Cyber Incident Victim: Energias de Portugal
Date: Apr 2020
Location: Portugal
Summary
A multinational energy company was targeted by RagnarLocker ransomware operators who encrypted systems and exfiltrated over 10TB of sensitive data, including employee credentials, financial records, contracts, and client information. The attackers demanded a multi-million-euro ransom in Bitcoin, threatening to publicly leak the stolen data and notify partners if unpaid. While critical infrastructure and power delivery remained unaffected, the incident compromised extensive internal information. The company collaborated with authorities to restore operations and publicly denied awareness of the ransom demand. RagnarLocker operators leveraged compromised network management tools to evade detection during the attack.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around April 13, 2020, the RagnarLocker ransomware operators encrypted systems belonging to Energias de Portugal (EDP), a multinational energy conglomerate operating across 19 countries with over 11,500 employees and 11 million customers. The attackers demanded a ransom of 1580 Bitcoin (approximately €9.9 million or $10.9 million) to decrypt the compromised systems and prevent the public release of stolen data. During the intrusion, the threat actors exfiltrated over 10 terabytes of sensitive corporate information, including confidential billing records, contracts, transactional data, and details pertaining to clients and partners. As proof of the theft, the group published a KeePass password database file (edpradmin2.kdb) containing employee credentials, account URLs, and notes on their leak site. The ransomware note explicitly threatened to notify EDP's clients and partners with direct links to the leaked data if payment was not made, while offering a "special price" for prompt contact within two days of encryption—though they cautioned that response times might be delayed due to intermittent live chat availability.

EDP confirmed the attack disrupted internal systems but stated it did not affect power delivery services or critical infrastructure operations. The company engaged law enforcement and cybersecurity authorities to restore encrypted assets, publicly denying awareness of the specific ransom demand. RagnarLocker, first observed in late December 2019, was known for targeting software commonly used by managed service providers to evade detection during network compromises. The incident highlighted risks to global energy sector entities from ransomware groups capable of large-scale data exfiltration and operational disruption. EDP's mitigation efforts focused on system recovery and forensic analysis without publicly disclosing payment of the ransom or further details about data recovery outcomes.
