Empresas Publicas de Medellin (EPM), a Colombian energy company, was hit by a BlackCat/ALPHV ransomware attack on Monday. The attack disrupted the company's operations and took its online services offline.
EPM, which provides services to 123 cities, is Colombia's largest public water and energy provider. The company is owned by the Municipality of Medellin and generated more than $25 billion in revenue in 2022.
On Tuesday the company instructed approximately 4,000 employees to work from home, with its IT infrastructure offline and its websites unavailable.
EPM stated that it had responded to a cybersecurity attack and offered customers alternative payment methods.
The Prosecutor later stated that ransomware had encrypted EPM's systems and that data had been stolen.
The ransomware operation behind the attack, however, was not disclosed at the time.
BlackCat ransomware was behind the attack
BleepingComputer learned from the FBI that the BlackCat ransomware operation, also known as ALPHV, claimed responsibility for the attack and said it had stolen data.
BleepingComputer also reviewed the ransom note and encryptor samples from the EPM attack and confirmed they belong to the BlackCat ransomware operation.
While the ransom note claims that the threat actors stole a wide range of data, this wording is boilerplate that appears in every BlackCat ransom note and is not specific to EPM.
However, further evidence suggests that the attackers did steal a large amount of EPM data during the attack.
Chilean security researcher Fernandez found a sample of BlackCat's 'ExMatter' data-theft tool that had been uploaded to a malware analysis website from Colombia.
ExMatter is a tool used in BlackCat ransomware attacks to steal corporate data before devices are encrypted. The stolen data is then used in the ransomware gang's double-extortion schemes.
The tool runs on devices across the network, collects data, and uploads it to an attacker-controlled server, placing each device's files in a folder named after that device's Windows computer name.
Fernandez discovered that ExMatter had uploaded the data to an unsecured remote server, which allowed anyone to view the files.
The Colombian ExMatter variant uploaded data into folders whose names begin with "EPM-", as shown below. Fernandez told BleepingComputer that these computer names match the naming convention known to be used by Empresas Publicas de Medellin.
Although it is not clear how much data was stolen, Fernandez told BleepingComputer that the server held folders for just over 40 devices.
BleepingComputer contacted EPM for more information about the attack and the amount of data stolen, but a response was not immediately available.
This is not the first ransomware attack to hit the Colombian energy sector.
The Enel Group was hit twice by ransomware in 2020.
Attacks in Colombia have increased over recent months. Last month, the country was hit hard by an attack on Keralty, a multinational healthcare provider.