Cyber Incident Victim: Enel Group
Date:
Jun 2020
Location:
Italy
Summary
Enel Group experienced a ransomware attack involving Snake (EKANS) malware, which targeted its internal IT network. Antivirus systems detected the intrusion before widespread encryption, and Enel temporarily isolated its corporate network as a precaution; connectivity was restored within hours without compromise of critical operational systems or customer data. The sample checked for the company's internal domain before running, indicating a tailored attack, and exposed Remote Desktop Protocol (RDP) services were noted as a possible entry point. Customer services were briefly disrupted by the isolation, but the incident did not affect industrial control systems or result in data theft, and the company declared the attack unsuccessful.
Description
On June 7, 2020, Enel Group detected a ransomware attack on its internal IT network after antivirus systems identified the threat before widespread encryption could occur. The malware was Snake (EKANS), a ransomware family that, before encrypting, terminates processes associated with industrial control system (ICS) and SCADA software; industrial cybersecurity firm Dragos has described it as among the first ransomware families to carry an ICS-specific process kill list. As a precaution, Enel isolated its corporate network to carry out risk-mitigation procedures and restored all connectivity by the following morning. The company confirmed that the remote control systems for its power plants and distribution assets were not compromised and that no customer data was exposed. Customer care services were temporarily disrupted by the network isolation but were restored promptly. Security researcher Milkream identified a Snake ransomware sample uploaded to VirusTotal on June 7 that checked for Enel's internal domain "enelint.global", confirming that the malware had been customized for Enel's environment.

The initial attack vector has not been disclosed publicly. Security researchers identified Remote Desktop Protocol (RDP) services exposed to the internet under "enelint.global" as a plausible entry point, consistent with Snake's earlier attack on Honda, whose "mds.honda.com" domain was similarly exposed. Enel did not state whether any data was exfiltrated but emphasized that no operational or customer data was breached. Snake's payload only proceeds after verifying that it is on the intended network: the sample resolves the hard-coded internal domain, compares the answer with an expected internal IP address, and exits without encrypting if the check fails. This gating limits collateral spread, and it also means the sample will not detonate in an analysis sandbox unless the expected DNS answer is supplied. Dragos has documented Snake's distinctive focus on disrupting ICS processes, though Enel's containment prevented any operational interference. Services resumed without prolonged downtime, reflecting a rapid incident response. Enel declared the attack unsuccessful; in both the Enel and Honda cases, how long the attackers had access before detection remains unconfirmed.
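The following is an added triage example, not code from the page, from Enel, or from any vendor report. It emulates the two behaviours described above, the internal-domain gate and the ICS process kill list, so a responder can see why a targeted Snake sample stays inert on an ordinary sandbox and what has to be faked to detonate it deliberately in an isolated lab. The domain names "enelint.global" and "mds.honda.com" are the ones reported publicly; the IP address, the process names and the process listing are constructed for the example and are not indicators from the real samples.

```python
"""Emulation of the environment gate and kill-list step of Snake (EKANS),
written as a triage aid. Added example: the expected IP, kill list and
process listing below are constructed, not extracted from real samples."""

import socket
from typing import Callable, Iterable

# A resolver maps a hostname to an IPv4 string or raises OSError.
Resolver = Callable[[str], str]


def resolve_with_system(hostname: str) -> str:
    """Real resolver for use outside a test; socket.gaierror is an OSError."""
    return socket.gethostbyname(hostname)


def would_detonate(target_domain: str, expected_ip: str, resolve: Resolver) -> bool:
    """Reproduce the sample's gate: resolve the hard-coded internal domain and
    continue only if it maps to the expected internal address. A resolution
    failure (the domain does not exist outside the victim network) counts as
    a failed check, which is why such samples do nothing on most sandboxes."""
    try:
        answer = resolve(target_domain)
    except OSError:
        return False
    return answer == expected_ip


def sandbox_hosts_entry(target_domain: str, expected_ip: str) -> str:
    """Hosts-file line that makes the gate pass in an isolated lab so the
    sample can be detonated on purpose for analysis."""
    return f"{expected_ip}\t{target_domain}"


def kill_list_hits(running: Iterable[str], kill_list: Iterable[str]) -> list[str]:
    """Return the running process names the sample would terminate before
    encrypting. Matching is case-insensitive, as Windows image names are."""
    wanted = {name.lower() for name in kill_list}
    return sorted(p for p in running if p.lower() in wanted)


def fake_resolver(table: dict[str, str]) -> Resolver:
    """Offline stand-in for DNS: answers from a table, raises for anything else."""
    def resolve(hostname: str) -> str:
        if hostname not in table:
            raise socket.gaierror(f"cannot resolve {hostname}")
        return table[hostname]
    return resolve


# Publicly reported target domains.
ENEL_DOMAIN = "enelint.global"
HONDA_DOMAIN = "mds.honda.com"

# Constructed values for the example (hypothetical, not real indicators).
EXPECTED_IP = "10.20.30.40"
CONSTRUCTED_KILL_LIST = ["scada_srv.exe", "historian_agent.exe", "hmi_runtime.exe"]
CONSTRUCTED_PROCESS_LIST = ["explorer.exe", "HMI_Runtime.exe", "chrome.exe", "scada_srv.exe"]

# Two environments: the victim's internal DNS and a sandbox with no internal zone.
VICTIM_DNS = fake_resolver({ENEL_DOMAIN: EXPECTED_IP})
SANDBOX_DNS = fake_resolver({})


if __name__ == "__main__":
    print("on victim network:", would_detonate(ENEL_DOMAIN, EXPECTED_IP, VICTIM_DNS))
    print("on sandbox:       ", would_detonate(ENEL_DOMAIN, EXPECTED_IP, SANDBOX_DNS))
    print("hosts entry to detonate in lab:", sandbox_hosts_entry(ENEL_DOMAIN, EXPECTED_IP))
    print("processes that would be killed:", kill_list_hits(CONSTRUCTED_PROCESS_LIST, CONSTRUCTED_KILL_LIST))
```

The resolver is injected rather than called directly so the check can be exercised offline and so the same function can be pointed at the system resolver on a real host when confirming whether a recovered sample would have run there.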
