{
	"id": "20a7065a-893f-4bdf-ab1c-5eae8df01a50",
	"created_at": "2026-04-06T00:11:34.794636Z",
	"updated_at": "2026-04-10T13:11:28.9653Z",
	"deleted_at": null,
	"sha1_hash": "f99a174009799491b8f91b9a48e2f9e399dadfc5",
	"title": "Colombian energy supplier EPM hit by BlackCat ransomware attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2027297,
	"plain_text": "Colombian energy supplier EPM hit by BlackCat ransomware attack\r\nBy Lawrence Abrams\r\nPublished: 2022-12-16 · Archived: 2026-04-05 14:21:08 UTC\r\nColombian energy company Empresas Públicas de Medellín (EPM) suffered a BlackCat/ALPHV ransomware attack on\r\nMonday, disrupting the company's operations and taking down online services.\r\nEPM is one of Colombia’s largest public energy, water, and gas providers, providing services to 123 municipalities. The\r\ncompany generated over $25 billion in revenue in 2022 and is owned by the Colombian Municipality of Medellin.\r\nOn Tuesday, the company told approximately 4,000 employees to work from home, with IT infrastructure down and the\r\ncompany's websites no longer available.\r\nEPM disclosed to local media that they were responding to a cybersecurity incident and provided alternative methods for\r\ncustomers to pay for services.\r\nThe Prosecutor's Office later confirmed to EL COLOMBIANO that ransomware was behind the attack on EPM that caused\r\ndevices to be encrypted and data to be stolen.\r\nHowever, the ransomware operation behind the attack was not disclosed.\r\nBlackCat ransomware behind the attack\r\nBleepingComputer has since learned that the BlackCat ransomware operation, aka ALPHV, was behind the attacks, claiming\r\nto have stolen corporate data during the attacks.\r\nBleepingComputer has also seen the encryptor sample and ransom notes from the EPM attack and has confirmed that they\r\nare from the BlackCat ransomware operation.\r\nEPM ransom note from BlackCat ransomware\r\nSource: BleepingComputer\r\nWhile the ransom note created in the attack states that the threat actors stole a wide 
variety of data, it should be noted that\r\nthis is the exact text used in all BlackCat ransom notes and is not specific to EPM.\r\nHowever, further discoveries indicate that hackers likely stole quite a bit of data from EPM during the attack.\r\nChilean security researcher Germán Fernández discovered a recent sample of BlackCat's 'ExMatter' data-theft tool, uploaded\r\nfrom Colombia to a malware analysis site.\r\nExMatter is a tool used in BlackCat ransomware attacks to steal data from corporate networks before devices are encrypted.\r\nThis data is then used as part of the ransomware gang's double-extortion attempts.\r\nWhen the tool is run, it will steal data from devices on the network and store it on attacker-controlled servers within folders\r\nnamed after the Windows computer name that it was stolen from.\r\nWhen analyzing the ExMatter tool, Fernández found that it uploaded the data to a remote server that was not adequately\r\nsecured, allowing any visitor to see the data stored on it.\r\nIn the ExMatter variant from Colombia, the data was uploaded into various folders starting with 'EPM-,' as shown below.\r\nFernández told BleepingComputer that these computer names match known computer naming formats used by Empresas\r\nPúblicas de Medellín.\r\nWhile it is unclear how much total data was stolen, Fernández told BleepingComputer that there were a little over 40\r\ndevices listed on the site.\r\nBleepingComputer has reached out to EPM to learn more about the attack and how much data was stolen, but a response\r\nwas not immediately available.\r\nThis is not the first time a ransomware attack has targeted a Colombian energy company.\r\nIn 2020, the Enel Group suffered a ransomware attack twice in the same year.\r\nColombia has also seen an increase in attacks over the last months, with the country's healthcare system disrupted last 
month\r\nby a RansomHouse attack on Keralty, a multinational healthcare organization.\r\nSource: https://www.bleepingcomputer.com/news/security/colombian-energy-supplier-epm-hit-by-blackcat-ransomware-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/colombian-energy-supplier-epm-hit-by-blackcat-ransomware-attack/"
	],
	"report_names": [
		"colombian-energy-supplier-epm-hit-by-blackcat-ransomware-attack"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434294,
	"ts_updated_at": 1775826688,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f99a174009799491b8f91b9a48e2f9e399dadfc5.pdf",
		"text": "https://archive.orkl.eu/f99a174009799491b8f91b9a48e2f9e399dadfc5.txt",
		"img": "https://archive.orkl.eu/f99a174009799491b8f91b9a48e2f9e399dadfc5.jpg"
	}
}