In the past few months, we have seen a major increase in ransomware operations targeting the Energy Industry Vertical, taking advantage of this sector’s role in critical national infrastructure. In April specifically, Energias de Portugal, a major player in the energy industry that operates in 19 countries across four continents, reported suffering a ransomware attack from the Ragnar Locker ransomware family. In addition to encrypting data, the ransomware operators exfiltrated 10 TB of data and threatened to ‘publish this Leak in Huge and famous journals and blogs, also we will notify all your clients, partners and competitors’. The ransom demand in this attack was 1580 Bitcoins which, at the time of writing, converts to approximately $15 million.

All indicators considered, this was not an attack against service availability. The attack did not affect energy supply to customers. The ransomware operators targeted, exfiltrated and encrypted sensitive data, but fell short of impacting vital operations systems. It is difficult to evaluate whether this was done on purpose, but this Modus Operandi might be explained by the fact that ransomware operators mainly consist of cyber-criminal gangs, whose primary goal is monetization.

They will therefore execute actions leading to that goal: ransom payment. A severe blow to the targeted victim, such as a total and disastrous impact with unavailability of all systems, might work against the ransom being paid. The reason is that, in the critical infrastructure realm, service availability is a priority function. An attack that completely knocks out, for example, an electric supplier is likely to trigger government contingency plans on the electric grid to minimize the risk of blackouts and outages. This would remove the immediate urgency factor, which could lead the victim to focus on slowly rebuilding the network infrastructure rather than paying the ransom for immediate decryption.

Other ransomware victims in the Energy Industry Vertical have not been so ‘lucky’. In February, the US Cybersecurity and Infrastructure Security Agency (CISA) responded to a ransomware attack targeting an undisclosed natural gas compression facility. In this attack, the ransomware operators first breached the information technology (IT) network and then pivoted to the operational technology (OT) network where the Industrial Control Systems (ICS) reside. This attack caused the facility operators to lose visibility on the OT devices. It is worth noting that the ransomware operators never managed to impact programmable logic controllers (PLCs), as the ransomware was designed to target Windows systems, which the PLCs were not.

Upon a closer look, OT systems are unlikely to avoid compromise: In February, researchers from Dragos identified a variant of the Ekans ransomware designed to target Industrial Control Systems. This ransomware variant has the capability of deploying on Windows machines in the IT network and can also run and manipulate data on OT systems, with the capability of terminating 60 industrial processes from multiple ICS vendors such as GE and Honeywell. This latest Ekans ransomware variant has not yet been leveraged in a cyber-attack in the wild, but it is currently available for sale on underground markets.

The impact of a ransomware attack targeting OT systems can be extremely severe as, depending on the victim, it could bring about massive blackouts, outages and kinetic damage by targeting ICS systems.

As the ransomware landscape swiftly evolves, 2020 saw new Modus Operandi being put into place by ransomware operators to maximize the monetization effort. As we saw in the case of the ransomware attack against EDP, in addition to encrypting the data, ransomware operators are exfiltrating data and using it for further monetization purposes. These are new techniques that are becoming common in ransomware attacks. One technique consists of using the threat of leaking the data as additional leverage to pressure the victim into paying the ransom. Another technique simply consists of selling the exfiltrated data online in case the ransom is not paid.

A good example of these new trends is the March ransomware attack against Ohio-based LTI Power Systems. In this case, the operators exfiltrated the data in addition to encrypting it locally. The data consisted of schematics and drawings related to two Missouri power plants: Ameren Sioux Power Plant and Labadie Power Plant. This is particularly interesting as it might shed some light on the ransomware operators’ intentions. The ransomware operators might have been interested in simply selling the data for monetization purposes. A more sinister alternative analysis hypothesis suggests that the ransomware operators, or the threat actors purchasing the schematics and drawings, want to familiarize themselves with these two power plants before executing a new cyber-attack or have been conducting operational preparation of the environment. While this hypothesis is speculative and has no corroborating evidence for the time being, it would not be the first time threat actors purchase data stolen by other threat actors to profile a target.

The energy industry vertical is an extremely important part of any nation’s critical infrastructure. This makes it very appealing to ransomware operators as the vital nature of its services provides further leverage to the ransomware operators in the extortion/monetization process.


Ippolito Forni is a Cyber Threat Analyst at EclecticIQ, provider of intelligence-powered cybersecurity for government organisations and commercial enterprises. EclecticIQ’s solutions are built specifically for analysts across all intelligence-led security practices such as threat investigation, and threat hunting, as well as incident response efforts.