RagnarLocker Ransomware Hits EDP Energy Giant, Asks For €10M – Experts Comments

As reported by Bleeping Computer, attackers using the Ragnar Locker ransomware have encrypted the systems of Portuguese multinational energy giant Energias de Portugal (EDP) and are now asking for a 1580 BTC ransom ($10.9M or €9.9M). EDP Group is one of the largest European operators in the energy sector (gas and electricity) and the world’s 4th largest producer of wind energy. During the attack, the Ragnar Locker ransomware operators claim to have stolen over 10 TB of sensitive company files, and they are now threatening to leak all the stolen data unless the ransom is paid.

Experts Comments

April 15, 2020
Rob Fitzsimons
A Field Applications Engineer
Telesoft Technologies
EDP’s span is so vast that suffering a data breach would have huge ramifications for its reputation. That’s why it and other critical national infrastructure suppliers are prime targets. When companies are held over a barrel, a $10.9 million (£8.57 million) ransom demand suddenly seems like a viable option. But, of course, there’s no guarantee that hackers will unencrypt data once ransoms have been paid – these aren’t typical business transactions governed by ethics. Defending against ransomware, particularly a highly targeted strain such as RagnarLocker, which undertakes comprehensive reconnaissance of its targets before it’s actually deployed, necessitates complete visibility into network traffic. Any irregular activity, no matter how seemingly insignificant, could be malicious actors carrying out the groundwork for future attacks, so it must be investigated. A strong human firewall is also essential. When employees know about the red flags of phishing attacks, for instance, they will be more vigilant with emails and comms that request they visit sites or click on links. This is even more crucial at the current time, with many individuals working from home without the security of corporate networks.
April 16, 2020
Sam Curry
Chief Security Officer
Cybereason
Any successful breach, such as the one being reported against EDP, no matter the size and scope, has potentially catastrophic consequences if not contained. In this latest brazen ransomware attack, while details are scant, if the hackers were able to steal sensitive and confidential information on partners, billing procedures, contracts and other proprietary information, EDP’s focus needs to be on doing everything humanly possible to secure that data. Having backups of their files and resuming regular business operations is low on their priority list during the first 24-48 hours of incident response measures. Recently, currency exchange company Travelex suffered a serious breach. Its systems were locked for weeks and many of its customers had no choice but to turn to other companies for business. Similarly, EDP’s business is at risk the longer its systems are locked and its customers and partners are in limbo. It is my hope that EDP has this situation under control, and that other companies use this news as a wake-up call to immediately engage around-the-clock threat hunting services in order to root out suspicious behaviour before it becomes catastrophic. Companies can no longer rely solely on maintaining backup copies of files and security hygiene to keep crime actors at bay. Lastly, organisations should deploy advanced anti-ransomware technology to prevent the effective execution of ransomware and help to make cyber crime a less profitable and attractive business.
April 16, 2020
Moreno Carullo
Co-founder and CTO
Nozomi Networks
Threatening to leak data is becoming increasingly popular among ransomware operators, as we have witnessed with DoppelPaymer, Sodinokibi, and now, RagnarLocker. In the past, victims had their operations disrupted simply by Data Encrypted for Impact. Today many organisations have strategies in place to respond to such attacks, using backups for instance. For this reason, the most lucrative alternative employed by ransomware operators today is threatening the leak of sensitive data. Criminals are explicitly looking for targets holding sensitive data, and the more important the data, the more leverage they can exercise on the victims. The leak of sensitive data can cause a variety of severe consequences for the affected organisation, including loss of intellectual property, which is extremely valuable for those that are R&D-focused, for example. Victim companies also have to deal with the economic and reputational impact of leaks due to data protection regulations, making the attacker’s leverage even stronger. If organisations want to avoid falling victim to this kind of attack, they should look to employ network segmentation. In essence, this separates the most crucial parts of the network, so it’s more difficult for adversaries to get in.
April 17, 2020
Kelvin Murray
Senior Threat Research Analyst
Webroot
This tactic of holding the confidentiality of the corporate data itself to ransom is still relatively new, and the energy sector has been a particular target of “big game” ransomware cybercriminals in the last year. Ransomware criminals look for the most essential services to lock up, as paying a ransom might be considered the safer option than facing the consequences of lost power for millions of people for an indefinite period. These gangs are highly organized and they select their targets wisely. Once they have breached an organization they look to encrypt as many of the operating systems as possible, and consequently they charge extremely high ransoms, easily running into the millions. Senior leaders within EDP will currently be working out the potential impact of the release of their confidential data to the business, including the potential loss of credibility, loss of business, intellectual property loss, GDPR fines, and weighing that up against the cost of paying the ransom.
April 17, 2020
Andrea Carcano
Co-founder and CPO
Nozomi Networks
Threatening to leak data is becoming increasingly popular among ransomware operators, as we have witnessed with DoppelPaymer, Sodinokibi, and now, Ragnar Locker. In the past, victims had their operations disrupted simply by Data Encrypted for Impact. Today many organisations have strategies in place to respond to such attacks, using backups for instance. For this reason, the most lucrative alternative employed by ransomware operators today is threatening the leak of sensitive data. Criminals are explicitly looking for targets holding sensitive data, and the more important the data, the more leverage they can exercise on the victims. The leak of sensitive data can cause a variety of severe consequences for the affected organisation, including loss of intellectual property, which is extremely valuable for those that are R&D-focused, for example. Victim companies also have to deal with the economic and reputational impact of leaks due to data protection regulations, making the attacker’s leverage even stronger.
April 17, 2020
Martin Jartelius
CSO
Outpost24
It is a situation you would wish for no one to be in, and it is yet again a testament to the need for defense-in-depth, and, where applicable, not using credentials and permissions in such a way that access in the domain reaches so far so fast. If the claim of 10 TB of exfiltrated data holds true, the exfiltration alone must have been ongoing for a large amount of time. There are many means by which this could have been detected, responded to and likely also avoided, but there is little value in speculating about that; the best others can do is learn from it and take preventive measures.
April 16, 2020
Carl Wearn
Head of E-Crime
Mimecast
This attack again highlights the fact that ransomware does not discriminate, and it can affect any business across any industry. This is why it’s crucial that all businesses prepare for the possibility of a ransomware attack happening to them and that they implement strong resilience measures so that they are in the best position to recover effectively in case the worst happens. Having contingency plans in place is critical at a time when ransomware attacks against large companies are becoming a regular theme. Remediation of any ransomware infection is likely to be significantly more difficult in any jurisdiction experiencing a period of lockdown or distancing measures. It may well slow any organisational response and require significant replacement of assets rather than allowing an effective segregation of impacted machines. I cannot overstate the critical importance of individuals’ awareness of threats and strong cyber hygiene during the current pandemic and with entire workforces working from home. Please ensure that whenever possible you avoid using your work devices for personal use, or letting children or partners use work devices they are unfamiliar with. Other measures such as always using strong unique passwords, not clicking links or attachments in unsolicited emails, ensuring your firewall is on, the use of encrypted communications via your router and the use of any workplace VPN are also of critical importance when away from the office. Lastly, please do make use of multi-factor authentication whenever available. In addition to maintaining the security of your work network, these measures may also save you from becoming a victim.
April 16, 2020
Jake Moore
Cybersecurity Specialist
ESET
With companies reportedly paying attackers eye-watering amounts recently, nothing shocks me, and I wouldn’t be surprised if more businesses continued to meet hackers’ demands. If targeted companies pay such ransoms, they are purely fuelling the cybercrime business cycle and funding further attacks. Furthermore, once data has been stolen, larger threats are usually thrown on the table and it can take a different direction. Once a company pays a ransom to prevent their data being released, there is nothing to say the criminals won’t come back with further demands. Protective measures are difficult to weigh in reactively, so this attack is all about preparation. Simulations of a ransomware attack can help to discover where a company’s weaknesses are and proactively protect them.