Netwalker ransomware hit K-Electric, the major Pakistani electricity provider

Pierluigi Paganini September 09, 2020

K-Electric, the electricity provider for the city of Karachi, Pakistan, was hit by a Netwalker ransomware attack that blocked billing and online services.

K-Electric, the electricity provider for Karachi (Pakistan) is another victim of the Netwalker ransomware gang, the infection disrupted billing and online services.

K-Electric (KE) (formerly known as Karachi Electric Supply Company / Karachi Electric Supply Corporation Limited) is a Pakistani investor-owned utility managing all three key stages – generation, transmission and distribution – of producing and delivering energy to consumers.

K-Electric is the largest power supplier in the country with 2.5 million customers and around 10,000 people.

Starting on September 7, the customers of the company were not able to access the services for their accounts. The good news is that the power supply has not been affected. In response to the incident, K-Electric is attempting to reroute users through a staging site, but the problems have yet to be solved.

The news of the incident was first reported by BleepingComputer which was informed by the ransomware researcher Ransom Leaks.

“Ransomware researcher Ransom Leaks, who told BleepingComputer about this attack, was tipped off by a local Pakistani security company that this attack is impacting K-Electric internal services.” reported BleepingComputer.

After being informed about this ransomware attack, security researchers confirmed that the Netwalker ransomware operators were behind the attack.

Netwalker ransomware operators are demanding the payment of $3,850,000 worth of Bitcoin. As usual, if the company will not pay the ransom within another seven days, the ransom will increase to $7.7 million.

Source BleepingComputer

The gang also claimed on the ‘Stolen data’ page of their Tor leak site that they have stolen unencrypted files from K-Electric before encrypting its systems. At the time it is not clear how many documents were stolen and which kind of information they contained.

Recently the Netwalker ransomware operators hit Argentina’s official immigration agency, Dirección Nacional de Migraciones, the attack caused the interruption of the border crossing into and out of the country for four hours.

Another victim of the group is the University of California San Francisco (UCSF), who decided to pay a $1.14 million ransom to recover its files.

Recently the FBI has issued a security alert about Netwalker ransomware attacks targeting U.S. and foreign government organizations.

The feds are recommending victims, not to pay the ransom and reporting incidents to their local FBI field offices.

The flash alert also includes indicators of compromise for the Netwalker ransomware along with mitigations.

The FBI warns of a new wave of Netwalker ransomware attacks that began in June, the list of victims includes the UCSF School of Medicine and the Australian logistics giant Toll Group.

The Netwalker ransomware operators have been very active since March and also took advantage of the ongoing COVID-19 outbreak to target organizations.

The threat actors initially leveraged phishing emails delivering a Visual Basic Scripting (VBS) loader, but since April 2020, Netwalker ransomware operators began exploiting vulnerable Virtual Private Network (VPN) appliances, user interface components in web apps, or weak passwords of Remote Desktop Protocol connections to gain access to their victims’ networks.

Recently the Netwalker ransomware operators were looking for new collaborators that can provide them with access to large enterprise networks. 

Below the recommended mitigations provided by the FBI:

  • Back-up critical data offline.
  • Ensure copies of critical data are in the cloud or on an external hard drive or storage device.
  • Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the data resides.
  • Install and regularly update anti-virus or anti-malware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks.
  • Consider installing and using a VPN.
  • Use two-factor authentication with strong passwords.
  • Keep computers, devices, and applications patched and up-to-date.
[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Netwalker)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment