Earlier this week, Energias de Portugal (EDP) was attacked by cybercriminals using the recently unveiled ransomware strain Ragnar Locker. EDP is a multinational organization in the energy sector with a presence in 19 countries, a workforce of 11,500, and a customer base of more than 11 million depending on their energy production. A leader in the field, EDP is counted as one of the largest European gas and electric energy operators and the world’s fourth-largest producer of wind power.

At the time of this writing, however, all of those operations have ceased.

A change in strategy from Ragnar Locker

Ragnar Locker is a virulent new strain of ransomware that was first identified in December 2019. To evade detection, the malware specifically targeted software used by managed service providers (MSPs), including ConnectWise and Kaseya. If not detected, this would open a number of doors for cybercriminals, as MSPs would unwittingly distribute the strain themselves.

In this latest attack, the cybercriminals deploying Ragnar Locker have changed strategies and directly infiltrated the EDP network – a major target, given its global footprint and the pressure the company would receive to quickly and quietly pay the ransom to get operations up and running again. Whether EDP caves to that pressure and pays to have their systems decrypted – an option cybersecurity experts don’t recommend – remains to be seen.

The EDP ransomware attack

As part of this week’s attack, cybercriminals claim to have accessed EDP group servers and downloaded more than 10 TB of sensitive company files, including employee login names, accounts, URLs, notes, and a KeePass password manager database. As proof, the attackers included a link in their ransom note that shows a sample of stolen files and screenshots of more, all of which, they threaten, will be published and distributed to EDP’s clients, partners, and competitors if their ransom isn’t paid.

Based on the screenshots, these cybercriminals stole confidential information related to billing, contracts, transactions, clients, and partners. They’re demanding 1,580 bitcoins, about $11 million, to unlock this data. That’s more than 18 times the highest Ragnar Locker ransom that news outlet Bleeping Computer has seen before, suggesting a level of confidence from the cybercriminals that they can expect a payday.

How Acronis could have helped

Acronis Cyber Protection solutions combine industry-leading data protection services with innovative AI-based cybersecurity technology to ensure that cyberthreats, including emerging strains like Ragnar Locker, are detected and stopped before they can do damage.

As Topher Tebow, a cybersecurity analyst at Acronis’ Arizona Cyber Protection Operations Center, shared in the video above, “this is a huge company and huge damage that could have been easily stopped by Acronis Active Protection,” the AI- and ML-based anti-malware feature found in many Acronis Cyber Protection solutions.

By constantly analyzing program behavior for unexpected or unusual actions, scanning existing backup files, and allowing users to establish custom program whitelists and blacklists, Acronis Active Protection has stopped more than 487,000 cyberthreats and today provides protection and peace of mind to more than 373,000 individual users, professional users, service providers, and more.

Final Thoughts

With the ongoing, unprecedented COVID-19 pandemic, users are spending more time on digital devices and businesses are forced to spread their network farther and into less secured environments. Cybercriminals like those who attacked EDP are well aware of these changes and are well prepared to exploit them. Make sure your data, applications, and systems are protected in these uncertain times with a new, modern approach to malware detection and elimination.
