{
	"id": "e757d4c3-19d5-4462-a571-92cfdb99c373",
	"created_at": "2026-04-06T00:16:10.095533Z",
	"updated_at": "2026-04-10T03:20:20.608145Z",
	"deleted_at": null,
	"sha1_hash": "721cca8409055a8b7904239b975f5e43a50566c4",
	"title": "RagnarLocker ransomware hits EDP energy giant, asks for \u0026euro;10M",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1993562,
	"plain_text": "RagnarLocker ransomware hits EDP energy giant, asks for \u0026euro;10M\r\nBy Sergiu Gatlan\r\nPublished: 2020-04-14 · Archived: 2026-04-05 17:01:25 UTC\r\nAttackers using the Ragnar Locker ransomware have encrypted the systems of Portuguese multinational energy giant\r\nEnergias de Portugal (EDP) and are now asking for a 1580 BTC ransom ($10.9M or €9.9M).\r\nEDP Group is one of the largest European operators in the energy sector (gas and electricity) and the world's 4th largest\r\nproducer of wind energy.\r\nThe company is present in 19 countries and on 4 continents, it has over 11.500 employees and delivers energy to more than\r\n11 million customers.\r\nhttps://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/\r\nPage 1 of 6\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/\r\nPage 2 of 6\n\nVisit Advertiser websiteGO TO PAGE\r\nAttackers threaten to leak 10 TB of stolen documents\r\nDuring the attack, the Ragnar Locker ransomware operators claim to have stolen over 10 TB of sensitive company files and\r\nthey are now threatening the company to leak all the stolen data unless the ransom is paid.\r\n\"We had downloaded more than 10TB of private information from EDP group servers,\" a new post on Ragnarok's leak site\r\nsays.\r\n\"Below just a couple of files and screenshots from your network only as a proof of possession! At this moment current post\r\nis a temporary, but it could become a permanent page and also we will publish this Leak in Huge and famous journals and\r\nblogs, also we will notify all your clients, partners and competitors. So it’s depend on you make it confidential or public !\"\r\nAmong the already leaked files published as a sign of what's to come, the attackers included an edpradmin2.kdb file which is\r\na KeePass password manager database. \r\nWhen clicked on the leak site, the link leads to a database export including EDP employees' login names, passwords,\r\naccounts, URLs, and notes.\r\nThe Ragnar Locker ransomware sample used in this attack was found by MalwareHunterTeam and BleepingComputer was\r\nable to also find the ransom note and the Tor payment page where the attackers detail the decryption process and the ransom\r\namount.\r\nAccording to the ransom note dropped on the EDP encrypted systems, the attackers were able to steal confidential\r\ninformation on billing, contracts, transactions, clients, and partners.\r\nhttps://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/\r\nPage 3 of 6\n\n\"And be assure that if you wouldn't pay, all files and documents would be publicated for everyones view and also we would\r\nnotify all your clients and partners about this leakage with direct links,\" the ransom note reads.\r\n\"So if you want to avoid such harm for your reputation, better pay the amount that we asking for.\"\r\nEDP taunted in the live chat room\r\nAs also seen BleepingComputer, the Ragnar Locker operators taunted EDP in a live chat \"client room\" used by the attackers\r\nto communicate with their victims, asking them to \"check the article about your company\" on the data leak site and if the\r\ncompany is \"ready to see your private information, at the breaking need, tech-blogs, and stockmarket sites.\"\r\nThey also added that the \"timer is not waiting\" and warned EDP not to attempt to decrypt their data using any other software\r\nbesides the decryption tool provided by the Ragnar Locker operators as they risk damaging or losing it.\r\nThe attackers offered EDP a \"special price\" if they reach out within two days of their systems having been encrypted,\r\nhowever, they also warned that the company will have to wait for their turn as the ransomware's live chat is not online 24/7.\r\nBleepingComputer has reached out to EDP for comment and additional details but had not heard back at the time of this\r\npublication. This article will be updated when a response is received.\r\nDelivered via MSP enterprise support tools\r\nRagnar Locker ransomware was first spotted while being used as part of attacks against compromised networks towards the\r\nend of December 2019.\r\nThe Ragnar Locker operators target software regularly used by managed service providers to prevent their attack from being\r\ndetected and blocked.\r\nKyle Hanslovan, the CEO of MSP security firm Huntress Labs, told BleepingComputer in February of his company seeing\r\nRagnar Locker being deployed via the MSP software ConnectWise.\r\nhttps://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/\r\nPage 4 of 6\n\nAfter reconnaissance and pre-deployment stages, the attackers drop a highly targeted ransomware executable that adds\r\nspecific extension to encrypted files, features an embedded RSA-2048 key, and drops custom ransom notes.\r\nThe ransom notes include the victim's company name, a link to the Tor site, and the data leak site with the victim's published\r\ndata.\r\nBleepingComputer has previously seen multiple ransom notes for Ragnar Locker with ransoms ranging from $200,000 to\r\nroughly $600,000.\r\nUpdate April 16, 09:21 EDT: An EDP spokesperson told BleepingComputer that the attack did not impact the company's\r\npower supply service and critical infrastructure.\r\nEDP was the target of a computer attack on its corporate network this Monday, April 13th, which conditioned part of its\r\nservices and operations. The power supply service and critical infrastructure, however, have never been compromised and\r\nwe continue to ensure this operation as normal.\r\nThe situation is currently being assessed and we have teams dedicated to restoring the normal functioning of the systems as\r\nsoon as possible, which is our priority.\r\nEDP is working with the authorities, that were immediately notified of the attack to identify the origin and anatomy of the\r\nattack. At this moment, we have no knowledge of this alleged ransom demand - we have only seen this information\r\ndisclosed in the media, which we cannot verify.\r\nhttps://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/\r\nPage 5 of 6\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/\r\nhttps://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/"
	],
	"report_names": [
		"ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m"
	],
	"threat_actors": [],
	"ts_created_at": 1775434570,
	"ts_updated_at": 1775791220,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/721cca8409055a8b7904239b975f5e43a50566c4.pdf",
		"text": "https://archive.orkl.eu/721cca8409055a8b7904239b975f5e43a50566c4.txt",
		"img": "https://archive.orkl.eu/721cca8409055a8b7904239b975f5e43a50566c4.jpg"
	}
}