began disabling services for Microsoft Exchange, Microsoft SQL Server, MySQL and other enterprise software. In November, a new variant of the ransomware emerged that tried to disable Windows Defender on local machines so that it could remain undetected after future signature updates.
