Cybersecurity Threat Advisory 0028-20: RagnarLocker Ransomware Hits EDP Energy Giant
Energy giant EDP was recently hit with RagnarLocker ransomware. The hacking group claiming responsibility is threatening to leak 10 TB of stolen data online, including sensitive material such as what appears to be a password manager database, if a ransom of almost $11M USD is not paid. SKOUT advises companies, especially those in the energy sector, to review their cyber hygiene. Specific recommendations are included below.
Technical detail and additional information
What is the threat?
Portuguese multinational energy company Energias de Portugal (EDP) has been hit by the “Ragnar Locker” ransomware, and the attackers are demanding a large bitcoin payment in exchange for not publishing the data they stole. The initial attack vector is unknown at this time. The attackers claim to have encrypted EDP systems and exfiltrated “more than 10TB of private information from EDP group servers”, and they threaten to make this data public unless they are paid 1580 BTC (about $10.9M USD). As evidence, the attackers have posted a screenshot sample of the stolen files, and they state that they will distribute the data widely if the ransom is not paid.
Why is this noteworthy?
EDP is one of the largest organizations in the European energy sector, operating in nineteen countries and serving almost 11 million customers. The attackers have stated that EDP’s clients, partners, and competitors will be notified of the breach and that the leaked data will also be sent to news and media outlets. An EDP spokesperson has stated that the attack has not affected the company’s power supply service or critical infrastructure at this time. Depending on how the incident develops, however, there could still be an impact from data loss or corruption. The attack vector for this particular event is unknown at this time, but Ragnar Locker has previously been observed abusing remote management software used by managed service providers (MSPs), such as ConnectWise, to deliver the ransomware while disguising its activity.
What is the exposure or risk?
The most immediate risk in this event is the public release of all of EDP’s stolen data. A claimed 10TB of data could include a large amount of confidential information, both about organizational operations and about private customers. Beyond the lasting damage to EDP’s brand reputation, the theft of customer data could carry significant legal and financial consequences. The screenshot posted as proof of compromise shows a file named “edpradmin2.kdb”, the file format of a KeePass password manager database. If genuine, this lends credibility to the claim of compromise, and any credentials stored in that database should be treated as compromised and rotated, even though a KeePass database is itself encrypted with a master key. The attackers also claim that any attempt to decrypt the encrypted files with anything other than the decryption tool they provide risks damaging the data. Even if the ransom is paid, there is no guarantee that the stolen information will be kept private or returned intact, or that the attackers’ access has been fully removed and no further compromise will follow from this incident.
What are the recommendations?
While the exact vector of the attack is unknown, there are general recommendations that can harden your environment against similar ransomware attacks:
- Enforce a strong password policy and implement multi-factor authentication (MFA) wherever possible, particularly for remote access and administrative accounts.
- Maintain a data backup and recovery plan for all mission-critical information, and keep at least one copy of the most critical data offline or otherwise isolated from the network so that ransomware cannot reach it. Regularly test restoring from these backups to confirm they are complete and intact and to measure how long recovery would take in a real incident.
- Keep systems updated with the latest security patches, including remote management and remote access software.
- Deploy endpoint detection and response (EDR) software, such as Cylance, so that exploitation attempts and ransomware activity are detected and quarantined before any damage is done.
- Educate employees on common phishing techniques; phishing remains the most common initial vector for ransomware.
- Audit user permissions and apply the principle of least privilege, granting each user and service account only the access it needs.
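The backup recommendation above is only useful if a restore can be checked against a known-good record. The following is an added example, not part of the original advisory or of any SKOUT or EDP tooling: it builds a SHA-256 manifest of a backup set at backup time and later verifies a restored tree against it, reporting files that are missing, modified, or unexpected. The file names, the simulated damage (a file overwritten with random bytes and another renamed with a ".locked" suffix), and the use of a temporary directory are all constructed for the demonstration. The manifest should be stored with the offline copy of the backup, so that an attacker who can encrypt the backup cannot also rewrite the record it is checked against.

```python
"""Backup manifest creation and restore verification (added example, not from the advisory)."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest captured at backup time.

    Returns a report: 'ok' is True only when every file is present with its
    original digest and nothing unexpected has appeared. Encrypted-in-place files
    show up as 'modified'; files renamed with a ransomware extension show up as
    'missing' plus an 'extra' entry for the new name.
    """
    current = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(current))
    extra = sorted(set(current) - set(manifest))
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    return {
        "ok": not (missing or modified or extra),
        "missing": missing,
        "modified": modified,
        "extra": extra,
    }


def demo() -> dict:
    """Constructed scenario: back up a small tree, verify a clean restore, then
    simulate ransomware damage to the backup copy and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "config").mkdir(parents=True)
        (src / "config" / "app.ini").write_text("db_host=10.0.0.5\n")  # constructed content
        # Constructed placeholder bytes standing in for a password database; not a real file.
        (src / "admin.kdb").write_bytes(b"\x00" * 48)

        manifest = build_manifest(src)  # would be stored alongside the offline backup

        backup = Path(tmp) / "backup"
        shutil.copytree(src, backup)
        clean_report = verify_restore(manifest, backup)

        # Simulate ransomware reaching the backup: one file encrypted in place,
        # one renamed with a hypothetical ".locked" extension.
        (backup / "config" / "app.ini").write_bytes(os.urandom(64))
        (backup / "admin.kdb").rename(backup / "admin.kdb.locked")
        damaged_report = verify_restore(manifest, backup)

        return {"clean": clean_report, "damaged": damaged_report}


if __name__ == "__main__":
    result = demo()
    print("clean restore ok:", result["clean"]["ok"])
    print("damaged restore:", result["damaged"])
```

Run the script on its own to see the two reports. In practice, run build_manifest when the backup is taken, write the manifest to the isolated copy, and run verify_restore as part of the scheduled restore test; a non-empty "modified" or "extra" list is the signal that a backup can no longer be trusted, and the time the restore takes is the recovery figure the plan needs.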
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.