BlackCat ransomware gang hits Luxembourg energy supplier Creos

Gang is threatening to publish 150 GB of stolen data

The BlackCat ransomware gang has claimed responsibility for hacking Creos, a gas and electricity supplier in Luxembourg.

Parent company Encevo Group published a notice on July 25th saying that various entities of the Group had been attacked on July 22nd and that "a number of data were exfiltrated from computer systems or made inaccessible by hackers".

Customer supplies of gas and electricity should not be affected, the company said, and the matter has been reported to the Luxembourg police. However, it admitted that personal data may have been stolen.

"This investigation is still ongoing and we'll actively contact data subjects that are concerned of a data breach," Encevo said.

The company's customer portal was still showing a 403 error today.

The attack has been claimed by the BlackCat ransomware gang, which said it had exfiltrated 150 GB of data from Encevo, including company contracts, agreements, passports, bills and emails, and that it would publish the data shortly.

First seen in November 2021, BlackCat, also known as ALPHV and Noberus, is thought by the FBI to be linked to the DarkSide (aka BlackMatter) gang, "indicating they have extensive networks and experience with ransomware operations".

DarkSide is the group responsible for the infamous Colonial Pipeline hack in the US last year. The group is thought to be mainly based in Russia.

Typically, BlackCat operators gain initial access with previously compromised user credentials, then go on to compromise Active Directory user and administrator accounts. With domain privileges in hand, they deploy the ransomware to hosts through malicious Group Policy Objects (GPOs) that create Windows scheduled tasks, so that a single policy refresh can launch the payload across the estate.
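GPO-delivered scheduled tasks are not hidden: Group Policy Preferences writes them to a ScheduledTasks.xml file under each policy's folder in SYSVOL, so a defender can triage those files for the deployment pattern described above. The script below is an added example written for this page, not code from the article, the FBI or any vendor; the sample XML is constructed, and the scoring heuristics (immediate task, recently changed, runs as SYSTEM, launches an interpreter, pulls a payload from SYSVOL, stages into a writable directory) are this example's own rather than a published rule set.

```python
r"""Triage Group Policy Preferences ScheduledTasks.xml for mass-deployment tasks.

GPO scheduled tasks are stored in SYSVOL at
  \\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml
Each task element (Task, TaskV2, ImmediateTask, ImmediateTaskV2) carries a
'changed' timestamp and a Properties/Task/Actions/Exec/Command to execute.
Heuristics below are illustrative (this example's own), not a vendor signature.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed sample (not a real capture): one long-standing maintenance task
# and one "immediate task" created hours ago that copies an executable from
# SYSVOL to a temp directory and runs it as SYSTEM on every host in scope.
SAMPLE_SCHEDULED_TASKS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="Disk cleanup" image="0" changed="2021-03-04 09:12:00" uid="{1}">
    <Properties action="U" name="Disk cleanup" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.2">
        <Actions Context="Author">
          <Exec><Command>C:\Windows\System32\cleanmgr.exe</Command><Arguments>/sagerun:1</Arguments></Exec>
        </Actions>
      </Task>
    </Properties>
  </TaskV2>
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="Update" image="0" changed="2022-07-22 02:41:17" uid="{2}">
    <Properties action="C" name="Update" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec><Command>cmd.exe</Command><Arguments>/c copy \\corp.example\SYSVOL\corp.example\scripts\svc.exe C:\Windows\Temp\svc.exe &amp;&amp; C:\Windows\Temp\svc.exe</Arguments></Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>
"""

TASK_TYPES = ("Task", "TaskV2", "ImmediateTask", "ImmediateTaskV2")
INTERPRETERS = ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe")
WRITABLE_DIRS = ("\\temp\\", "\\users\\", "\\programdata\\", "\\appdata\\")


def parse_gpp_tasks(xml_text):
    """Return one dict per scheduled-task element in a ScheduledTasks.xml."""
    root = ET.fromstring(xml_text)
    tasks = []
    for el in root:
        if el.tag not in TASK_TYPES:
            continue
        props = el.find("Properties")
        exec_el = el.find("Properties/Task/Actions/Exec")
        changed = el.get("changed")
        tasks.append({
            "type": el.tag,
            "name": el.get("name", ""),
            "changed": datetime.strptime(changed, "%Y-%m-%d %H:%M:%S") if changed else datetime.min,
            "action": props.get("action", "") if props is not None else "",
            "run_as": props.get("runAs", "") if props is not None else "",
            "command": (exec_el.findtext("Command") or "") if exec_el is not None else "",
            "arguments": (exec_el.findtext("Arguments") or "") if exec_el is not None else "",
        })
    return tasks


def score_task(task, now, recent=timedelta(hours=48)):
    """Return the list of reasons a task looks like a mass-deployment vehicle."""
    reasons = []
    cmdline = (task["command"] + " " + task["arguments"]).lower()
    if task["type"].startswith("Immediate"):
        reasons.append("immediate task: fires at next policy refresh on every host in scope")
    if now - task["changed"] <= recent:
        reasons.append("changed within the last %d hours" % (recent.total_seconds() // 3600))
    if task["action"] == "C":
        reasons.append("newly created (action=C)")
    if task["run_as"].lower().endswith("system"):
        reasons.append("runs as SYSTEM")
    if task["command"].lower().rsplit("\\", 1)[-1] in INTERPRETERS:
        reasons.append("launches interpreter " + task["command"])
    if "\\sysvol\\" in cmdline or "\\netlogon\\" in cmdline:
        reasons.append("references a payload on the SYSVOL/NETLOGON share")
    if any(d in cmdline for d in WRITABLE_DIRS):
        reasons.append("stages into a user-writable directory")
    return reasons


def triage(xml_text, now, threshold=3):
    """Flag tasks whose reason count meets the threshold; benign SYSTEM tasks score low."""
    flagged = []
    for task in parse_gpp_tasks(xml_text):
        reasons = score_task(task, now)
        if len(reasons) >= threshold:
            flagged.append({"name": task["name"], "type": task["type"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    # Fixed reference time so the sample is reproducible; use datetime.now() in practice.
    for hit in triage(SAMPLE_SCHEDULED_TASKS_XML, datetime(2022, 7, 22, 6, 0, 0)):
        print("%s (%s):" % (hit["name"], hit["type"]))
        for reason in hit["reasons"]:
            print("  -", reason)
```

In practice you would run this over every `Policies\{GUID}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml` in a copy of SYSVOL and pair any hit with the GPO's link scope and the account that last modified it; a SYSTEM task is normal, but an immediate task created in the last day that pulls an executable off SYSVOL into a temp directory is the shape of a domain-wide ransomware push and should be disabled before the next policy refresh.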

According to ransomware remediation company Coveware, BlackCat was the most active ransomware group in the second quarter of 2022, accounting for 16.9% of publicised attacks, ahead of LockBit (13.1%), Hive (6.3%), Quantum (5.6%) and Conti V2 (5.6%).