Energy company EDP confirms cyberattack, Ragnar Locker ransomware blamed

The energy firm denies the loss of customer data. Attackers claim to have stolen 10TB in business records.
Written by Charlie Osborne, Contributing Writer

EDP Renewables North America (EDPR NA) has disclosed a cyberattack in which ransomware landed on parent company Energias de Portugal (EDP)'s systems, potentially leading to information exposure. 

In a letter sent to customers (.PDF), the energy company apologized for the incident but insisted that there is "no evidence" that consumer information was compromised or stolen.  

The firm delivers energy to over 11 million customers and operates in 19 countries.

EDP experienced a ransomware attack on April 13. EDPR NA learned of the ransomware infection "for the first time" from its parent company on May 8.

"Attackers had gained unauthorized access to at least some information stored on the company's own information systems," the letter reads. "Since then, EDPR NA has worked diligently and on an expedited basis to identify the individuals potentially affected by this incident."


EDPR NA says that customers need to be aware of the incident as the business stores customer names and Social Security numbers, although payment card information was not included in the potential data breach. 

As there is a risk that the theft of customer data could come to light in the future, the company is offering customers a year of Experian identity protection at no cost, a standard offering due to how common data breaches have become. 

As reported by Bleeping Computer, the ransomware in question appears to be Ragnar Locker, whose operators are known for targeting corporate entities rather than the general public.

Researchers recently described an interesting technique used by the threat actors to deploy Ragnar Locker, in which virtual machines (VMs) are used to load the malware in order to bypass existing security software. 


In this case, the ransomware note demanded 1580 Bitcoin (BTC), or roughly $10 million. The cyberattackers warned EDP that over 10TB of information had been taken from impacted systems, and as proof, the group was willing to decrypt some files for free. 

If the company refused to bow to the blackmail demand, the malware's operators threatened to make the data public or sell "sensitive and confidential information about your transactions, billing, contracts, clients, and partners." 

While some companies do bow to ransom demands, it is generally not recommended as there is no guarantee that access to infected systems will be restored, and by paying up, victims would be further encouraging these forms of cyberattack.


In related news, at the beginning of July, FortiGuard Labs explored EKANS, a form of Windows malware specifically designed for attacks on industrial control systems (ICS), including those used by crucial utilities and energy companies. The analysis of modern samples revealed that EKANS is used in targeted attacks against specific entities.

ZDNet has reached out to EDP with additional queries and will update when we hear back. 
