Cyber Incident Victim: Enel Group

Date: Oct 2020

Location: Italy

Summary

Enel Group suffered a ransomware attack by Netwalker operators demanding $14 million to decrypt systems and prevent release of stolen data. This marked the second such incident targeting the multinational energy firm within months, with attackers exfiltrating approximately 5 terabytes of sensitive information. After the company failed to engage, the ransom doubled, and the threat actors published proof of compromised files, threatening incremental leaks to coerce payment. The group publicly confirmed the victim’s identity and utilized a dedicated leak site to escalate pressure tactics.

Description

Enel Group, a multinational energy company serving over 61 million customers across 40 countries, experienced two ransomware incidents in 2020. The first occurred in early June when Snake ransomware (also known as EKANS) infiltrated Enel's internal network. This attack was contained before the malware could propagate further. The second incident began on or around October 19, 2020, when the Netwalker ransomware group compromised Enel's systems. Researchers identified the attack after analyzing a Netwalker ransom note shared on October 19, which included a link to stolen data samples hosted on prnt[.]sc. Folder names within these samples contained references to Enel employees, confirming the company's involvement. Netwalker operators demanded an initial ransom of $14 million (equivalent to 1,234.0238 Bitcoin) for both a decryption key and a promise not to leak several terabytes of stolen corporate data.

The attackers escalated pressure tactics when Enel failed to engage in negotiations through Netwalker's private support chat. By October 27, the ransom demand had doubled due to the lack of communication, consistent with Netwalker's typical operational pattern. The group publicly confirmed Enel as their victim by modifying their support chat message to read "Hello Enel. Dont be afraid to write us." On the same date, Netwalker added Enel to their dedicated data leak site, publishing screenshots of unencrypted files as proof of exfiltration. The group claimed possession of approximately 5 terabytes of sensitive corporate data and announced plans to release a portion publicly within one week if unpaid. They further threatened to analyze all stolen files for "interesting things" to publish incrementally, a strategy designed to coerce payment through reputational and operational damage. Enel did not publicly acknowledge the attack despite multiple outreach attempts by media outlets, and no evidence suggested the company paid the ransom or recovered data through negotiation. The incident exposed vulnerabilities in Enel's cybersecurity defenses less than five months after the prior Snake ransomware attempt.
