As reported by Bleeping Computer, attackers using the Ragnar Locker ransomware have encrypted the systems of Portuguese multinational energy giant Energias de Portugal (EDP) and are now asking for a 1580 BTC ransom ($10.9M or €9.9M). EDP Group is one of the largest European operators in the energy sector (gas and electricity) and the world’s 4th largest producer of wind energy. During the attack, the Ragnar Locker ransomware operators claim to have stolen over 10 TB of sensitive company files and they are now threatening the company to leak all the stolen data unless the ransom is paid.
This tactic of holding the confidentiality of the corporate data itself to ransom is still relatively new, and the energy sector has been a particular target of “big game” ransomware cybercriminals in the last year.
Ransomware criminals look for the most essential services to lock-up as paying a ransom might be considered the safer option than facing the consequences of lost power for millions of people for an indefinite period. These gangs are highly organized and they select their targets wisely. Once they have breached an organization they look to encrypt as many of the operating systems as possible and consequently they charge extremely high ransoms, easily running into the millions.
Senior leaders within EDP will currently be working out the the potential impact of the release of their confidential data to the business, including the potential loss of credibility, loss of business, intellectual property loss, GDPR fines, and weighing that up against the cost of paying the ransom.
Threatening to leak data is becoming increasingly popular among ransomware operators as we have witnessed with DoppelPaymer, Sodinokibi, and now, Ragnar Locker.
In the past, victims had their operations disrupted simply by Data Encrypted for Impact. Today many organisations have strategies in place to respond to such attacks, using backups for instance. For this reason, the most lucrative alternative employed by ransomware operators today is threatening the leak of sensitive data. Criminals are explicitly looking for targets holding sensitive data and the more important the data the more leverage they can exercise on the victims.
The leak of sensitive data can cause a variety of severe consequences for the affected organisation, including loss of intellectual property, which is extremely valuable for those that are R&D-focused, for example. Victim companies also have to deal with the economical and reputational impact of leaks due to data protection regulations, making the attacker\’s leverage even stronger.
It is a situation you would wish for no one to be in, and it is yet again a testament for the need for defense-in-depth, and where applicable not using credentials and permissions in such a way that access in the domain reaches so far so fast. If the claim of 10 TB exfiltrated data holds true the exfiltration alone must have been ongoing for a large amount of time.
There are many means by which this could have been detected, responded to and likely also avoided, but there is little value to speculate regarding that, the best others can do is learn from it and take preventive measures.
Any successful breach, such as the one being reported against EDP, no matter the size and scope, have potentially catastrophic consequences if not contained. In this latest brazen ransomware attack, while details are scant, if the hackers were able to steal sensitive and confidential information on partners, billing procedures, contracts and other proprietary information, EDPs focus needs to be on doing everything humanly possible to secure that data. Having backups of their files and resuming regular business operations is low on their priority list during the first 24-48 hours of incident response measures.
Recently, currency exchange company Travelex suffered a serious breach. its systems were locked for weeks and many of their customers had no choice but to turn to other companies for business. Similarly, EDP’s business is at risk the longer its systems are locked and its customers and partners are in limbo. It is my hope that EDP has this situation under control, and that other companies use this news as a wake-up call to immediately engage around the clock threat hunting services in order to root out suspicious behaviour before it becomes catastrophic. Companies can no longer rely solely on maintaining backup copies of files and security hygiene to keep crime actors at bay. Lastly, organisations should deploy advanced anti-ransomware technology to prevent the effective execution of ransomware and help to make cyber crime a less profitable and attractive business.
Threatening to leak data is becoming increasingly popular among ransomware operators as we have witnessed with DoppelPaymer, Sodinokibi, and now, RagnarLocker.
In the past, victims had their operations disrupted simply by Data Encrypted for Impact. Today many organisations have strategies in place to respond to such attacks, using backups for instance. For this reason, the most lucrative alternative employed by ransomware operators today is threatening the leak of sensitive data. Criminals are explicitly looking for targets holding sensitive data and the more important the data the more leverage they can exercise on the victims.
The leak of sensitive data can cause a variety of severe consequences for the affected organisation, including loss of intellectual property, which is extremely valuable for those that are R&D-focused, for example. Victim companies also have to deal with the economical and reputational impact of leaks due to data protection regulations, making the attacker\’s leverage even stronger.
If organisations want to avoid falling victim to this kind of attack, they should look to employ network segmentation. In essence, this separates the most crucial parts of the network, so it\’s more difficult for adversaries to get in.