RagnarLocker ransomware strikes EDP Group: $10M for 10TB demanded

Energies de Portugal attacked by RagnarLocker ransomware: 10 TB information from servers leaked

RagnarLocker attack over EDP energy giant

RagnarLocker attack over EDP energy giant

The energy giant Energies de Portugal (EDP Group)[1] company has been hit hard by the infamous RagnarLocker ransomware. The company having 40 years of history and departments in 19 countries in Europe beyond and standing 4th in the line of major gas, electricity, and wind energy producers are charged nearly $10M (1580 Bitcoin[2]) ransom. Actors behind RagnarLocker managed to steal 10 TB of private information from EDP servers worldwide.

Attackers targeted the software used by service providers to compromise the network in a way the attack remained unnoticed. Before encryption, the ransomware initiated deep surveillance and initiated multiple pre-deployment tasks. In this phase, RagnarLocker leaked 10 TB of EDP’s files to the remote server. The final step in the attack is a full ransomware execution, which unraveled RSA-2048 cipher[3], which encrypted files with .ragnar file extension.

The company remains silent about the situation, though criminals keep publishing posts on Ragnarok’s leak site. Criminals have provided a proof of attack – a screenshot from the network and a file edpradmin2.kdb, which redirects to a database where all login credentials, accounts, and other sensitive information of EDP’s employees is kept.

RagnarLocker operators claim to have stolen confidential information related to EPD’s clients and partners

The size of the ransom, which is more than $10M in Bitcoin cryptocurrency does not surprise knowing the fact that criminals now possess the most confidential company’s information. The ransom note RGNR_44027CDE.txt declares the fact that the attackers gathered transactions, billing, contracts, clients, and partners.

Since the company delivers energy to more than 11 million customers, more than 11 thousand employees and difficult to count the number of contracts, a massive EDP data leakage would cause the company serious problems and legal issues due to poor data protection[4].

The attack against EDP servers has been initiated in the middle of April 2020. Since then, RagnarLocker is actively pushing the company to take retaliatory actions –  to respond and pay the ransom within 48 hours. 2 days is offered as a period when a special price is applied for decryption and assurance that the stolen data won’t be leaked publicly.

RagnarLocker ransomware targets big fish

Disclosed at the beginning of 2020, RagnarLocker ransomware developers don’t seem to be interested in individuals, but rather targets large enterprises, large business, and giant software companies. VGCARGO was one of the first Ragnar Locker ransomware victims, which got demanded to pay 25 Bitcoins in exchange for decryption software.

The ransomware is known for appending .ragnar_*** or .ragnar_<ID*** file extension to encrypted documents and other files. The victim is also presented with RGNR_***.txt or RGNR_ .txt ransom note, which outlines the scale of the attack and requirements. Initially, criminals demanded companies for a ransom that varies from 20 to 60 Bitcoins, but the current attack on EDP proves that criminals have no limits.

RagnarLocker stands out from the crowd due to its misleading technique to steal data and encrypt data. The virus is a serious danger to companies since it’s engine works in two phases, i.e. pre-deployment[5] and payload execution. The attacker infects the machine via compromised network servers, disable Windows service processes, establishes a connection with remote servers and transmits as much confidential information as possible. During the second phase, the attacker gives a command to launch ransomware payload and release encryption mechanisms.

Such an operating scheme leaves no escape for the victims since they will either have to pay the ransom or reconcile with the disclosure of information at breaking news, cybersecurity blogs, and other media.