Ransomware Attack on EDP (Energias de Portugal)

Hackers demand €10 Million (US $11 Million) for massive amount of EDP’s data that they gained access to.

Cybercriminals have gained access to massive amount of EDP and EDPR’s data and threatened to publish them if their demanded of €10 Million (US $11 Million) is not met. EDP is a Lisbon, Portugal based utility company. EDPR is the renewable energy unit of EDP. Criminals use Ragnar Locker Ransomware to gain access to EDP’s corporate network. According to MSSP Alert Post, the hackers gained access to about 10 terabytes of EDPs data and threatened to either publish or sell them if their demand is not met in 20 days. It is still unknown what steps EDP has taken to investigate the attack or whether they have engaged the Managed Security Service Provider (MSSP) to mitigate the issue. EDP officials have told the local news media reporters that the attack has not affected their energy supply. EDP official has not clarified whether EDP intends to pay the ransom.

What is Ragnar Locker? It is the name of a ransomware-type software that is designed not only to encrypt data but also to terminate installed programs (like ConnectWise and Kaseya) that are commonly used by managed service providers and various Windows services. This ransomware renames encrypted files by appending an extension which contains "ragnar" and a string of random characters. For example, it renames a file named "1.jpg" to "1.jpg.ragnar_0DE48AAB", and so on. Also, it creates a ransom note, a text file. Its name contains the same string of random characters as the appointed extension does. In this case a ransom note would be named "RGNR_0DE48AAB.txt".

In a demand note, posted by Vitali Kremez, head of the Threat Intelligence Consultant at SentinalLabs, in his Twitter account, the hackers wrote, “There is only one possible way to get back your files. Contact us and pay for our special decryption key! For your guarantee we will decrypt 2 of your files for free as proof of our capabilities”. According to the post, the cybercriminals has gained “the most sensitive and confidential” information of EDP’s billing, clients, contacts, partners and transactions, which they threatened to “publish for everyone’s view. If you want to avoid such a harm for your reputation, better pay the amount we are asking for”.

According to James McQuiggan, a Security Awareness Advocate from KnowBe4, told news media that “Ragnar Locker’s general modus operandi is to charge a ransom of 25 bitcoin per system encrypted so by doing the math about 60 systems are involved in this attack. Even though this is a very high demand, it is believed Ragnar Locker knew it landed a big fish.” He also said, “With the current rate of one Bitcoin for about $7,000, it would seem like a very high amount for a consumer or small business trying to pay approximately $175,000 for one system. However, this group knew they got into a large enterprise organization, and whether it could pay or not, a negotiation of one BTC for each system, could still net them about $420,000,” In 2019 EDP has published a net revenue of about $14.5 billion, a number the attacker certainly knew about.

“With the current rate of one Bitcoin for about $7,000, it would seem like a very high amount for a consumer or small business trying to pay approximately $175,000 for one system. However, this group knew they got into a large enterprise organization, and whether it could pay or not, a negotiation of one BTC for each system, could still net them about $420,000,” In 2019 EDP has published a net revenue of about $14.5 billion, a number the attacker certainly knew about.

To make the situation more difficult EDP, the attacker has already published samples of data they have stolen and encrypted, which included a KeyPass password manager database and employee logins. At this point, declining to pay the ransom may not be possible in all cases considering the challenges EDP will have to face because of this. In addition to encrypting data, some hackers may threaten to release victim data on the internet, which will trigger compliance issue for EDP and potential government fines for it.