
Cyber Incident Victim: Empresas Públicas de Medellín

Date: Dec 2022

Location: Colombia

Summary

Empresas Públicas de Medellín (EPM), a major Colombian public utility provider, suffered a BlackCat/ALPHV ransomware attack that disrupted operations, forced remote work for thousands of employees, and took critical IT systems and customer service portals offline. The attackers deployed ExMatter data-theft tools to exfiltrate corporate information from over 40 internal devices, leveraging double-extortion tactics by threatening to release stolen data unless ransom demands were met. Forensic evidence indicated the intrusion originated internally from EPM's Ituango Central facility, specifically targeting servers supporting prepaid energy services and attempting to sabotage the plant's operational launch. The company activated a crisis committee with external cybersecurity experts and law enforcement to investigate the breach while maintaining essential utility services.


Description

On December 12, 2022, Colombian public utility company Empresas Públicas de Medellín (EPM) suffered a ransomware attack attributed to the BlackCat/ALPHV operation. The attack involved unauthorized encryption of corporate systems and theft of data, causing immediate operational disruptions. EPM shut down customer service offices and instructed approximately 4,000 employees to work remotely as a precautionary measure while IT infrastructure remained offline. The company's websites became inaccessible, forcing EPM to implement alternative payment methods for customers. Initial assessments indicated the ransomware compromised 25% of the corporate infrastructure and impacted an alternate data center. Despite these disruptions, EPM confirmed that core utility services—energy, water, and gas delivery—remained operational throughout the incident. The Prosecutor's Office of Colombia subsequently verified that the attack involved ransomware that encrypted devices and exfiltrated data.


Technical evidence revealed that the attackers used BlackCat's ExMatter data-theft tool to extract corporate information before deploying encryption. Security researchers identified an ExMatter sample uploaded from Colombia that transferred stolen data to poorly secured servers; the folder names on those servers began with "EPM-", matching the company's device naming convention. Preliminary forensic analysis suggested the attack originated internally from servers named "Consolcio" within EPM's Ituango Central hydroelectric facility, with indications that the ransomware deployment aimed to disrupt the plant's operational launch. EPM established a crisis committee involving the cybersecurity firms Indra, IBM, and Microsoft, alongside Colombian law enforcement, to conduct forensic examinations and assess the damage. The company initiated root cause analysis, infrastructure hardening, and policy reviews while coordinating with the Prosecutor's Office on the criminal investigation. Broader context showed escalating ransomware threats in Colombia, with 54,121 cybercrime reports filed by October 2022—a 30% annual increase—including a prior attack against healthcare provider Keralty and repeated 2020 ransomware incidents targeting energy firm Enel Group.
