Encevo Group, an energy corporation based in Luxembourg, is dealing with an ongoing cyberattack by the ransomware-as-a-service gang BlackCat. Some digital services remain disrupted 12 days after the attack began, but the company says that energy supply has not been affected. Researchers believe BlackCat includes former members of DarkSide, the now-defunct ransomware group that attacked US fuel pipeline operator Colonial Pipeline in 2021.
Encevo Group cyberattack: In a dark web blog post on 29 July, BlackCat, also known as AlphV, claimed to have stolen 150 GB of data from Encevo Group, including contracts, agreements, passports, bills and emails. “At Monday we gonna publish the data we have,” it wrote, presumably having demanded a ransom. Encevo Group revealed last week that two of its subsidiaries, electricity network and gas pipeline operator Creos and energy supplier Enovos, suffered a cyberattack on the night of 22 July that was “negatively impacting” their customer-facing portals. It later confirmed that “a number of data were exfiltrated from computer systems or made inaccessible by hackers” during the attack. “The group is currently making every effort to analyze the hacked data,” it said. “For the moment, the Encevo Group does not yet have all the information necessary to personally inform each person concerned.” As of 1 August, Enovos’ customer portal is still unavailable, citing a “technical problem.”
BlackCat / AlphV is a ransomware strain that encrypts victims’ files with AES, according to research by security company Emsisoft. It was first detected in November 2021 and claimed dozens of victims within its first few months of operation. Emsisoft estimates there may have been a total of 776 AlphV incidents since the ransomware’s inception. Last week, the group behind BlackCat claimed Indian IT services company SRM Technologies as its latest victim, taunting the company’s head of cloud infrastructure on LinkedIn after the attack. It has also been linked to recent attacks on video game companies Bandai Namco and Roblox. BlackCat is likely a rebrand of the ransomware group BlackMatter, Emsisoft says, which was in turn a rebrand of DarkSide, the group notorious for its attack on Colonial Pipeline last year. That attack prompted the US federal government to declare a regional emergency to keep fuel moving. The ensuing crackdown by international law enforcement has disrupted many established ransomware groups and pushed them to evolve their tactics, rebranding included.
Red Sky Alliance has previously reported on BlackCat:
- 14 December 2021 - https://redskyalliance.org/xindustry/blackcat-is-no-nice-kitty
- 29 April 2022 - https://redskyalliance.org/xindustry/the-cat-came-back
Energy suppliers are frequent targets for ransomware groups, given their economic value and the potential for disruption. In the UK, energy companies suffered 24% of all cyberattacks last year, according to IBM’s threat intelligence research, more than any other sector. IBM has also found that data breaches cost critical national infrastructure operators, such as energy providers, $1m more on average than other companies, even though they typically detect and respond to breaches faster than peers in other sectors.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings