Author : Ionut Ilascu
European energy company giant Enel Group suffered a ransomware attack a few days ago that impacted its internal network.
Detected on June 7, the incident is the work of EKANS (SNAKE) ransomware operators, the group that also targeted Honda earlier this week.
Enel quickly recovered
Enel Group confirmed for BleepingComputer that its internal IT network was disrupted on Sunday evening following a ransomware attack caught by their antivirus before the malware could spread.
Dealing with the incident required isolating the corporate network for a limited time, “to carry out all interventions aimed at eliminating any residual risk.” All connectivity was safely restored on early Monday morning, the company says.
“The Enel Group informs that on Sunday evening there was a disruption on its internal IT network, following the detection, by the antivirus system, of a ransomware. As a precaution, the Company temporarily isolated its corporate network in order to carry out all interventions aimed at eliminating any residual risk. The connections were restored safely on Monday early morning.Enel informs that no critical issues have occurred concerning the remote control systems of its distribution assets and power plants, and that customer data have not been exposed to third parties. Temporary disruptions to customer care activities could have occurred for a limited time caused by the temporary blockage of the internal IT network.” – Enel spokesperson
Snake slithered in
When SNAKE is deployed in a targeted attack, it will perform checks against internal domains and IP addresses to confirm if it is running in the correct network.
If those checks fail, the ransomware will not perform any encryption.
Enel did not comment on the name of the ransomware used in the attack but security researcher Milkream found an SNAKE/EKANS sample submitted to VirusTotal on June 7 that shows that it checks for the domain “enelint.global”.
This domain is currently owned by Enel and redirected to the company’s international page when it was live.
The same domain connected to Enel addresses in the U.S. and Italy, the latter pointing to sites localized for countries where the company does business.
Analysis from Milkream shows the string “enelint.global” in the malware sample as well as a check for an internal IP address.
There are no details about how the attackers managed to gain access to the network but a common point of entry are exposed remote desktop connections (RDP), typically used for remote support/maintenance.
This is plausible for both Enel and Honda as security researcher Germán Fernández from CronUp found that the two companies had RDP connections exposed to the public internet.
Even more, the exposed connections were for machines on “enelint.global” and “mds.honda.com,” the same domains checked by EKANS ransomware samples uploaded to VirusTotal:
According to statements from both companies, the attack from Snake ransomware was unsuccessful.
However, it is unknown when the attackers entered the network and if they had time to steal any data.
The U.S. Branch of Honda told BleepingComputer that they did not find any evidence that personally identifiable information was impacted.
A representative said on Tuesday that production resumed in most plants and the process was underway for auto and engine plants in Ohio.
When BleepingComputer first reported about the Snake Ransomware, we noticed that it was terminating processes associated with SCADA and industrial control systems (ICS).
This was later confirmed by analysis from industrial cybersecurity company Dragos, who confirmed that Snake ransomware was the first in its category to target industrial control system (ICS) operations.