Encevo is still working to restore systems and data made inaccessible last month by a ransomware attack.
The parent company of a Luxembourg-based pipeline operator and electricity supplier said it was targeted by “specifically crafted sophisticated malware” that evaded antivirus detection. The delivery of energy and gas was, and remains, unimpeded, the company said Monday in a status update.
Encevo’s quick and thus far effective response to a ransomware attack provides other organizations with a strategic blueprint to follow, assuming defenses hold up and contain the damage done.
This latest critical infrastructure attack signifies the extent to which pipeline operators are on the front line of a new frontier in the battle against cybercriminals, Katell Thielemann, VP analyst at Gartner, said via email.
The industry is full of unprotected cyber-physical systems and securing that infrastructure quickly is not easy, she said.
ALPHV, the group that claimed responsibility for the Encevo attack, is a rebrand of the DarkSide ransomware group that attacked Colonial Pipeline in May 2021. That attack, which temporarily shut down the largest refined products pipeline in the U.S., embodied the risk to critical infrastructure.
“The energy vertical finds itself increasingly in the crosshairs of hackers because they are part of a nation’s critical infrastructure, which makes them extremely high-profile targets,” said Mauricio Sanchez, research director at Dell’Oro Group.
The Colonial Pipeline incident was “the proverbial canary in the coal mine” and flipped decades-old perceptions about who presents the biggest threat to critical infrastructure, he said via email.
“Originally the thinking was that it was going to be insiders or nation states that took out critical infrastructure, but we were wrong,” Sanchez said. “The barrier to entry is now low enough that we have throngs of digital pirates roaming our global networks.”
Encevo thwarts further damage
While Encevo acknowledges data was exfiltrated during the attack, rendering customer portals non-operational, its ability to thwart further damage and maintain service put it in a better position for recovery and response.
Encevo, the largest energy firm in Luxembourg, said it did not comply with the cybercriminals’ ransom demand. The company’s response might have been different if its core systems were more seriously impacted.
Indeed, nearly four in five organizations impacted by ransomware attacks have paid the ransom to regain access to corporate data, Kaspersky concluded in a May report.
ALPHV, in a leak-site post, claimed it exfiltrated more than 150 gigabytes of sensitive data during the attack. Encevo on Monday confirmed the cybercriminals followed through on a threat to publish the data, but declined to provide further detail about its contents.
“We are confident that our service will be back to normal in the coming days,” Encevo said in a statement.
If Encevo’s operations were shut down or it had uncovered a broader threat during its investigation, which is ongoing, it might have been more compelled to pay ALPHV’s ransom demand.
The company said it doesn’t have all the information necessary to inform each person potentially impacted by the attack, but committed to do so if or when that occurs.
Encevo said it reacted quickly to the attack and bolstered systems monitoring, restored its servers from safe backups, increased the security of remote-access platforms and changed all passwords.