UPDATED 23:57 EDT / JULY 07 2020

SECURITY

Energy company EDP Renewables confirms April ransomware attack

EDP Renewables North America LLC has confirmed that it was targeted in a ransomware attack, with the company advising that those behind the attack gained unauthorized access to some information stored on its information systems.

The attack was first reported in April and is believed to have involved the use of Ragnar Locker ransomware. Ragnar Locker is a form of ransomware that attacks Microsoft Windows and usually targets software used by managed service providers, with the aim of preventing the attack from being detected and stopped.

Once successfully deployed on a targeted computer or network, Ragnar Locker first performs reconnaissance and pre-deployment tasks, including stealing the victim’s files, before encrypting files and demanding a ransom.

In this case, it’s believed that those behind the Ragnar Locker attack demanded a 1580 bitcoin ($14.67 million) ransom with a threat that if the ransom wasn’t paid, they would publish more than 10 terabytes of information stolen from EDP’s network. The company refused to pay the ransom.

In a letter to customers, EDP claimed that it had no evidence that those behind the ransomware attack had obtained personally identifiable information. Despite that claim, the company, which has 11 million customers across 19 countries, is offering one year of identity protection services from Experian IdentityWorks for free “as a proactive measure.”

“The pattern that jumps out at me is that the critical infrastructure sectors are a continuing and growing target of attack for this type of extortive crime despite global law enforcement efforts,” Michael Daly, chief technology officer at Raytheon Intelligence & Space, a division of defense and aerospace company Raytheon Technologies Inc., told SiliconANGLE. “I think it’s extremely important to conduct cyberthreat hunting after such a breach and it is truly good practice to have a continuous hunting campaign, as through a managed detection and response service. In cases like this, the criminals maintain footholds in order to jump back in, and to jump to other business adjacent enterprises.”

Torsten George, cybersecurity evangelist at cybersecurity firm Centrify Corp., noted that “we are seeing an uncommon but increasing trend of cybercriminals carrying out ransomware attacks by not only encrypting organizations’ systems but exfiltrating data and threatening to release it publicly as additional blackmail.”

“Only a small percentage of ransomware attacks take this extra step today, likely because it increases the risk of detection and identification of the attacker,” George explained. “The ones that do take this route, like in the case of the Energias de Portugal [EDP] incident, are likely motivated by the extra payout they’ll receive if the company caves.”

Image: EDP Renewables
