S ome operations at INA Group, Croatia’s biggest oil company, and its largest petrol station chain were disrupted by a cyber attack.

A ransomware attack has disrupted operations at INA Group, Croatia’s biggest oil company, and its largest petrol station chain.

INA, d.d. is a stock company with the Hungarian MOL Group and the Croatian Government as its biggest shareholders, while a minority of shares is owned by private and institutional investors.

The company was not able to issue invoices and accept loyalty cards as a result of the attack that took place last Friday, on February 14, at 22:00, local time.

“The INA Group is under cyber-attack, which began around 10 pm on February 14, 2020, causing problems in the operation of certain IT systems, which can occasionally affect normal operation, such as issuing mobile phone vouchers, electronic vignettes, paying utility bills.” reads a security breach notice published by the company on its website. “Market supply is secure. Fuel sales at our retail locations continue unhindered. All payments are secure, whether it is a cash payment, an INA card or a bank card. INA is taking steps to remedy the system’s hassle.”

After the security breach, the company was still able to provide petrol fuel to its customers and to handle payments.

“Multiple sources have told ZDNet the cyber-attack is a ransomware infection that infected and then encrypted some of the company’s backend servers.” states ZDNet that first reported the issue.

“It did, however, impact its ability to issue invoices, register loyalty card use, issue new mobile vouchers, issue new electronic vignettes, and allow customers to pay gas utility bills (INA is also a natural gas provider in Croatia).”

The company announced it was working to restore all systems.

ZDNet, citing a source familiar with the incident, speculates the involvement of CLOP ransomware in the attack.

This family of ransomware involved in the attack was also spotted by researcher Vitali Kremez in December 2019. The malware targets Windows systems and attempts to disable security products running on the infected systems.

The malicious code executes a small program, just before starting the encryption process, to disable security tools running on the infected systems that could detect its operations.

The Clop ransomware also attempted to disable the Windows Defender by configuring the registry values associated with this defense feature

Pierluigi Paganini