In a letter to its customers, energy company EDP North America has confirmed it was hit by a ransomware cyber attack. According to a draft of the letter, dated June 30, the company’s information systems were infected with the ransomware on April 13 of this year.
“EDP Renewables North America LLC (“EDPR NA”) values its landowners and is committed to protecting your personal information,” the letter says. “Unfortunately, we recently learned that we were the victim of a cyber-attack. We are writing to inform you about this information security incident and to share with you the steps EDPR NA is taking to address it.”
According to a report by BleepingComputer earlier this year, the attackers used Ragnar Locker ransomware. As part of the ransomware cyber attack, EDP was asked to pay a ransom of 1580 bitcoins, which is estimated to equal more than $10 million.
In the ransom note, the attackers claim they were able to steal confidential information on billing, contracts, transactions, clients, and partners. Attackers threatened to publicly release the data they stole.
“The parent corporation immediately began investigating with the assistance of leading computer forensic experts,” the letter says. “The parent corporation also promptly involved relevant law enforcement authorities. On May 8, 2020, EDPR NA learned, for the first time, that the attackers had gained unauthorized access to at least some information stored on the Company’s own information systems. Since then, EDPR NA has worked diligently and on an expedited basis to identify the individuals potentially affected by this incident.”
EDP delivers energy to more than 11 million customers. It is the fourth largest producer of wind energy in the world and one of the largest energy sector operators in Europe.
EDP’s information systems include personal customer information such as names and social security numbers. However, the company says there is no evidence to suggest the ransomware cyber attack allowed attackers to access personal customer information.
To help protect customers, EDP is offering them one year of free identity protection services through the Experian credit bureau. This includes identity restoration services, fraud detection tools, and credit monitoring.
“EDPR NA takes seriously both the security of your personal information and this incident,” the letter says. “In response to this incident, we have taken steps to enhance the security for your personal information, such as implementing new IT processes and login requirements, including multifactor verification, to limit the likelihood of a recurrence. EDPR NA sincerely apologizes for this incident and regrets any inconvenience it may cause you.”
According to a May report by cybersecurity company Sophos, Ragnar Locker ransomware is deployed as a full virtual machine on each targeted device to hide the ransomware from view. This allows it to run unhindered, because it is out of reach of security software running on the physical host machine.
“In past attacks, the Ragnar Locker group has used exploits of managed service providers or attacks on Windows Remote Desktop Protocol (RDP) connections to gain a foothold on targeted networks,” the report says. “After gaining administrator-level access to the domain of a target and exfiltration of data, they have used native Windows administrative tools such as PowerShell and Windows Group Policy Objects (GPOs) to move laterally across the network to Windows clients and servers.”