[BreachExchange] Energy company EDP Renewables confirms April ransomware attack

Destry Winant destry at riskbasedsecurity.com
Thu Jul 9 09:41:19 EDT 2020


https://siliconangle.com/2020/07/07/energy-company-edp-renewables-confirms-april-ransomware-attack/

EDP Renewables North America LLC has confirmed that it was targeted in
a ransomware attack, with the company advising that those behind the
attack gained unauthorized access to some information stored on its
information systems.

The attack was first reported in April and is believed to have
involved the use of Ragnar Locker ransomware. Ragnar Locker is a form
of ransomware that attacks Microsoft Windows and usually targets
software used by managed service providers to prevent the attack from
being detected and stopped.

Once successfully deployed on a targeted computer or network, Ragnar
Locker first performs reconnaissance and pre-deployment tasks,
including stealing the victim’s files, and only then encrypts files
and demands a ransom.
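The phased behaviour described above (bulk theft of files first, encryption afterwards) gives defenders something concrete to hunt for: large outbound transfers from a host shortly before a burst of file renames on that same host. The Python below is an added example, not code from the article, the mailing-list post, or EDP; the telemetry schema, host names, ".locked" extension, thresholds and window sizes are all constructed or assumed for illustration.

```python
"""Hunt heuristic for the exfiltrate-then-encrypt pattern over constructed
endpoint/network telemetry. Added example; events, hosts, extension and
thresholds are hypothetical and not taken from the EDP incident."""
from collections import defaultdict
from datetime import datetime, timedelta

EGRESS_THRESHOLD_BYTES = 1_000_000_000  # assumed: >= 1 GB to external addresses
RENAME_BURST_COUNT = 20                 # assumed: this many renames in 10 min = mass encryption
BURST_SPAN = timedelta(minutes=10)
LOOKBACK = timedelta(hours=6)           # assumed: how far before the burst to sum egress


def _renames(host, start, count, step_seconds=10):
    """Build a constructed burst of rename events for one host."""
    t0 = datetime.fromisoformat(start)
    return [((t0 + timedelta(seconds=i * step_seconds)).isoformat(), host,
             "file_rename", f"doc{i}.docx -> doc{i}.docx.locked")
            for i in range(count)]


# Constructed sample events: (timestamp, host, kind, value).
# fs-01: bulk egress then mass rename (the double-extortion pattern).
# ws-07: mass rename with no prior egress (encryption only).
# bk-02: large egress with no rename burst (e.g. a legitimate backup job).
SAMPLE_EVENTS = (
    [("2020-04-10T01:00:00", "fs-01", "net_egress", 1_200_000_000),
     ("2020-04-10T01:05:00", "fs-01", "net_egress", 2_500_000_000)]
    + _renames("fs-01", "2020-04-10T01:30:00", 25)
    + _renames("ws-07", "2020-04-10T03:00:00", 30)
    + [("2020-04-10T22:00:00", "bk-02", "net_egress", 5_000_000_000)]
)


def group_by_host(events):
    """Parse timestamps and return {host: [(datetime, kind, value), ...]} sorted by time."""
    grouped = defaultdict(list)
    for ts, host, kind, value in events:
        grouped[host].append((datetime.fromisoformat(ts), kind, value))
    for evs in grouped.values():
        evs.sort(key=lambda e: e[0])
    return grouped


def first_rename_burst(times):
    """Return the start time of the first window holding RENAME_BURST_COUNT renames, or None."""
    for i in range(len(times) - RENAME_BURST_COUNT + 1):
        if times[i + RENAME_BURST_COUNT - 1] - times[i] <= BURST_SPAN:
            return times[i]
    return None


def find_double_extortion_candidates(events):
    """Flag hosts where bulk egress precedes a mass-rename burst within LOOKBACK."""
    findings = []
    for host, evs in group_by_host(events).items():
        burst_start = first_rename_burst([t for t, k, _ in evs if k == "file_rename"])
        if burst_start is None:
            continue  # no encryption-like activity on this host
        egress = sum(v for t, k, v in evs
                     if k == "net_egress" and burst_start - LOOKBACK <= t < burst_start)
        if egress >= EGRESS_THRESHOLD_BYTES:
            findings.append({"host": host, "egress_bytes": egress,
                             "encryption_start": burst_start.isoformat()})
    return findings


if __name__ == "__main__":
    for f in find_double_extortion_candidates(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['egress_bytes']} bytes out before renames at {f['encryption_start']}")
```

Only fs-01 is reported: ws-07 shows encryption without the prior theft, and bk-02 shows bulk egress with no encryption, so neither matches the two-phase pattern. In practice the egress sum should be restricted to destinations outside the organisation and the thresholds tuned per host role, which is exactly the kind of continuous hunting the quoted commentary below recommends.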

In this case, it’s believed that those behind the Ragnar Locker attack
demanded a 1580 bitcoin ($14.67 million) ransom with a threat that if
the ransom wasn’t paid, they would publish more than 10 terabytes of
information stolen from EDP’s network. The company refused to pay the
ransom.

In a letter to customers, EDP claimed that it had no evidence that
those behind the ransomware attack had obtained personally
identifiable information. Despite that claim, the company, which has
11 million customers across 19 countries, is offering one year of
identity protection services from Experian IdentityWorks for free “as
a proactive measure.”

“The pattern that jumps out at me is that the critical infrastructure
sectors are a continuing and growing target of attack for this type of
extortive crime despite global law enforcement efforts,” Michael Daly,
chief technology officer at Raytheon Intelligence & Space, a division
of defense and aerospace company Raytheon Technologies Inc., told
SiliconANGLE. “I think it’s extremely important to conduct cyberthreat
hunting after such a breach and it is truly good practice to have a
continuous hunting campaign, as through a managed detection and
response service. In cases like this, the criminals maintain footholds
in order to jump back in, and to jump to other business-adjacent
enterprises.”

Torsten George, cybersecurity evangelist at cybersecurity firm
Centrify Corp., noted that “we are seeing an uncommon but increasing
trend of cybercriminals carrying out ransomware attacks by not only
encrypting organizations’ systems but exfiltrating data and
threatening to release it publicly as additional blackmail.”

“Only a small percentage of ransomware attacks take this extra step
today, likely because it increases the risk of detection and
identification of the attacker,” George explained. “The ones that do
take this route, like in the case of the Energias de Portugal [EDP]
incident, are likely motivated by the extra payout they’ll receive if
the company caves.”
