Energias de Portugal (EDP) Fell Victim to the “Ragnar Locker” Ransomware

Last updated June 23, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

Hackers have managed to cripple the systems of Energias de Portugal (EDP) using the Ragnar Locker ransomware strain. EDP is Portugal’s largest electric and gas energy provider, and also a big player in the Spanish, U.S., Brazilian, and South Chinese market. That said, the ransom that the actors are asking for now is naturally a hefty one, set at 1,580 BTC, which is the equivalent of approximately $10.8 million. In addition to locking files, the attackers have also exfiltrated the data, and they are now threatening to leak sensitive documents.

This continues the trend of ransomware actors who are not limited to infecting the victim’s systems but also engage in continual extortion by using stolen files. In this particular case, the actors have seized more than ten terabytes of data, some of which EDP would prefer to keep private. The hackers have even published screenshots of the stolen files to prove that they indeed possess the claimed contracts, billing details, transactions, etc.

Leak site

Source: Bleeping Computer

They are now threatening to publish the files in various online blogs and journals, while also notifying all of EDP’s clients, partners, and competitors. It is a catastrophic development for the energy giant, who is now forced to negotiate with unreliable crooks. Even if the company decides to pay the ransom, there’s nothing that would guarantee the confidentiality of the stolen data.

The actors plan to leak the stolen files in parts, and from what they unveiled in the published images, they hold password manager databases, employees’ network login credentials, notes, URLs, and other sensitive data that they have neatly bundled in individual packs. As for the ransom note to EDP, this is given below. In it, the actors provide instructions on how to respond to this crisis, offering a secure communication portal via a chat room. EDP’s agents are even advised to be patient, as the actors aren’t in the chat room 24/7.

ransom note

Source: Bleeping Computer

We are pretty sure that those who determine the cyber-security budget in EDP are now dealing with a blow of regret and contrition, but they should have known better. Ragnar Locker has been attacking large corporations for over four months now, delivered via MSP enterprise support tools like ConnectWise and Kaseya remote management software solutions. EDP had the time to mitigate these risks and should have paid attention to the news when the actors were requesting $200k to $600k. Not doing so will now cost them millions in ransom payments, business disruption, confidential data exposure, and IT systems cleanup.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: