Enel, Italy’s largest energy company, has been infected by ransomware and is facing a record ransom demand. In Finland, hackers have stolen patient data from a psychiatric clinic and are demanding a ransom to keep it under lock and key. IT security is indispensable in times of the ransomware pandemic.
As if Italy didn’t have enough problems right now. The country is closing the ski resorts due to the coronavirus, the economy is idle, and protests against the coronavirus measures are flaring up in the big cities. Now what is probably the largest company in the country has also been infected with ransomware. The energy supplier Enel is one of the largest energy companies in Europe and operates in 40 countries, from South Africa to Canada and from Argentina to Russia. On Forbes’ list of the 2000 largest companies, it is the only Italian company in the top 100 (97th place).
Enel was infected with the ransomware Netlocker, one of the emerging major incarnations of ransomware. According to a report by McAfee analysts, Netlocker was first spotted in August 2019; its operators or owners demonstrate a high degree of professionalism and market it through a “Ransomware-as-a-Service (RaaS)” model. “Our research suggests that malware operators are attracting a wide range of tech-savvy and enterprising criminal allies.” Between March and August 2020, the analysts found ransom payments of over 2,795 Bitcoin (about $31 million), from which they conclude that the ransomware operators are in a good position to enforce their demands. Netlocker perfectly confirms the professionalization of cybercrime against which Europol warns so urgently.
Netlocker allegedly stole five terabytes of data from Enel and then encrypted it. In exchange for not selling this data on the black market and for handing over the key, the operators are demanding 1,234 Bitcoin, or around 14 million euros. This would be the highest amount I know of that any ransomware has ever demanded. Statements from Enel are not yet available. Therefore, it is not known how the company is handling the incident and whether the police were involved.
Sensitive patient data stolen from the server
A smaller but probably more tragic ransomware episode took place in Finland. The private psychiatric clinic Vastaamo, which has branches across Finland, was attacked by ransomware that stole the records of up to 40,000 patients.
As usual, the hacker posted excerpts of the data on a Tor website to prove that his threat was not an empty one. Then he probably demanded €400,000 in Bitcoin from the company in exchange for not publishing the data, which, according to a blockchain analysis, it has already paid. The hacker, on the other hand, claimed that the clinic had not paid, which is why he wrote to the patients individually to ask for 200 euros per person in Bitcoin. Specific details of what type of ransomware it is are not known. The BBC did manage to speak to one of the victims, however, who said the hacker had shown him notes that he had entered in a book and that he did not know would even be uploaded to a server.
For all the unscrupulousness of a hacker who exploits the most vulnerable and threatens them with what hits them deeply, the clinic has to face the realization that many problems with data only arise because this data exists. There is no need to upload private patient notes to a server. If they have to be digital – if! – then you could simply keep them on a “cold” computer.
The security of the clinic’s server also apparently leaves a lot to be desired. According to a Finnish specialist in e-commerce, Vastaamo lost data after a hack in 2018. The system is classified as “B-Class” according to government guidelines, which means that it does not require any security audits. As a result, no best practices were applied, and the server was publicly connected to the network without a VPN in between. In addition, the server ran on unpatched versions of the open-source software Apache and PHP. This mix is an invitation for hackers who scour the Internet with scripts to find vulnerabilities.
Of course, a clinic is not an IT company and does not invest its resources in computer security, but in psychiatric skills. That is actually correct, but in times of a ransomware pandemic it can mean that in the end it has fewer resources available for its own work.