Incident Details
In April 2020, EDP Renewables North America (EDPR NA), the US arm of the Portuguese energy group EDP, suffered a ransomware attack that compromised its information systems. The intrusion was detected on April 13 and involved the Ragnar Locker ransomware, a strain known for evading endpoint security and for stealing data before encrypting it. The attackers demanded a ransom of 1,580 bitcoin (worth over $10 million at the time) and threatened to publish sensitive company data relating to billing, contracts, and client information. EDPR NA opened an investigation with outside forensic specialists and law enforcement, which confirmed that unauthorized access to critical data had occurred. Although the company told customers it had found no evidence that personal information had been accessed, the theft of commercial data and the extortion threat raised significant concerns about data security and privacy.
Damage Assessment
- EDP Renewables North America (EDPR NA) was hit by a ransomware attack detected on April 13, 2020, affecting its information systems.
- Ragnar Locker ransomware was deployed, encrypting critical data and systems and rendering them inaccessible.
- The attackers demanded a ransom of 1,580 bitcoin, estimated at over $10 million, and threatened to release stolen confidential information related to billing, contracts, and clients.
- While the company stated there was no evidence that personal customer information had been accessed, the attack still raised significant security concerns.
- The organization faced operational disruption, including:
  - Inability to access vital data for customer inquiries and service delivery.
  - Increased workload for IT and security teams to investigate and contain the breach.
  - Deployment of new security measures, such as multifactor authentication, to prevent a recurrence.
- Direct financial costs include a potential ransom payment, increased cybersecurity spending, and the resources allocated to incident response and customer support.
How It Happened
How EDPR NA was initially breached has not been disclosed publicly. Ragnar Locker operators in this period were known to gain entry through exposed or weakly secured Windows Remote Desktop Protocol (RDP) services and through the remote-management tooling of managed service providers, so either is a plausible vector. The group is also known for an unusual evasion technique: rather than running the encryptor directly on the host, it installs Oracle VirtualBox together with a stripped-down Windows guest image, exposes the host's local and mapped drives to the guest as shared folders, and runs the ransomware inside the virtual machine. Endpoint security on the host then sees only a legitimate hypervisor process reading and writing files, not the ransomware itself.
Once inside, the attackers likely obtained administrator-level credentials, which let them move laterally with native Windows tooling such as PowerShell and Group Policy Objects (GPOs); a GPO is also how the VirtualBox package can be pushed to many machines at once. Lateral movement gave them access to billing, contract, and client data, which they copied out before encrypting systems, so the 1,580 bitcoin demand was backed by two threats: loss of availability and public release of the stolen data. The incident underscores the importance of hardening remote access, patching promptly, constraining administrative tooling, and training staff, since the same playbook works against any organization that leaves these gaps open.
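The tradecraft above maps onto a handful of host-telemetry signals a defender can watch for: an RDP logon from outside the corporate address space, PowerShell launched from a remote session or with an encoded command, a quiet SYSTEM-level MSI install (the footprint of a GPO software push), and a VirtualBox process appearing on a server that has no business running a hypervisor. The following detection logic is an added example written for this page, not code from EDPR NA, Ragnar Locker, or any vendor; the event records it runs over are constructed, simplified stand-ins for Windows Security event 4624 and Sysmon event 1, and the internal network ranges and approved-hypervisor host list are assumptions.

```python
"""Detection rules for the tradecraft described above.

Added example, not code from the original page or from EDPR NA. The event
records are constructed stand-ins for Windows Security 4624 and Sysmon
event 1 (process create); real collectors use different field names.
"""
from ipaddress import ip_address, ip_network
import ntpath

# Assumptions for the example: corporate address space, and the only hosts
# allowed to run a desktop hypervisor at all.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
HYPERVISOR_HOSTS = {"DEV-WS-07"}
VBOX_BINARIES = {"vboxheadless.exe", "virtualbox.exe", "vboxmanage.exe", "vboxsvc.exe"}


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def basename(path: str) -> str:
    # ntpath handles Windows separators on any platform
    return ntpath.basename(path).lower()


def rule_rdp_from_outside(ev: dict) -> bool:
    """Security 4624 with LogonType 10 (RemoteInteractive) from a non-corporate IP."""
    return (ev["event_id"] == 4624 and ev.get("logon_type") == 10
            and not is_internal(ev["src_ip"]))


def rule_remote_powershell(ev: dict) -> bool:
    """powershell.exe spawned by the WinRM host process, or given an encoded command."""
    if ev["event_id"] != 1 or basename(ev["image"]) != "powershell.exe":
        return False
    cmd = ev.get("command_line", "").lower()
    return basename(ev.get("parent_image", "")) == "wsmprovhost.exe" or " -enc" in cmd


def rule_silent_msi_as_system(ev: dict) -> bool:
    """msiexec installing a package quietly as SYSTEM: the footprint of a GPO
    software install or GPO-scheduled task landing on many hosts at once."""
    if ev["event_id"] != 1 or basename(ev["image"]) != "msiexec.exe":
        return False
    args = ev.get("command_line", "").lower().split()
    return (ev.get("user", "").upper().endswith("\\SYSTEM")
            and "/i" in args and any(q in args for q in ("/q", "/qn", "/quiet")))


def rule_hypervisor_on_server(ev: dict) -> bool:
    """A VirtualBox binary starting on a host not approved to run one. The VM
    trick keeps the encryptor inside the guest, so host-side AV only sees the
    hypervisor touching files through shared folders."""
    return (ev["event_id"] == 1 and basename(ev["image"]) in VBOX_BINARIES
            and ev["host"] not in HYPERVISOR_HOSTS)


RULES = {
    "rdp_from_outside": rule_rdp_from_outside,
    "remote_powershell": rule_remote_powershell,
    "silent_msi_as_system": rule_silent_msi_as_system,
    "hypervisor_on_server": rule_hypervisor_on_server,
}


def evaluate(events):
    """Return one alert per (event, matching rule), preserving event order."""
    alerts = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                alerts.append({"ts": ev["ts"], "host": ev["host"], "rule": name})
    return alerts


# Constructed sample telemetry following the intrusion narrative above.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ts": 1, "host": "FS-01", "event_id": 4624, "logon_type": 10,
     "src_ip": "203.0.113.45"},                                   # RDP from the Internet
    {"ts": 2, "host": "FS-01", "event_id": 4624, "logon_type": 10,
     "src_ip": "10.20.1.15"},                                     # legitimate internal RDP
    {"ts": 3, "host": "FS-01", "event_id": 1, "image": PS,
     "parent_image": r"C:\Windows\System32\wsmprovhost.exe",
     "command_line": "powershell.exe -NoProfile -Command Get-ADComputer -Filter *"},
    {"ts": 4, "host": "DC-01", "event_id": 1, "image": PS,
     "command_line": "powershell.exe -ExecutionPolicy Bypass -enc SQBFAFgA"},
    {"ts": 5, "host": "FS-02", "event_id": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r'msiexec.exe /i "C:\Windows\Temp\vbox_bundle.msi" /qn',
     "user": r"NT AUTHORITY\SYSTEM"},                             # GPO-pushed package
    {"ts": 6, "host": "FS-02", "event_id": 1,
     "image": r"C:\Windows\Temp\vbox_bundle\VBoxHeadless.exe",
     "command_line": "VBoxHeadless.exe --startvm guest"},        # encryptor VM boots
    {"ts": 7, "host": "DEV-WS-07", "event_id": 1,
     "image": r"C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe",
     "command_line": "VBoxHeadless.exe --startvm lab"},          # approved developer host
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"t={a['ts']} {a['host']:<9} {a['rule']}")
```

Run against the sample, the rules fire five times: the external RDP logon and WinRM-spawned PowerShell on FS-01, the encoded PowerShell on DC-01, and the quiet MSI install followed by the hypervisor start on FS-02, while the internal RDP session and the developer workstation stay silent. The hypervisor rule is the cheapest and highest-signal of the four in a server estate, because there is rarely a legitimate reason for VBoxHeadless.exe to appear on a file server; the msiexec rule is noisier and is best scoped to servers or joined with the package path.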
Response
EDPR NA's initial response was to open an investigation with the assistance of outside computer forensic specialists. Upon discovering the ransomware attack, the parent corporation, EDP, promptly notified the relevant law enforcement authorities.
The malware, identified as Ragnar Locker, was detected through the company's monitoring systems, which alerted staff to unauthorized access to its information systems. EDPR NA then triaged the incident to establish the extent of the infection and its likely impact: isolating affected systems to stop further spread, analyzing which data had been accessed or taken, and deploying additional security controls.
To reduce the risk of a repeat, EDPR NA introduced new IT processes and login requirements, including multifactor authentication, to limit unauthorized access. The company also worked to identify individuals whose information might have been affected so that they could be notified and protected.
Key Takeaways
Proactive Cybersecurity Measures: Renewable energy firms must adopt a proactive approach to cybersecurity, emphasizing threat detection and incident response planning to mitigate risks.
Employee Training: Regular cybersecurity training for employees is crucial. Human error remains a significant vulnerability; educating staff on recognizing phishing attempts can drastically reduce risks.
Supply Chain Security: Assess and enhance the cybersecurity posture of third-party vendors, especially managed service providers whose remote-access tooling reaches into the network. A weak link in the supply chain can lead to significant breaches.
Incident Response Plan: Develop and regularly update an incident response plan. Being prepared allows firms to act swiftly and minimize damage if an attack occurs.
Data Backup Solutions: Implement robust, regularly tested backup and recovery strategies, with at least one copy kept offline or immutable, since ransomware operators routinely delete on-host shadow copies and reachable online backups before encrypting. Backups restore availability, but they do nothing against the second threat in this incident, publication of stolen data, so detecting and blocking unusual outbound transfers matters just as much.
Investment in Cybersecurity Services: Engaging with specialized cybersecurity firms like HackersHub can provide expert insights and advanced protection measures, ensuring a more resilient infrastructure against potential threats.
Continuous Monitoring: Invest in continuous network monitoring and threat intelligence services to stay ahead of evolving cyber threats targeting the renewable energy sector.