Energy Firm Enel Group Hit by SNAKE Ransomware

Italy-based Enel Group has become the latest organization to fall victim to a ransomware attack. On Thursday, June 11, Bleeping Computer reported that the energy company's internal network had been hit by operators of the EKANS (SNAKE) ransomware.

According to the news site, the attack was first detected on June 7. The incident was said to have been caught by the company's antivirus "before the malware could spread." In an effort to limit the impact of the attack, the energy firm also temporarily isolated its corporate network.

“The Enel Group informs that on Sunday evening there was a disruption on its internal IT network, following the detection, by the antivirus system, of a ransomware. As a precaution, the Company temporarily isolated its corporate network in order to carry out all interventions aimed at eliminating any residual risk,” said a spokesperson from Enel.


“The connections were restored safely on Monday early morning,” he added. “Enel informs that no critical issues have occurred concerning the remote control systems of its distribution assets and power plants, and that customer data have not been exposed to third parties. Temporary disruptions to customer care activities could have occurred for a limited time caused by the temporary blockage of the internal IT network.”

While the company did not name the ransomware family, security researcher Milkream found a SNAKE/EKANS sample uploaded to VirusTotal on the date of the attack. The sample checks whether the current domain is "enelint.global", a domain owned by Enel, before proceeding, which ties it to this victim.
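The kind of triage that surfaced that indicator can be reproduced with a small strings scan. The following is an added example, not code from this article or from any researcher it cites: it pulls printable ASCII and UTF-16LE runs out of a byte buffer, keeps the ones shaped like domain names, and matches them against a watchlist. The byte buffer is constructed here for illustration and is not the real EKANS sample; "enelint.global" is the domain the article reports, and the file-extension filter and minimum length are assumptions of this example.

```python
from __future__ import annotations

import re
from typing import List, Tuple

# Constructed stand-in for a binary under triage. This is NOT the real EKANS
# sample: it just mixes an ASCII import name, a UTF-16LE domain string (the
# encoding Windows binaries commonly use for wide strings), an unrelated ASCII
# domain, and some non-printable bytes.
SAMPLE = (
    b"\x00\x01MZ\x90\x00"
    + b"kernel32.dll\x00\x00"
    + "enelint.global".encode("utf-16-le")
    + b"\x00\x00"
    + b"example.com\x00"
    + b"\xff\xfe\x12"
)

MIN_LEN = 6  # assumed cut-off; shorter runs are mostly noise
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)
# Dotted names that pass the domain regex but are file names (kernel32.dll).
NOT_DOMAIN_SUFFIXES = {"dll", "exe", "sys", "ocx", "drv"}

Hit = Tuple[int, str, str]  # (offset, encoding, text)


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[Hit]:
    """Return (offset, encoding, text) for every printable run of at least min_len chars."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # Printable char followed by a NUL, repeated: the shape of a UTF-16LE run.
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits: List[Hit] = []
    for m in ascii_re.finditer(data):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(hits)


def find_domains(data: bytes) -> List[Hit]:
    """Keep only strings shaped like a DNS name, dropping file-name look-alikes."""
    out: List[Hit] = []
    for off, enc, text in extract_strings(data):
        suffix = text.rsplit(".", 1)[-1].lower()
        if DOMAIN_RE.match(text) and suffix not in NOT_DOMAIN_SUFFIXES:
            out.append((off, enc, text))
    return out


def matches_watchlist(data: bytes, watchlist) -> List[Hit]:
    """Domains in the sample that appear on a case-insensitive watchlist."""
    wanted = {w.lower() for w in watchlist}
    return [h for h in find_domains(data) if h[2].lower() in wanted]


if __name__ == "__main__":
    for off, enc, text in find_domains(SAMPLE):
        print(f"0x{off:06x} {enc:8s} {text}")
    print("watchlist hits:", matches_watchlist(SAMPLE, ["enelint.global"]))
```

Scanning both encodings matters: a plain ASCII `strings` pass would miss a wide-string target domain entirely, and the extension filter keeps import names such as kernel32.dll from being reported as domains.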

It is not yet clear how the attackers gained access to the company's network. Bleeping Computer noted, however, that exposed Remote Desktop Protocol (RDP) connections are a common point of entry in such attacks.

"One of the things that sets the EKANS malware, which was reportedly used in the Enel ransomware attack, apart is a relatively high amount of manual effort/targeting typically involved in the operator placement activity, which can sometimes enable them to have a bigger impact on the victims," SC Magazine quoted Oleg Kolesnikov, VP of Threat Research and head of Securonix Research Lab at Securonix, who commented on the incident via email.

"The same malware was recently used in a ransomware attack against car manufacturer Honda. With some of the recent attacks observed, it appears that the malicious threat actors are expanding the list of targets to manufacturing and critical infrastructure," he continued.
