— EN version of: https://seguranca-informatica.pt/criminosos-exigem-10-milhoes-de-euros-depois-de-ataque-ransomware-a-edp
On April 13th, 2020, several Portuguese media outlets reported that the electricity giant Energias de Portugal (EDP) had been hit by a computer attack and that the criminals are now demanding a ransom of 10 million euros.
EDP suffered the attack on the morning of April 13th, and it is affecting customer service systems.
EDP’s information systems have been partially blocked, but customer data has reportedly not been breached, nor are the power grid supply systems at risk.
According to JN, “hackers access an EDP server and extract a lot of information that has not yet been quantified, which can be sensitive.”
During the day, a post appeared on a dark web forum in which the criminals demand 1580 bitcoins, the equivalent of 9.8 million euros.
The criminals also state in the post that they will wait 3 days for the ransom payment before making the details public.
In the same post, apparently to demonstrate that they really are in possession of sensitive information, the hackers disclose the names of folders downloaded from EDP’s server.
According to MalwareHunterTeam, images of the ransom note left by the group that attacked EDP’s systems were released. In the note, the criminals say they infiltrated the company’s internal network and encrypted its files with the “RagnarLocker” ransomware.
This ransomware is known for targeting companies and major public-sector entities. It may have entered EDP’s internal network through the support tools that were attacked first, and EDP confirmed that the attack was being carried out from there.
Hearing news that Ragnar Locker ransomware actors pwned the network of Energias de Portugal / EDP Group & asking for ~10 million EUR.
Looking at the screenshots they published on their “news” site, it’s possible they really had access to TBs of data…@demonslay335
cc @VK_Intel pic.twitter.com/YHnmE0lREV
— MalwareHunterTeam (@malwrhunterteam) April 14, 2020
To show how critical the incident is, and also to prove the data exfiltration, the criminals published images of sensitive EDP files. Although not all files are visible, it is possible to see that the accessed information potentially includes data on customers and partners.
According to SI-LAB, the attack occurred weeks before April 13th. The proof is the upload date of the first samples the criminals left on the remote server: April 6th, 2020.
The ransom page reportedly sent to EDP confirms that 1580 bitcoins are being demanded so that the information is not released within the next few days. At the current bitcoin price, this corresponds to approximately 10 million euros.
As observed, the associated bitcoin wallet has not yet received any payments. On the ransomware page, which hosts a chat system for talking directly to the attackers, there is also no response from EDP.
In Portugal, several attacks of this type have been observed since last year. One of the cocktails criminals use to break into organizations and steal their data has been the triple chain Emotet + TrickBot + Ryuk.
Typically, criminals infect one or more unprivileged computers in the Active Directory (AD) forest through phishing, and then deploy a backdoor in a later stage (e.g., TrickBot).
From there, they can enumerate the organization’s AD forest and find the shortest path to a specific target (a particular computer or the domain controller itself). Once they have access to the network through an unprivileged domain account, the criminals take advantage of infrastructure misconfigurations to reach their goal.
To close the chain, the criminals launch the ransomware and demand a ransom from the organization, sized according to the organization and the type of data exfiltrated.
So far, there are no technical details from EDP about the attack. It is known that the ransomware used was RagnarLocker and that the criminals hold about 10TB of data.
The name of the criminal group is also not known, but the group is known to have exfiltrated data from other organizations, such as:
Leaks from company EDP Group
Leaks Company Birch Communications inc.
Technical details about ransomware – RagnarLocker
Vitali Kremez, in a post on Twitter, also notes that this malware has mechanisms to prevent easy recovery: a remote service killer that stops remote-management, backup and database services (LogMeIn, ConnectWise, Splashtop, Pulseway).
2020-04-14:🆕🔥#RagnarLocker (!Ragnarok) #Ransomware🔒
🇵🇹Extorting Energias de Portugal Group for 10 Mil Euro🔦Remote Service Killer (Prevent Easy Recovery) + Backup & Database:
LogMein | ConnectWise | Splashtop| PulsewayPrev↘️https://t.co/AvlDfLkx3a
h/t @malwrhunterteam pic.twitter.com/1TzagS8pUZ
— Vitali Kremez (@VK_Intel) April 14, 2020
Insight: The #ransomware leverages “.keys” PE section to store config details.
Sample EDP: www.virustotal.com/
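The “Remote Service Killer” behaviour described above (stopping remote-management, backup and database services before encrypting) leaves a trace in the Windows System log: a burst of Service Control Manager event 7036 “stopped” events. The Python script below is an added illustration, not part of the original post or of any EDP or VK_Intel tooling; it scans constructed sample lines in a simplified pipe-separated shape and alerts when several watch-listed services stop within one minute. The keyword list, the 60-second window and the 3-service threshold are assumptions.

```python
from datetime import datetime, timedelta

# Remote-management tools named in the tweet above, plus generic backup/database
# keywords (assumption: the tweet names no specific backup or database product).
WATCH_KEYWORDS = ("logmein", "connectwise", "splashtop", "pulseway", "backup", "sql")
WINDOW = timedelta(seconds=60)   # assumption: burst window
THRESHOLD = 3                    # assumption: distinct services needed to alert

# Constructed sample lines: "<ISO time>|<event id>|<service>|<state>".
# Event 7036 is the Service Control Manager's "entered the <state> state" event.
SAMPLE_LOG = """\
2020-04-06T02:11:03|7036|Print Spooler|stopped
2020-04-06T02:11:05|7036|LogMeIn|stopped
2020-04-06T02:11:06|7036|ConnectWise Control Agent|stopped
2020-04-06T02:11:09|7036|SQLSERVERAGENT|stopped
2020-04-06T02:11:10|7036|Splashtop Remote Service|stopped
2020-04-06T09:30:00|7036|Pulseway|stopped
2020-04-06T09:30:02|7036|Pulseway|running
"""

def parse_stop_events(log):
    """Return (timestamp, service) for every 7036 'stopped' event of a watched service."""
    out = []
    for line in log.splitlines():
        ts, event_id, service, state = line.split("|", 3)
        if event_id == "7036" and state == "stopped" \
                and any(k in service.lower() for k in WATCH_KEYWORDS):
            out.append((datetime.fromisoformat(ts), service))
    return out

def find_kill_bursts(log, window=WINDOW, threshold=THRESHOLD):
    """Sliding window over stop events; one alert (start, end, services) per burst
    in which at least `threshold` distinct watched services stopped within `window`."""
    events = sorted(parse_stop_events(log))
    alerts, i = [], 0
    while i < len(events):
        start, j = events[i][0], i
        while j < len(events) and events[j][0] - start <= window:
            j += 1
        services = sorted({s for _, s in events[i:j]})
        if len(services) >= threshold:
            alerts.append((start, events[j - 1][0], services))
            i = j            # consume the whole burst
        else:
            i += 1
    return alerts

if __name__ == "__main__":
    for start, end, services in find_kill_bursts(SAMPLE_LOG):
        print(f"ALERT {start} - {end}: {len(services)} watched services stopped: {services}")
```

On a real host the same logic would be fed from the System event log (event 7036) instead of the constructed lines.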
At this time, the EDP group is working to identify IOCs for the attack and has prioritized restoring the critical services in its infrastructure, starting with authentication services.
Yara Rule
////////////////////////////////////////////////////////
///////////////////// RAGNARLOCKER /////////////////////
////////////////////////////////////////////////////////
import "pe"

rule crime_win32_ransom_ragnarlocker_1 {
    meta:
        description = "Detects RagnarLocker"
        author = "@VK_Intel"
        tlp = "white"
        date = "2020-04-15"
    strings:
        $str1 = ".ragnar_" wide
        $str2 = "RGNR_" wide
        $str3 = "---RAGNAR SECRET---"
        $section = ".keys"
        $start_code = { 53 8b dc 83 ec 08 83 e4 f0 83 c4 04 55 8b ?? ?? 89 ?? ?? ?? 8b ec b8 08 24 00 00 e8 ?? ?? ?? ?? 56 57 e8 ?? ?? ?? ?? 8d ?? ?? c7 ?? ?? ?? ?? ?? ?? 50 8d ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8d ?? ?? 50 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 68 c0 81 40 00 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 68 00 82 40 00 68 c0 81 40 00 e8 ?? ?? ?? ?? 68 18 82 40 00 68 30 82 40 00 8b f8 e8 ?? ?? ?? ?? 83 c4 10 8b f0 8d ?? ?? ?? ?? ?? 57 50 a1 ?? ?? ?? ?? ff d0 56 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 89 ?? ?? }
    condition:
        ( uint16(0) == 0x5a4d and ( 4 of them ) ) or ( all of them )
}
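The rule above keys on three strings and on the “.keys” PE section name noted earlier. As an added example (not the rule author's code), the Python below parses the PE section table with the standard library only, mirrors those four checks and flags a file when enough of them hit; the opcode pattern $start_code is not replicated, so the 3-of-4 threshold and the constructed mini-PE used as input are assumptions.

```python
import struct

# Markers taken from the Yara rule above ("wide" means UTF-16LE in Yara).
WIDE_MARKERS = {".ragnar_": ".ragnar_".encode("utf-16-le"),
                "RGNR_": "RGNR_".encode("utf-16-le")}
ASCII_MARKER = b"---RAGNAR SECRET---"
SUSPECT_SECTION = ".keys"   # PE section RagnarLocker uses to store its config

def pe_section_names(data: bytes) -> list:
    """Walk the PE section table and return the section names ([] if not a PE)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    # COFF header: skip Machine, read NumberOfSections, skip TimeDateStamp/
    # PointerToSymbolTable/NumberOfSymbols, read SizeOfOptionalHeader, skip Characteristics.
    num_sections, opt_size = struct.unpack_from("<2xH12xH2x", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size            # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        off = table + 40 * i                     # each section header is 40 bytes
        if off + 40 > len(data):
            break                                # truncated table: stop, don't crash
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names

def ragnar_indicators(data: bytes):
    """Mirror the rule's string and section checks; returns (score, hits)."""
    hits = {name: marker in data for name, marker in WIDE_MARKERS.items()}
    hits["---RAGNAR SECRET---"] = ASCII_MARKER in data
    hits[".keys section"] = SUSPECT_SECTION in pe_section_names(data)
    return sum(hits.values()), hits

def is_suspicious(data: bytes, threshold: int = 3) -> bool:
    """Flag an MZ file when at least `threshold` of the four indicators hit.
    The rule's $start_code opcode pattern is not replicated, so the threshold is an assumption."""
    return data[:2] == b"MZ" and ragnar_indicators(data)[0] >= threshold

def build_sample_pe(section_names, payload: bytes) -> bytes:
    """Constructed minimal PE32 image (not a real binary) for exercising the checks."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt = b"\0" * 224                                              # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + opt + sections + payload

if __name__ == "__main__":
    sample = build_sample_pe([b".text", b".keys"], WIDE_MARKERS["RGNR_"] + ASCII_MARKER)
    print(pe_section_names(sample), ragnar_indicators(sample), is_suspicious(sample))
```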
Ransom note
*****************************************************************************************************************
HELLO EDP.com !
If you reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED by RAGNAR_LOCKER !
*****************************************************************************************************************
!!!!! WARNING !!!!!
DO NOT Modify, rename, copy or move any files or you can DAMAGE them and decryption will be impossible.
DO NOT use any third party or public decryption software, it also may damage files.
DO NOT Shutdown or reset your system
-------------------------------------
There is ONLY ONE possible way to get back your files - contact us and pay for our special decryption key !
For your GUARANTEE we will decrypt 2 of your files FOR FREE, as a proof of our capabilities
Don't waste your TIME, the link for contacting us will be deleted if there is no contact made in closest future and you will never restore your DATA.
HOWEVER if you will contact us within 2 day since get penetrated - you can get a very SPECIAL PRICE.
ATTENTION !
We had downloaded more than 10TB of data from your fileservers and if you don't contact us for payment, we will publish it or sell to interested parties.
Here is just a small part of your files that we have, for a proof (use Tor Browser for open the link) :
http://xxxxxxxxxxxxxxxxx
We gathered the most sensitive and confidential information about your transactions, billing, contracts, clients and partners.
And be assure that if you wouldn't pay, all files and documents would be publicated for everyones view and also we would notify all your clients and partners about this leakage with direct links.
So if you want to avoid such a harm for your reputation, better pay the amount that we asking for.
==============================================================================================================
! HERE IS THE SIMPLE MANUAL HOW TO GET CONTACT WITH US VIA LIVE CHAT !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
a) Download and install TOR browser from this site : https://xxxxxxxxxxxx
b) For contact us via LIVE CHAT open our website : http:/xxxxxxxxxxxxxxxxxxxxxxxxx
c) For visit our NEWS PORTAL with your data, open this website : http://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
d) If Tor is restricted in your area, use VPN
When you open LIVE CHAT website follow rules :
Follow the instructions on the website.
At the top you will find CHAT tab.
Send your message there and wait for response (we are not online 24/7, So you have to wait for your turn).
***********************************************************************************
---RAGNAR SECRET---
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
---RAGNAR SECRET---
***********************************************************************************