EDP Ransomware Attack Points at Growing Trend of Public Leaks by Threat Actors
In most cases, ransomware attacks follow a relatively simple pattern. The attackers lock up user files with secure encryption, then they drop a ransom note with contact information and a wallet, promising to restore access once a payment goes through. Although this is a popular and lucrative way of doing crime, the situation is escalating, as is the case with such threats. Large companies and corporations are becoming the target of threat actors, and with that, they are finding inventive ways to push their victims toward paying ransom demands. Energias de Portugal (EDP) found that the hard way, as they were threatened with the public disclosure of their stolen sensitive data if they decide to skip paying the ransom.
EDP is the largest energy company in Portugal, also one of the largest wind power providers globally. The company was attacked by the hacking group Ragnarok, known for their use of the Ragnar Locker ransomware. They've been attacking service providers since the late days of 2019.
Table of Contents
Ragnarok Takes Note of Maze Operations and Follows Suit
Learning from the ransomware attacks of the previous half a year, such as the ones done by the Maze group, Ragnarok followed their example. They publicly threatened to dump sensitive information taken from the 10TB of data they whisked away from EDP if the company doesn't pay up the $10.9 million ransom demand.
That is the latest example of attacks connected to the Ragnar Locker, with previous attacks asking for about a third to a half of the amount listed above. The energy company is also the most significant target hit by this ransomware threat so far.
The hackers posted several files and screenshots that validated their threats. Ragnarok claims to have stolen copies of contracts, billing information, private communications with clients and partners, transaction documents, and more. The group also mentioned they had a .kpb file used by the KeePass password manager database used to store login info. That may mean the usernames and passwords of EDP employees may have been compromised.
EDP issued a press release, mentioning they are assessing the situation with no knowledge of the stolen data other than what the media reported. The company shared the attack happened on April 13, but it didn't impact their operations in any way. MalwareHunterTeam took up the investigation of the ransomware attack, sharing that the attackers may have had access to the company before April 6. The investigation led a guess about the general location of the Ragnarok threat - a piece of the code prevented the execution of the ransomware in the ex-Soviet republics.
The New Ransomware Attacks Aiming at More Profits
The attacks of the past were aiming at catching businesses by surprise, with organizations restoring from backups with minimal downtime, so there was no need to pay up the ransom. Ransomware attacks expanded by attacking schools, government agencies, and even hospitals in 2019, showing that the market for these attacks is growing with no morals attached.
The attackers who go the extra mile are making sure there is the implication of threat that leads to bigger and bigger profits. If someone clicks on the ransomware link, they have their foot in the door in a vulnerable corporate network and related databases. The more sophisticated the attacks, the more the access can be used to exfiltrate essential data before it was encrypted. The attackers are using this leverage over their victims to dangle the threat of information leaks, holding the data hostage in more ways than one.
The Victims Are Facing More Significant Problems
The response of security breaches has to keep up with the threats, since confidential business information and personal data of customers and employees leaking may put many people at risk of identity theft and worse.
The new methods used by ransomware operators are showing an increase in business acumen, one that goes beyond the simple threat. They are making the process look almost legitimately retail-like, with offering discounts for early payments, as was the case with Ragnarok offering EDP one if the ransom was paid in two days. They even offer 'customer service' with a live chat system.
Developments like those show that companies and individuals need to put a lot more emphasis on breach prevention in their daily operations. Users need to be aware of the dangers of phishing emails, clicking on malware-laced links, and more. Employee training has to be a priority to improve awareness and costs of recovering from breaches and leaks of sensitive company files.