Sodinokibi ransomware operators leak files stolen from Elexon electrical middleman

Pierluigi Paganini June 02, 2020

The REvil/Sodinokibi ransomware operators have leaked the files allegedly stolen from the UK power grid middleman Elexon.

In May Elexon, a middleman in the UK power grid network, was the victim of a cyber attack, its systems have been infected with the Sodinokibi ransomware.

The incident impacted only affected the internal IT network, including the company’s email server, and employee laptops

“Hackers have targeted a critical part of the UK’s power network, locking staff out of its systems and leaving them unable to send or receive emails.” reads a post published by The Telegraph.

“Elexon – a key player in the energy market between power station operators and firms that supply households and businesses – said in a statement that its internal systems and company laptops had been affected by the cyberattack. It declined to give further details.”

The company manages electricity supply and demand and distributes the power around the network according to the demand.

“We are advising you that today that ELEXON’s internal IT systems have been impacted by a cyber attack. BSC Central Systems and EMR are currently unaffected and working as normal. The attack is to our internal IT systems and ELEXON’s laptops only.” reads a post published by the company on its website. “We are currently working hard to resolve this. However please be aware that at the moment we are unable to send or receive any emails.”

The company took down the email server in response to the attack, according to Elexon, the systems use to manage the UK’s electricity transit were not impacted.

The company published a second message to announce that it has discovered the root cause of the incident, and that is was working to restore the internal network and employee laptops. Elexon also added that the BSC Central Systems (and their data) and EMR were not impacted and are continuing to work as normal. 

Two weeks later, Sodinokibi operators published 1,280 files allegedly stolen from the company on their leak site. The files contain passports of Elexon staff members and an apparent business insurance application form. 

Even if the company did not reveal details on the attack, experts from security firm Bad Packets reported that Elexon had been running an outdated version of Pulse Secure VPN server, if confirmed threat actors could have exploited it to access the internal network.

Elexon did not pay the ransom and restored operation from backups, for this reason, Sodinokibi operators decided to leak the stolen files.

Recently Sodinokibi ransomware group claimed to have stolen gigabytes of legal documents from the entertainment and law firm Grubman Shire Meiselas & Sacks (GSMLaw) that has dozens of international stars and celebrities among its clients.

The list of clients of the law firm includes famous artists like Chris Brown, Madonna, Lady Gaga, Nicki Minaj, Elton John, Timbaland, Robert de Niro, Usher, U2, and Timbaland.

Sodinokibi isn’t the unique ransomware gang that is threatening to publish data of the victims to force to pay the ransom, other gangs are DopplePaymerMazeNefilimNemtyRagnarLocker, and NetWalker.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Sodinokibi, cybersecurity)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment