The BlackCat ransomware group took responsibility for a hack against Creos Luxembourg S.A. days ago. In the European country, Creos operates an electrical network and a natural gas pipeline.
Encevo, the company that owns Creos, disclosed on July 25 that a cyberattack was conducted over the weekend of July 22–23. Although the attack made Encevo and Creos' customer portals inaccessible, there was no interruption to the services offered.
In a press statement, the company clarified:
We thus confirm that the different firms of the Encevo Group have been the victim of a BlackCat ransomware after the notification of Monday, July 25, and in compliance with our legal disclosure requirements. Several pieces of data were stolen from computer systems or made unavailable during this attack by hackers.
The company updated its website on July 28 with the preliminary findings of its investigation into the incident. These showed that the network hackers had exfiltrated "some data" from the accessible computers.
Customers were then advised to wait until the investigations were over before contacting them individually. Encevo stated that if further details became available, they would be released on its website for the hack.
This process is most likely still in progress, because no new updates have been published on Encevo's media webpage. In the meantime, all clients were advised to change their online login information for Encevo and Creos services.
BlackCat still active
On Saturday, the BlackCat ransomware group added Creos to its ransom website. They threatened to disclose 180,000 stolen files totalling 150 GB in size, including contracts, agreements, passports, invoices, and emails.
The attackers warned they would reveal the data later on Monday, but no specific time was given for the execution of their threat. To put further pressure on its victims to pay a ransom, ALPHV/BlackCat has recently introduced a new extortion portal where they make stolen data searchable by visitors.
BlackCat keeps coming up with new methods for data extortion, yet never seems to learn from its failures and keeps picking on well-known companies, which could well put it in the sights of international law enforcement organisations.
BlackCat is thought to be the renamed version of DarkSide, a ransomware organisation that was forced to shut down after its attack on Colonial Pipeline drew considerable media attention. To avoid law enforcement after closing DarkSide, the group changed its name to BlackMatter, but as pressure mounted, the gang collapsed once more.
Since November 2021, when they relaunched as BlackCat/ALPHV, the threat actors have preferred to avoid major American targets in favour of European institutions, including Austrian governments, Italian fashion retailers, and a Swiss airport service provider.
They do not seem to have learned from their failures, since they continue to attack important infrastructure, as seen in their attacks on Creos Luxembourg and the German oil tanker company Oiltanking in February.