Portuguese energy giant EDP being held to ransom after malware attack

We can report that this week, Portuguese multinational energy giant Energias de Portugal (EDP) is the latest enterprise to be battling against cyber attackers after suffering a ransomware attack. The group behind this attack used the RagnorLocker malware variant and it has been reported that the hackers are demanding $10.9m as ransom in return for the stolen and locked files. It is believed that there is up to 10TB worth of critical corporate information which the perpetrators are threatening to leak if their ransom demands are not met.

After further examination by the MalwareHunterTeam, they informed us that the screenshots of stolen data already published on the group’s ‘news’ site seems to indicate they may well have access to terabytes of data. The screenshots, that were made public via Twitter, apparently shows checks in the code to prevent execution in countries formerly part of the Soviet Union.

It’s an unfortunate position that EDP finds itself but it’s one that demands the call for organisations to have the appropriate security in place and the need for file backups. Here are some words from cybersecurity professionals on this story:


Martin Jartelius, CSO at Outpost24:

“It is a situation you would wish for no one to be in, and it is yet again a testament for the need for defense-in-depth, and where applicable not using credentials and permissions in such a way that access in the domain reaches so far so fast. If the claim of 10 TB exfiltrated data holds true the exfiltration alone must have been ongoing for a large amount of time.

There are many means by which this could have been detected, responded to and likely also avoided, but there is little value to speculate regarding that, the best others can do is learn from it and take preventive measures.”

Andrea Carcano, founder and CPO, Nozomi Networks

“Threatening to leak data is becoming increasingly popular among ransomware operators as we have witnessed with DoppelPaymer, Sodinokibi, and now, Ragnar Locker.

In the past, victims had their operations disrupted simply by Data Encrypted for Impact. Today many organisations have strategies in place to respond to such attacks, using backups for instance.  For this reason, the most lucrative alternative employed by ransomware operators today is threatening the leak of sensitive data. Criminals are explicitly looking for targets holding sensitive data and the more important the data the more leverage they can exercise on the victims.

The leak of sensitive data can cause a variety of severe consequences for the affected organisation, including loss of intellectual property, which is extremely valuable for those that are R&D-focused, for example. Victim companies also have to deal with the economical and reputational impact of leaks due to data protection regulations, making the attacker’s leverage even stronger.”