How did an electricity company with 12,000 employees get its entire network infected with ransomware?

Ransomware operators continue to diversify their methods. According to a report, the Portuguese multinational energy company Energias de Portugal (EDP) has just fallen victim to an encryption malware infection. The attackers reportedly used the dangerous RagnarLocker ransomware variant and demanded a $10 million payment to release the encrypted information.

Reports from cybersecurity specialists at MalwareHunterTeam state that the threat actors managed to extract more than 10 TB of confidential files from the Portuguese company, and they are threatening to expose the files if the required payment is not received within a certain timeframe.

The alleged perpetrators of the attack also posted a message on Ragnarok, a site used by hackers to publish leaked information: “We downloaded more than 10 TB of private information from EDP servers. Below you can find a couple of files and screenshots of the attacked network! This is just a sample, although we could also post the information in other blogs and online magazines.”

After analyzing the attack, MalwareHunterTeam identified that the hackers used the RagnarLocker variant. Moreover, the specialized BleepingComputer platform gained access to the ransom note received by the attacked company, and a Tor payment page was also discovered where the hackers demand the ransom payment.

The attackers left the ransom note on EDP systems, from which they were able to steal sensitive company information, including details about billing, contracts, transactions, customers and partners.

This ransomware variant was first identified in 2019, when it was used to attack multiple enterprise networks. RagnarLocker operators typically target software used by managed service providers, which helps their attacks avoid detection.

So far it is not known whether the affected company will pay the ransom or whether it will try to recover the compromised information by its own means. However, it is known that the hackers offered the company a special price if it contacts them quickly (or completes the payment within two days of the attack). Specialists fear that the hackers will release the compromised information if the company decides not to pay the ransom.