Pierluigi Paganini October 01, 2020

K-Electric, Pakistan’s largest private power company, did not pay the ransom and the Netwalker ransomware operators have leaked the stolen data.

In early September, K-Electric (KE), the electricity provider for the city of Karachi, Pakistan, was hit by a Netwalker ransomware attack that blocked billing and online services.

K-Electric is the largest power supplier in the country with 2.5 million customers and around 10,000 people.

Starting on September 7, the customers of the company were not able to access the services for their accounts. The good news is that the power supply has not been affected. In response to the incident, K-Electric is attempting to reroute users through a staging site, but the problems have yet to be solved.

The news of the incident was first reported by BleepingComputer which was informed by the ransomware researcher Ransom Leaks.

After being informed about this ransomware attack, security researchers confirmed that the Netwalker ransomware operators were behind the attack.

Netwalker ransomware operators are demanding the payment of $3,850,000 worth of Bitcoin. As usual, if the company will not pay the ransom within another seven days, the ransom will increase to $7.7 million.

The gang also claimed on the ‘Stolen data’ page of their Tor leak site that they have stolen unencrypted files from K-Electric before encrypting its systems. At the time it is not clear how many documents were stolen and which kind of information they contained.

News of the day is that Netwalker ransomware operators have released the victim’s data stolen during the attack, an 8.5 GB archive.

Researchers from cybersecurity firm Rewterz, who analyzed the content of the archive, told BleepingComputer that it contains some company’s sensitive information, including financial data, customer information, engineering reports, engineering diagrams for turbines, maintenance logs, and more.

Experts pointed out that threat actors had access to customer’s personal information that could be used to carry out multiple malicious activities.

Recently the Netwalker ransomware operators hit Argentina’s official immigration agency, Dirección Nacional de Migraciones, the attack caused the interruption of the border crossing into and out of the country for four hours.

Another victim of the group is the University of California San Francisco (UCSF), who decided to pay a $1.14 million ransom to recover its files.

Recently the FBI has issued a security alert about Netwalker ransomware attacks targeting U.S. and foreign government organizations.

The feds are recommending victims, not to pay the ransom and reporting incidents to their local FBI field offices.

The flash alert also includes indicators of compromise for the Netwalker ransomware along with mitigations.

The FBI warns of a new wave of Netwalker ransomware attacks that began in June, the list of victims includes the UCSF School of Medicine and the Australian logistics giant Toll Group.

The Netwalker ransomware operators have been very active since March and also took advantage of the ongoing COVID-19 outbreak to target organizations.

Below the recommended mitigations provided by the FBI:

• Back-up critical data offline.
• Ensure copies of critical data are in the cloud or on an external hard drive or storage device.
• Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the data resides.
• Install and regularly update anti-virus or anti-malware software on all hosts.
• Only use secure networks and avoid using public Wi-Fi networks.
• Consider installing and using a VPN.
• Use two-factor authentication with strong passwords.
• Keep computers, devices, and applications patched and up-to-date.

Pierluigi Paganini

(SecurityAffairs – hacking, K-Electric)

[adrotate banner=”5″]

[adrotate banner=”13″]