Ransomware attackers are demanding €10 million ($11m) from a European energy giant or else they will release stolen corporate documents, researchers have claimed.
A group using the RagnarLocker variant appears to have targeted the Lisbon-headquartered Energias de Portugal (EDP) group, which employs over 11,000 staff globally and made over €3.3 billion in gross operating income in 2018.
Ethical hacker Vitali Kremez posted screenshots of the ransom note dated Tuesday to Twitter. In it, the attackers threaten to publish 10TB of data from the company’s file servers “or sell it to interested parties” if EDP doesn’t pay up.
Another screenshot apparently shows checks in the code to prevent execution in countries formerly part of the Soviet Union.
MalwareHunterTeam said that the screenshots of stolen data already published on the group’s ‘news’ site seems to indicate they may well have access to terabytes of data.
“As frequently, in this case too the actors were in the victim's network for some time before running the RW,” they added, on Twitter. “Obviously we can't tell from when they were in EDP's network, but it looks they already had some amount of files stolen on the 6th this month.”
Not to be confused with the similar-sounding Ragnarok ransomware, RagnarLocker was first discovered at the end of last year, targeting Windows-based systems. It’s said to target software used by managed service providers (MSPs) to stay hidden.
The EDP site itself appeared to be functioning relatively normally at the time of writing, although a pop-up window noted: “due to constraints in the information systems, your EDP Online customer area and the 808 53 53 53 service line have temporarily limited access.”
Given their role as critical infrastructure providers, utilities firms are a natural target for ransomware attackers.