Criminals demand 10 million euros after a ransomware attack on the EDP group.

— EN version of: https://seguranca-informatica.pt/criminosos-exigem-10-milhoes-de-euros-depois-de-ataque-ransomware-a-edp

On April 13th, 2020, some Portuguese media outlets reported that the Portuguese electricity giant Energias de Portugal (EDP) had been hit by a computer attack and that the criminals are now asking for a ransom of 10 million euros.

EDP suffered a computer attack on the morning of April 13th, which is affecting customer service systems.

EDP’s information systems have been partially blocked, but customer data has reportedly not been breached, and the power grid supply systems are not at risk.

According to JN, “hackers accessed an EDP server and extracted a large amount of information, not yet quantified, which may be sensitive.”

In a dark web forum, a post was made during the day in which the criminals demand 1580 bitcoins, the equivalent of 9.8 million euros.

The criminals also said in the post that they will wait 3 days for the ransom payment before making the details public.

In the same post, apparently to demonstrate that they are in fact in possession of sensitive information, the hackers disclose the names of folders downloaded from EDP’s server.

According to MalwareHunterTeam, images of the ransom note from the group that carried out the attacks against EDP’s systems were released. In the ransom note, the criminals say that they managed to infiltrate the company’s internal network, encrypting the files with the “RagnarLocker” ransomware.

This ransomware is known for targeting companies and important public-sector entities. It may have entered the company’s internal network through the support tools that were attacked first, the same support tools that EDP confirmed were affected by the attack.

To show how critical this incident is, and also as a way of proving the data exfiltration, the criminals showed some images of sensitive EDP files. Although not all files are visible, it is possible to see that information was potentially accessed, including data from customers and partners.

According to SI-LAB, the computer attack occurred weeks before April 13th. Evidence of this is the upload date of the first samples left by the criminals on the remote server: April 6th, 2020.

The ransom page, which was reportedly sent to EDP, confirms that 1580 bitcoins are being demanded so that the information is not shared within the next few days. At the current bitcoin price, this corresponds to approximately 10 million euros.

As observed, the associated bitcoin wallet has not yet received any payments. On the ransomware page, which includes a chat system for direct conversation with the attackers, there is also no response from EDP.

Even though EDP has revealed few details, it is known that this was a ransomware attack (Ransom:Win32/RagnarLocker!MSR) and that the criminals now hold private data.
Despite the difficulty in identifying entry points and vulnerabilities, the CNPD (Portuguese GDPR regulator) has already been notified of the incident, although it is not known what information, and of what type, was affected.

In Portugal, several attacks of this type have been observed since last year. One of the combinations used by criminals to break into organizations and breach their data has been the triple chain: Emotet + TrickBot + Ryuk.

Generally, criminals infect one or more unprivileged computers in the Active Directory (AD) forest through phishing, and later deploy a backdoor via another stage (e.g., TrickBot).

From there, it is possible to enumerate the organization’s AD forest and obtain the shortest path to a specific target (a target computer or the domain controller itself). Once they have access to the network via an unprivileged domain account, the criminals take advantage of infrastructure configuration weaknesses to reach their goal.

To close the chain, the criminals launch the ransomware and demand a ransom from the organization based on its size and on the type of data exfiltrated.

So far, EDP has not released technical details about the attack. It is known that the ransomware used was RagnarLocker and that the criminals hold about 10TB of data.

The name of the criminal group is also not known, but it is known that the group has exfiltrated data from other organizations, such as:

Leaks from Catania, Mahon & Rider, PLLC
Leaks from EDP Group
Leaks from Birch Communications Inc.

Technical details about the ransomware – RagnarLocker

Vitali Kremez, in a post on Twitter, also mentions that this malware has mechanisms to hinder recovery: a remote service killer (to prevent easy recovery) that stops backup and database services and remote-management tools: LogMeIn | ConnectWise | Splashtop | Pulseway.
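Because the service killer described above runs shortly before encryption, a burst of stopped remote-management, backup and database services is a useful detection signal. The following is an added example (not code from the article, EDP or the researchers quoted) that scans constructed Windows System-log export lines for Event ID 7036 stop events; the service name fragments and log format are assumptions.

```python
# Added example: flag bursts of stopped backup / remote-management services
# (the behaviour RagnarLocker is reported to show before encrypting).
# Input is a constructed "timestamp,event_id,message" export of Event ID 7036.
import re
from datetime import datetime, timedelta

# Name fragments for the tools named in the article plus generic backup /
# database terms; assumption: adjust to the service names in your estate.
WATCHED = ("logmein", "connectwise", "splashtop", "pulseway",
           "backup", "sql", "veeam", "vss")

# Constructed sample export, one "timestamp,event_id,message" per line.
SAMPLE_LOG = """\
2020-04-06T02:10:01,7036,The LogMeIn service entered the stopped state.
2020-04-06T02:10:02,7036,The ConnectWise Control Client service entered the stopped state.
2020-04-06T02:10:02,7036,The Splashtop Streamer service entered the stopped state.
2020-04-06T02:10:03,7036,The Pulseway service entered the stopped state.
2020-04-06T02:10:04,7036,The SQL Server (MSSQLSERVER) service entered the stopped state.
2020-04-06T09:30:00,7036,The Print Spooler service entered the stopped state.
2020-04-06T09:30:01,7036,The Print Spooler service entered the running state.
"""

STOP_RE = re.compile(r"^The (.+?) service entered the stopped state\.$")

def parse_stops(text):
    """Return (timestamp, service) for every 7036 stop of a watched service."""
    stops = []
    for line in text.strip().splitlines():
        ts, event_id, msg = line.split(",", 2)
        match = STOP_RE.match(msg)
        if event_id != "7036" or not match:
            continue
        name = match.group(1)
        if any(w in name.lower() for w in WATCHED):
            stops.append((datetime.fromisoformat(ts), name))
    return stops

def find_kill_burst(stops, window=timedelta(seconds=60), threshold=3):
    """Sliding window over sorted stops; return the services in the largest
    window holding at least `threshold` stops, or [] if none qualifies."""
    stops = sorted(stops)
    best, i = [], 0
    for j in range(len(stops)):
        while stops[j][0] - stops[i][0] > window:
            i += 1                      # drop stops older than the window
        if j - i + 1 >= threshold and j - i + 1 > len(best):
            best = [name for _, name in stops[i:j + 1]]
    return best
```

On the sample, `find_kill_burst(parse_stops(SAMPLE_LOG))` returns the five watched services stopped within three seconds, while the routine Print Spooler restart is ignored.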

Insight: The #ransomware leverages the “.keys” PE section to store config details.

Sample (EDP): www.virustotal.com/gui/file/68eb2d2d7866775d6bf106a914281491d23769a9eda88fc078328150b8432bb3/detection

At this time, the EDP group has been working to identify IOCs related to the attack and has prioritized the recovery of critical services in its infrastructure, with authentication services first.

The company has already reported the attack to the authorities, and the hackers are demanding a ransom of ten million euros to release the encrypted information.

YARA rule

////////////////////////////////////////////////////////
///////////////////// RAGNALOCKER //////////////////////
////////////////////////////////////////////////////////

import "pe"

rule crime_win32_ransom_ragnarlocker_1 {
meta:
  description = "Detects RagnarLocker"
  author = "@VK_Intel"
  tlp = "white"
  date = "2020-04-15"

strings:
    $str1 = ".ragnar_" wide
    $str2 = "RGNR_" wide
    $str3 = "---RAGNAR SECRET---"

    $section = ".keys"

    $start_code = { 53 8b dc 83 ec 08 83 e4 f0 83 c4 04 55 8b ?? ?? 89 ?? ?? ?? 8b ec b8 08 24 00 00 e8 ?? ?? ?? ?? 56 57 e8 ?? ?? ?? ?? 8d ?? ?? c7 ?? ?? ?? ?? ?? ?? 50 8d ?? ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8d ?? ?? 50 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 68 c0 81 40 00 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 68 00 82 40 00 68 c0 81 40 00 e8 ?? ?? ?? ?? 68 18 82 40 00 68 30 82 40 00 8b f8 e8 ?? ?? ?? ?? 83 c4 10 8b f0 8d ?? ?? ?? ?? ?? 57 50 a1 ?? ?? ?? ?? ff d0 56 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 8d ?? ?? ?? ?? ?? 50 ff ?? ?? ?? ?? ?? 8d ?? ?? ?? ?? ?? 50 e8 ?? ?? ?? ?? 89 ?? ??}

condition:
    ( uint16(0) == 0x5a4d and ( 4 of them ) ) or ( all of them )
}

Ransom note

*****************************************************************************************************************
                                              HELLO EDP.com !
 If you reading this message, then your network was PENETRATED and all of your files and data has been ENCRYPTED
                             
                                              by RAGNAR_LOCKER !

*****************************************************************************************************************

                                              !!!!! WARNING !!!!!

DO NOT Modify, rename, copy or move any files or you can DAMAGE them and decryption will be impossible.
DO NOT use any third party or public decryption software, it also may damage files.
DO NOT Shutdown or reset your system
-------------------------------------

There is ONLY ONE possible way to get back your files - contact us and pay for our special decryption key !
For your GUARANTEE we will decrypt 2 of your files FOR FREE, as a proof of our capabilities

Don't waste your TIME, the link for contacting us will be deleted if there is no contact made in closest future and you will never restore your DATA.
HOWEVER if you will contact us within 2 day since get penetrated - you can get a very SPECIAL PRICE.

ATTENTION !
We had downloaded more than 10TB of data from your fileservers and if you don't contact us for payment, we will publish it or sell to interested parties.
Here is just a small part of your files that we have, for a proof (use Tor Browser for open the link) : http://xxxxxxxxxxxxxxxxx

We gathered the most sensitive and confidential information about your transactions, billing, contracts, clients and partners. And be assure that if you wouldn't pay,
all files and documents would be publicated for everyones view and also we would notify all your clients and partners about this leakage with direct links.
So if you want to avoid such a harm for your reputation, better pay the amount that we asking for.

==============================================================================================================
! HERE IS THE SIMPLE MANUAL HOW TO GET CONTACT WITH US VIA LIVE CHAT !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

a) Download and install TOR browser from this site : https://xxxxxxxxxxxx
b) For contact us via LIVE CHAT open our website : http:/xxxxxxxxxxxxxxxxxxxxxxxxx
c) For visit our NEWS PORTAL with your data, open this website : http://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
d) If Tor is restricted in your area, use VPN

When you open LIVE CHAT website follow rules :

Follow the instructions on the website.
At the top you will find CHAT tab. 
Send your message there and wait for response (we are not online 24/7, So you have to wait for your turn).



***********************************************************************************

---RAGNAR SECRET---
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
---RAGNAR SECRET---

***********************************************************************************