INA Group ransomware attack

On the evening of 14 February 2020, INA Group — Croatia's largest oil company and operator of its biggest petrol-station chain — was struck by a ransomware attack that encrypted several of its backend IT servers. INA is majority-influenced by Hungary's MOL Group and the Croatian government as its two largest shareholders.

What happened

At roughly 22:00 local time, the Clop ransomware encrypted parts of INA's corporate infrastructure. Clop, first seen in 2019, was actively deployed against European organizations by the financially-motivated threat group TA505. The malware is known to disable security products — including Windows Defender — by altering registry values before it begins encrypting files.

The attack hit back-office systems rather than the point-of-sale terminals that handle fuel purchases. As a result, INA stressed that customers could still buy fuel and pay with cash, INA cards, and bank cards at its stations.

Impact

The encryption knocked out a range of customer-facing and administrative services:

Loyalty-card registration and use
Invoice issuance
Mobile-phone voucher sales
Electronic vignette (motorway toll sticker) issuance
Gas-utility bill payments

INA said it was "taking steps to remedy" the disruption and worked to restore the affected systems. The company did not publicly confirm a ransom demand or whether any payment was made.

Why it matters

The INA incident was a prominent example of ransomware striking critical energy infrastructure in Central and Eastern Europe, and it illustrated a recurring lesson: even when operational technology and payment rails stay online, the loss of back-office IT — billing, loyalty, vouchers, statutory e-vignettes — degrades a national-scale service and erodes customer trust.

It also fit the broader TA505 / Clop campaign that targeted large European enterprises in 2019-2020, foreshadowing the group's later pivot to data-theft-plus-extortion tactics, most notably the mass exploitation of the MOVEit file-transfer tool in 2023. For Croatia, the attack on a strategically important, partly state-owned energy company sharpened government and industry attention on protecting essential services against ransomware.

Timeline

February 14, 2020

At around 22:00 local time, Clop ransomware encrypts several of INA Group's backend servers.

February 15, 2020

INA confirms a cyberattack disrupted parts of its business and says fuel sales and payment processing continue normally.

February 15, 2020

Loyalty-card registration, invoice issuance, mobile-voucher sales, e-vignette issuance and gas-utility bill payments are disrupted.

February 24, 2020

INA continues remediation as researchers attribute the attack to the Clop strain associated with the TA505 group.

Sources

securityaffairs.comhttps://securityaffairs.com/98203/malware/ina-group-ransomware-attack.html

socprime.comhttps://socprime.com/news/ransomware-attack-stymies-operations-of-ina-group/

cybersecurity-help.czhttps://www.cybersecurity-help.cz/blog/957.html

businessinsurance.comhttps://www.businessinsurance.com/article/20200224/STORY/912333193/Croatias-largest-oil-firm-suffers-cyber-attack

Related incidents

RansomwareRansom paidJuly 23, 2020

Garmin WastedLocker ransomware (Evil Corp)

Evil Corp deployed the WastedLocker ransomware against Garmin, taking flyGarmin aviation services, Garmin Connect, and inReach satellite messaging offline for five days. Garmin paid an estimated $10M ransom despite OFAC sanctions on Evil Corp.

Victim: Garmin Ltd.
Loss: $30.0M

RansomwareRansom paidDecember 23, 2019

Maastricht University Clop ransomware (Netherlands, 2019)

TA505 used Clop ransomware to encrypt 267 Maastricht University servers over Christmas 2019 after two phishing emails on 15–16 October had compromised the network. The university paid 30 BTC (~$220,000). The ransom Bitcoin — later seized from a money mule — was returned and had appreciated, leaving the university ahead by ~$300,000.

Victim: Maastricht University
Loss: $220.0K

RansomwareResolvedSeptember 7, 2020

K-Electric NetWalker ransomware attack

NetWalker ransomware crippled the billing and online systems of Karachi's sole electricity supplier and demanded a $3.85 million ransom that would double to $7.7 million; when K-Electric refused, the gang dumped an 8.5 GB archive of stolen data online.

Victim: K-Electric

RansomwareUnknownApril 21, 2026

Engie: a cyberattack claimed by a ransomware group

In April 2026, the Coinbase Cartel extortion group listed French energy giant Engie on its dark web leak site, claiming to have stolen sensitive data and threatening to publish a full dump unless a ransom was paid; Engie did not publicly confirm the breach.

Victim: Engie