Encevo Group, an energy conglomerate based in Luxembourg, is battling an ongoing cyberattack by ransomware-as-a-service gang BlackCat. Some digital services are still disrupted 12 days after the attack began, although the company says that energy supply has not been affected.
BlackCat is believed by researchers to include members of DarkSide, the now-defunct ransomware group that attacked US gas provider Colonial Pipeline last year, prompting a crackdown by international law enforcement.
Encevo Group cyberattack: how did it happen?
In a dark web blog post on Friday, BlackCat – also known as AlphV – claimed to have stolen 150GB of data from Encevo Group, including contracts, agreements, passports, bills and emails. “At Monday we gonna publish the data we have,” it said, presumably after a ransom demand went unpaid.
Encevo Group revealed last week that two of its subsidiaries – electricity network and gas pipeline operator Creos and energy supplier Enovos – suffered a cyberattack on the night of 22 July, ‘negatively impacting’ their customer-facing portals.
It later confirmed that “a number of data were exfiltrated from computer systems or made inaccessible by hackers” during the attack. “The group is currently making every effort to analyse the hacked data,” it said. “For the moment, the Encevo Group does not yet have all the information necessary to personally inform each person concerned.”
As of this morning, Enovos’ customer portal is still unavailable, citing a “technical problem”.
What is BlackCat?
BlackCat / AlphV is a ransomware strain that encrypts victims’ files with AES, according to research by security company Emsisoft. It was first detected in November 2021 and claimed dozens of victims within its first few months of operation. Emsisoft estimates that there may have been a total of 776 AlphV incidents since the ransomware’s inception.
Last week, the group behind the BlackCat ransomware claimed Indian IT services company SRM Technologies as its latest victim, taunting the company’s head of cloud infrastructure on LinkedIn after the attack. It has also been linked to recent attacks on video game companies Bandai Namco and Roblox.
BlackCat is likely a rebrand of a ransomware group known as BlackMatter, Emsisoft says, which in turn was a rebrand of DarkSide, the group notorious for its attack on US gas provider Colonial Pipeline last year. The Colonial Pipeline attack led to US president Joe Biden calling a national state of emergency. The ensuing crackdown by international law enforcement has disrupted many established ransomware groups, prompting an evolution of their tactics.
Energy suppliers are frequent targets for ransomware groups, given their economic value and the disruption an outage can cause. In the UK, energy companies accounted for 24% of the cyberattacks IBM observed last year, more than any other sector, according to its threat intelligence research.
IBM has also found that data breaches cost critical national infrastructure operators, such as energy providers, $1m more on average than other organisations, even though they typically detect and contain breaches faster than peers in other sectors.