Ragnar Locker’s ransomware attack on Energias de Portugal (EDP) and its subsequent 1,580 bitcoin, or $11 million, ransom demand indicates the attack was well thought out with the attacker fully understanding it’s victim’s financial capabilities.

James McQuiggan, security awareness advocate at KnowBe4, told SC Media that Ragnar Locker’s general modus operandi is to charge a ransom of 25 bitcoin per system encrypted so by doing the math about 60 systems are involved in this attack. Even though this is a very high demand, it is believed Ragnar Locker knew it landed a big fish.

“With the current rate of one Bitcoin for about $7,000, it would seem like a very high amount for a consumer or small business trying to pay approximately $175,000 for one system. However, this group knew they got into a large enterprise organization, and whether it could pay or not, a negotiation of one BTC for each system, could still net them about $420,000,” McQuiggan said.

In addition to encrypting the systems, Ragnar Locker has also threatened to release the data publicly if the ransom is not paid.

Headquartered in Lisbon, EDP had generated about $14.5 billion in revenue in 2019, a number the attackers certainly considered.

“Knowing that the target organization is a global billion-euro profitable company, they realize they can get a substantial amount in ransom if EDP decides to pay,” McQuiggan said.

The Maze and Doppelpaymer ransomware gangs are also known to take a look at a potential target’s financial reports using them as a basis for their demands.

And while the size of the EDP ransom is among the largest known so far the energy concern is not alone in having to make a tough choice. Travelex reportedly, but refuses to confirm, paid $2.3 million after being hit with Nemty software, Riviera Beach, Fla. paid $600,000, Jackson County, Ga. shelled out $400,000 joining dozens of other business and government leaders who did the calculus and decided paying was the best option.

Irfahn Khimji, country manager, Canada at Tripwire, said EDP’s leaders are find themselves in the same choice on their hands.

“At a request for 1580 bitcoin (approximately $11M), the executives in this situation would need to weigh that cost against the cost of recovering their data and operations themselves.  Furthermore, even if they choose to pay that amount, they will still need to better their defenses in case of future attacks,” Khimji said.

Making matters more difficult for EDP is that Ragnar Locker has already posted samples of the data it has encrypted and stolen. Bleeping Computer reported the data included a KeyPass password manager database, employee logins and accounts also appeared in the stolen information.