RagnarLocker Ransomware Hits EDP Energy Giant, Asks For €10M – Experts Comments

As reported by Bleeping Computer, attackers using the Ragnar Locker ransomware have encrypted the systems of Portuguese multinational energy giant Energias de Portugal (EDP) and are now asking for a 1580 BTC ransom ($10.9M or €9.9M). EDP Group is one of the largest European operators in the energy sector (gas and electricity) and the world's 4th largest producer of wind energy. During the attack, the Ragnar Locker operators claim to have stolen over 10 TB of sensitive company files, and they are now threatening to leak all of the stolen data unless the ransom is paid.

8 Expert Comments
Kelvin Murray, Senior Threat Research Analyst (InfoSec Expert)
April 17, 2020 1:10 pm

This tactic of holding the confidentiality of the corporate data itself to ransom is still relatively new, and the energy sector has been a particular target of “big game” ransomware cybercriminals in the last year.

Ransomware criminals look for the most essential services to lock up, as paying a ransom might be considered the safer option than facing the consequences of lost power for millions of people for an indefinite period. These gangs are highly organized and they select their targets wisely. Once they have breached an organization, they look to encrypt as many of the operating systems as possible, and consequently they charge extremely high ransoms, easily running into the millions.

Senior leaders within EDP will currently be working out the potential impact of the release of their confidential data to the business, including the potential loss of credibility, loss of business, intellectual property loss, GDPR fines, and weighing that up against the cost of paying the ransom.

Andrea Carcano, Co-founder and CPO (InfoSec Expert)
April 17, 2020 1:06 pm

Threatening to leak data is becoming increasingly popular among ransomware operators as we have witnessed with DoppelPaymer, Sodinokibi, and now, Ragnar Locker.

In the past, victims had their operations disrupted simply by Data Encrypted for Impact. Today many organisations have strategies in place to respond to such attacks, using backups for instance. For this reason, the most lucrative alternative employed by ransomware operators today is threatening the leak of sensitive data. Criminals are explicitly looking for targets holding sensitive data and the more important the data the more leverage they can exercise on the victims.

The leak of sensitive data can cause a variety of severe consequences for the affected organisation, including loss of intellectual property, which is extremely valuable for those that are R&D-focused, for example. Victim companies also have to deal with the economic and reputational impact of leaks due to data protection regulations, making the attacker's leverage even stronger.

Martin Jartelius, CSO (InfoSec Expert)
April 17, 2020 1:04 pm

It is a situation you would wish for no one to be in, and it is yet again a testament to the need for defense-in-depth, and, where applicable, for not using credentials and permissions in such a way that access in the domain reaches so far so fast. If the claim of 10 TB of exfiltrated data holds true, the exfiltration alone must have been ongoing for a large amount of time.
There are many means by which this could have been detected, responded to and likely also avoided, but there is little value in speculating about that; the best others can do is learn from it and take preventive measures.

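The comment above reasons that moving 10 TB out of a network takes long enough to be detectable. As an added illustration of that point (example code written for this page, not from the commenter or from any EDP investigation), the Python below aggregates flow records into per-host daily egress volume and flags hosts whose outbound volume stays far above their own baseline for several consecutive days. The internal address ranges, the 10x threshold, the three-day minimum run and the sample flow records are all assumptions constructed for the example; the helper at the end only puts a number on how long 10 TB takes to push over a given link.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from statistics import median

GB = 10**9

# Assumption for this example: RFC 1918 space is "internal"; adjust to the real estate.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def daily_egress(flows):
    """Sum bytes per (internal source host, calendar day) for flows that leave
    the internal ranges. Internal-to-internal traffic is ignored so that normal
    file-server load does not drown the outbound signal."""
    per_host = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            per_host[src][ts.date()] += nbytes
    return per_host


def sustained_egress_alerts(flows, baseline_days=7, factor=10.0, min_consecutive=3):
    """Alert on hosts whose daily egress exceeds factor x their own median over
    the first baseline_days for at least min_consecutive consecutive days.
    Comparing each host to itself keeps a chatty server from raising the bar
    for every workstation."""
    alerts = []
    for host, days in daily_egress(flows).items():
        ordered = sorted(days)
        if len(ordered) <= baseline_days:
            continue  # not enough history to form a baseline
        baseline = median(days[d] for d in ordered[:baseline_days])
        threshold = factor * baseline
        run = []

        def flush(run):
            if len(run) >= min_consecutive:
                alerts.append({
                    "host": host,
                    "start": run[0],
                    "end": run[-1],
                    "days": len(run),
                    "baseline_bytes": baseline,
                    "total_bytes": sum(days[d] for d in run),
                })

        for d in ordered[baseline_days:]:
            if days[d] > threshold:
                if run and d != run[-1] + timedelta(days=1):
                    flush(run)          # gap in the run: close it and start over
                    run = []
                run.append(d)
            else:
                flush(run)
                run = []
        flush(run)
    return alerts


def days_to_exfiltrate(total_bytes, link_bytes_per_second):
    """Lower bound on wall-clock days needed to move total_bytes at a sustained rate."""
    return total_bytes / link_bytes_per_second / 86400


def constructed_flows():
    """Constructed sample (not real telemetry): two workstations with ~2 GB/day
    of outbound web traffic for twelve days; from day 8 one of them also pushes
    ~400 GB/day to a single external host. Records are (timestamp, src, dst, bytes)."""
    flows = []
    day0 = datetime(2020, 4, 1, 9, 0)
    for i in range(12):
        ts = day0 + timedelta(days=i)
        for host in ("10.0.5.17", "10.0.5.18"):
            flows.append((ts, host, "203.0.113.10", 2 * GB))   # ordinary SaaS/web egress
            flows.append((ts, host, "10.0.1.5", 50 * GB))      # internal file server, ignored
        if i >= 7:
            flows.append((ts + timedelta(hours=14), "10.0.5.17", "203.0.113.50", 400 * GB))
    return flows


if __name__ == "__main__":
    for a in sustained_egress_alerts(constructed_flows()):
        print(f"{a['host']}: {a['days']} days ({a['start']}..{a['end']}), "
              f"{a['total_bytes'] / GB:.0f} GB out vs {a['baseline_bytes'] / GB:.0f} GB/day baseline")
    # 10 TB over a fully saturated 100 Mbit/s uplink still needs more than nine days
    print(f"10 TB at 100 Mbit/s: {days_to_exfiltrate(10 * 10**12, 100_000_000 / 8):.1f} days")
```

On the constructed data only 10.0.5.17 trips the rule, with a five-day run roughly two hundred times its own baseline. In practice the same aggregation works over NetFlow/IPFIX, proxy or firewall logs; the baseline window and multiplier are tuning knobs, and a per-destination breakdown (one external host receiving almost everything, as in the sample) is the next pivot an analyst would want.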
Sam Curry, Chief Security Officer (InfoSec Expert)
April 16, 2020 1:46 pm

Any successful breach, such as the one being reported against EDP, no matter the size and scope, has potentially catastrophic consequences if not contained. In this latest brazen ransomware attack, while details are scant, if the hackers were able to steal sensitive and confidential information on partners, billing procedures, contracts and other proprietary information, EDP's focus needs to be on doing everything humanly possible to secure that data. Having backups of their files and resuming regular business operations is low on their priority list during the first 24-48 hours of incident response measures.

Recently, currency exchange company Travelex suffered a serious breach. Its systems were locked for weeks and many of their customers had no choice but to turn to other companies for business. Similarly, EDP's business is at risk the longer its systems are locked and its customers and partners are in limbo. It is my hope that EDP has this situation under control, and that other companies use this news as a wake-up call to immediately engage around-the-clock threat hunting services in order to root out suspicious behaviour before it becomes catastrophic. Companies can no longer rely solely on maintaining backup copies of files and security hygiene to keep crime actors at bay. Lastly, organisations should deploy advanced anti-ransomware technology to prevent the effective execution of ransomware and help to make cyber crime a less profitable and attractive business.

Moreno Carullo, Co-founder and CTO (InfoSec Expert)
April 16, 2020 1:40 pm

Threatening to leak data is becoming increasingly popular among ransomware operators as we have witnessed with DoppelPaymer, Sodinokibi, and now, RagnarLocker.

In the past, victims had their operations disrupted simply by Data Encrypted for Impact. Today many organisations have strategies in place to respond to such attacks, using backups for instance. For this reason, the most lucrative alternative employed by ransomware operators today is threatening the leak of sensitive data. Criminals are explicitly looking for targets holding sensitive data and the more important the data the more leverage they can exercise on the victims.

The leak of sensitive data can cause a variety of severe consequences for the affected organisation, including loss of intellectual property, which is extremely valuable for those that are R&D-focused, for example. Victim companies also have to deal with the economic and reputational impact of leaks due to data protection regulations, making the attacker's leverage even stronger.

If organisations want to avoid falling victim to this kind of attack, they should look to employ network segmentation. In essence, this separates the most crucial parts of the network, so it's more difficult for adversaries to get in.
