The hackers are demanding 1,580 Bitcoins, amounting to $10.9M/€9.9M, from the victim of their ransomware attack.
Energy companies represent one of the most mission-critical businesses in an economy and naturally, their security is of paramount importance. But, as with every system, they can also be compromised. This is exactly what happened a couple of days ago when an energy giant was hit by a devastating ransomware attack.
Energias de Portugal (EDP), a Portuguese electric company that is a European energy giant present in 19 countries and the 4th largest wind producer globally, with 11 million customers, was attacked by the Ragnar Locker ransomware.
Claiming to have stolen over 10 terabytes of data, the attackers are demanding 1,580 Bitcoins, amounting to $10.9M/€9.9M, or they will leak the data.
A post on the website of Ragnarok, the group behind the ransomware attack (sorry, Thor fans), stated:
“Below just a couple of files and screenshots from your network only as a proof of possession! At this moment the current post is temporary, but it could become a permanent page and also we will publish this Leak in Huge and famous journals and blogs, also we will notify all your clients, partners and competitors. So it depends on you to make it confidential or public!”
Here is a full preview of the post on the group’s website, which is only accessible via the Tor browser:
Although the majority of the data remains undisclosed at the moment, a few files have been leaked to signify the seriousness of their demands. One such file is named edpradmin2.kdb, a database of the KeePass password manager, which contains the login credentials, accounts, URLs and notes of EDP employees (KeePass databases are encrypted with a master key, so the contents are only exposed if that key is weak or was also compromised).
This is dangerous since this data could be used to launch sophisticated spearphishing attacks on the company’s 11,000+ employees in the future, not to mention the current threat at hand.
The attack was discovered by MalwareHunterTeam, who found the ransomware sample used in it.
Forgot to write yesterday: as frequently happens, in this case too the actors were in the victim's network for some time before running the RW. Obviously we can't tell from when they were in EDP's network, but it looks like they already had some amount of files stolen on the 6th this month…
— MalwareHunterTeam (@malwrhunterteam) April 15, 2020
Separately, BleepingComputer found the ransom note (shown below) and the exact page on the dark web where the ransom payment details were given.
As seen from the note, the attackers warn the company against using any third-party decryption software or even trying to modify the files, as this would result in the loss of their files. They also elaborate on the data stolen, which includes transactions, billing, contracts, clients and partners. Further, a description is given of the process to get in touch with the attackers.
To conclude, we haven’t received an official response from EDP itself, so it is unclear how they will proceed. “If you will contact us within 2 days since get penetrated – you can get a very SPECIAL PRICE.” says the note.
With the amount of data under threat, EDP might well take up that offer considering the potential impact of the leak. As for the ransomware’s history, the group has attacked managed service providers in the past and demanded huge sums, going up to $600,000, which shows that they are not new to this dirty game.