An apparent Ragnar Locker ransomware attack on the parent company of EDP Renewables put information of some of its customers at risk although the firm said it has no evidence PII was accessed.
The attack could have exposed names and Social Security numbers stored in the company’s systems, though in a letter to customers, EDPR NA said it does not maintain other personal information like payment card data or driver’s license numbers.
Energias de Portugal experienced the attack on April 13 but EDPR NA didn’t learn until May 8 “that the attackers had gained unauthorized access to at least some information stored on [its] own information systems.”
“In the case of EDP Renewables, it appears the attack was contained to their enterprise systems and mainly confidential information regarding things like billing and contracts were targeted,” said Tripwire Vice President and General Manager of Industrial Cybersecurity Kristen Poulos, who noted that ransomware attacks are of concern to companies with both heavy IT and OT footprints. “Though that’s a significant challenge in and of itself, if such attacks were to permeate into the OT space (due to improper segmentation between IT and OT), they could infect systems critical to energy output, like HMIs and engineering workstations. Luckily, this did not appear to be the case this time.”
EDPR NA has taken measures to boost security, “implementing new IT processes and login requirements, including multifactor verification, to limit the likelihood of a recurrence,” the notification letter said.
“More advanced ransomware types, like Ragnar Locker, even threaten to leak data,” said Richard Cassidy, senior director of security strategy at Exabeam.
“We are seeing an uncommon but increasing trend of cybercriminals carrying out ransomware attacks by not only encrypting organizations’ systems but exfiltrating data and threatening to release it publicly as additional blackmail,” agreed Torsten George, cybersecurity evangelist at Centrify. “Only a small percentage of ransomware attacks take this extra step today, likely because it increases the risk of detection and identification of the attacker. The ones that do take this route, like in the case of the Energias de Portugal incident, are likely motivated by the extra payout they’ll receive if the company caves.”