Pierluigi Paganini August 01, 2022

The ALPHV/BlackCat ransomware gang claims to have breached the European gas pipeline Creos Luxembourg S.A.

The ALPHV/BlackCat ransomware gang claims to have hacked the European gas pipeline Creos Luxembourg S.A.

Creos Luxembourg S.A. owns and manages electricity networks and natural gas pipelines in the Grand Duchy of Luxembourg. In this capacity, the company plans, constructs and maintains high, medium and low-voltage electricity networks and high, medium and low-pressure natural gas pipelines, which it owns or which it is responsible for managing.

The ALPHV/BlackCat ransomware group claims to have stolen more than 150 GB from the company, a total of 180.000 files. Stolen data include contracts, agreements, passports, bills, and emails.

The company Encevo, which owns the majority of Creos, published a security advisory to announce that the gas pipeline form has suffered a cyber attack that took place between July 22 and 23. Encevo registered a complaint with the Police of the Grand Duchy and of course notified the CNPD (National Commission for Data Protection), the ILR (Luxembourg Institute of Regulation) and the competent ministries.

“The Encevo Group would like to inform that its Luxembourg entities Creos (network operator) and Enovos (energy supplier) were victims of a cyberattack on the night of July 22 to 23, 2022. The Encevo Group crisis unit was triggered immediately and the situation is currently under control. We are in the process of gathering all the elements necessary for the understanding and complete resolution of the incident.” reads the announcement. “However, this attack has a negative impact on the operation of the Creos and Enovos customer portals.”

Creos and Enovos pointed out that the cyberattack did not impact the supply of electricity and gas and that the breakdown service is guaranteed.

On July 28, Encevo Group published a new announcement confirming that threat actors have exfiltrate data from its systems.

“Following the announcement of Monday, July 25 and in accordance with our legal information obligations, we confirm that the various entities of the Encevo Group have been the victim of a Cyber-attack. During this attack, a number of data were exfiltrated from computer systems or made inaccessible by hackers.”

For the moment, Encevo Group is investigating the incident to determine potentially impacted individuals. The company is asking its customers not to contact the group’s services on this subject for the time being, it set up a website (https://www.encevo.eu/en/encevo-cyberattack/)that will be updated as the situation evolves.

In early July, BlackCat (aka ALPHV) Ransomware gang introduced an advanced search by stolen victim’s passwords, and confidential documents.

Resecurity (USA), a Los Angeles-based cybersecurity company protecting Fortune 500 companies, has detected a significant increase in the value of ransom demand requests by the notorious Blackcat ransomware gang.

Based on the observed recently compromised victims based in the Nordics region (which haven’t been disclosed by the group yet) the amount to be paid exceeds $2 million. One of the tactics used offers close to 50% discount to the victim in the case they are willing to pay – several ransom demands valued at $14 million were decreased to $7 million, but such amounts are still complicated for enterprises facing cybersecurity incidents. The most common ransom demand practiced by BlackCat jumped up to $2.5 million and it seems its trajectory will only grow.

The average ransomware payment climbed 82% since 2020 to a record high of $570,000 in the first half of 2021, and then by 2022 it almost doubled. 

BlackCat has been operating since at least November 2021, and launched major attacks in January to disrupt OilTanking GmbH, a German fuel company, and in February 2022, the attack on an aviation company, Swissport. The group is targeting high-profile businesses in critical industries including energy, financial institutions, legal services, and technology.

Blackcat ransomware is one of the fastest-growing Ransomware-as-a-Service (RaaS) underground groups practicing so called “quadruple extortion” by pressing victims to pay – leveraging encryption, data theft, denial of service (DoS) and harassment.

The BlackCat is also known as “ALPHV”, or “AlphaVM” and “AphaV”, a ransomware family created in the Rust programming language. The group’s leader with identical alias in communications on Dark Web forums outlined Rust as one of the competitive advantages of their locker compared to Lockbit and Conti. Despite the fact Blackcat and Alpha have completely different URLs in TOR Network, the scripting scenarios used on their pages are identical, and likely developed by the same actors.

The group was the pioneer of search in the indexed stolen data – allowing customers and employees of the affected companies to check exposed data.

 In a recent post from 10 Jul 2022, 15:35 pm in Dark Web, “ALPHV” introduced search not only by text signatures, but also supporting tags for search of passwords and compromised PII. It seems that some of the stolen files are still under indexing, but majority is already available for quick navigation. There were over 2,270 indexed documents identified containing access credentials and password information in plaintext, and over 100,000 documents containing confidential marking, including indexed e-mail communications and sensitive attachments.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Creos Luxembourg)

[adrotate banner=”5″]

[adrotate banner=”13″]