The traditional ransomware attack is pretty straightforward: the attacker locks up your files with encryption that is practically unbreakable, and you pay up to get the decryption key that restores access. While that method is still common and lucrative for cyber criminals, a new twist is emerging that seems to be emboldening them to demand even larger amounts of money. Portuguese energy giant Energias de Portugal (EDP) is the latest company to be threatened with public disclosure of its sensitive data if it fails to pay the ransom.
Energy company threatened with public release of private client and financial information
EDP is the biggest energy company in Portugal and one of the largest wind power operators in the world. The company was breached by a hacking group called Ragnarok, known for using the custom Ragnar Locker ransomware that has been hitting managed service providers since late 2019.
Taking a cue from other ransomware attacks in roughly the past six months, such as the ones perpetrated by the Maze group, Ragnarok has publicly threatened to dump sensitive information from the 10TB of data they stole if the energy company does not opt to pay their ransom demand of $10.9 million.
This is the largest demand to be associated with Ragnar Locker; previous ransomware attacks have tended to ask for about a third to one-half of this amount. The energy company is also the largest individual target that has been hit by this particular type of ransomware, and the first for which there was an added threat of public document dumping.
The hacking group posted several files and screenshots to validate their claims. The group appears to have stolen billing information, copies of contracts, transaction documents and private communications with partners and clients, among other sensitive items, in the 10TB of private information taken from the energy company. The group also indicated that they had a .kpb file, which is used by the KeePass password manager database to store login information. It is thus possible that the usernames and passwords of all of the energy company’s employees have been compromised.
EDP issued a press release indicating that they are “assessing the situation” but currently have no knowledge of the exfiltrated data other than what has been reported in the media. The energy company confirmed that the attack took place on April 13 but stated that it did not impact normal power delivery operations in any way. MalwareHunterTeam is investigating the ransomware attack and believes that the hackers had prior access to the energy company and began exfiltrating files from EDP on April 6.
An interesting discovery by Vitali Kremez, reported by SC Media, sheds some light on the general location of the hackers. A piece of the code seems to prevent the execution of the Ragnar Locker ransomware in the former Soviet republics, something reinforced by the broken English used in some of the Ragnarok group’s communications.
The new and more business-savvy ransomware attacks
The relatively simple ransomware attacks of the past relied on catching businesses unprepared. If an organization was able to restore from backups with little downtime, there was no need to even think about paying ransomware demands.
The wave of ransomware attacks on unprepared schools, local government agencies, and hospitals in 2019 shows that there is still a substantial market out there for these traditional attacks, at least for those without any scruples. They will always be an appealing option to some so long as all that is required is an email address, a bitcoin payment wallet and relatively little technical knowledge.
The more sophisticated attackers are realizing that an added layer of threat translates into bigger profits. If one can get a target to click on a ransomware link, one can get the same target to click on a malware link that creates a foothold in the corporate network. With a little bit more hacking acumen, that access can be parlayed into exfiltration of valuable data before it is encrypted. The attackers now have both more leverage for their ransom demands and valuable stolen data in hand.
The victim is left with a much bigger headache to deal with. Their breach response plan has to expand to assume that confidential business information and the personal data of employees and customers are now out in the world beyond their control. That means not only increased liability, but also increased potential for fines.
This new crop of ransomware operators is showing some business savvy beyond merely adding a layer of threat, however. They are making the process seem more like a legitimate retail transaction with things like discounts for early payment (Ragnarok offered EDP a discount for payment within two days of the initial ransom note) and even “customer service” via a live chat system.
However, everything comes back to the central focus of breach prevention — keeping employees from biting on phishing emails and clicking on malware links. James McQuiggan, security awareness advocate at KnowBe4, notes that the cost of ongoing employee training to improve awareness is likely to be no more than the cost of recovering from a breach of sensitive company files (or even substantially less): “This type of attack is prosperous for criminals since the organizations are paying to get their data back for amounts similar to what it costs to train employees. Organizations want to engage their employees with a robust security awareness training program. The program will allow the employees to make confident security decisions when it comes to spotting social engineering attacks and preventing ransomware attacks.”