Ragnar Locker Likely Behind Attack on Greek Gas OperatorThreat Group Says DESFA Did Not Pay Ransom, Releases Confidential Data
Ragnar Locker ransomware group released 361 gigabytes of what appears to be confidential data belonging to Greek national natural gas pipeline operator DESFA. The crime group says the alleged victim refused to negotiate and so it made good on its data dump threat. Among the leaked documents are engineering designs and budget and revenue documents.
"DESFA company didn't pay any attention on the possible risk of data leakage," the ransomware gang wrote on its leak site on Tuesday. "So, as we promised today we are publishing the full Data which were downloaded from DESFA network.
The pipeline company confirmed last week a cyberattack on its systems that could lead to a data leak. The company did not respond to Information Security Media Group's request for comment on the Ragnar Locker's claims.
ISMG's review of the data shows several files that appear to be future budget and past revenue spreadsheets; copies of non-disclosure agreements with customers and partners; engineering designs and their backups in a directory format. The authenticity of the data could not be immediately verified.
Timeline of Events
Ragnar Locker added DESFA to its victim list on its site leak on Friday. The group posted a data file-tree of 4.8 megabytes as a proof of its claims, along with screenshots of the documents allegedly belonging to DESFA.
On Saturday, DESFA said some of its systems were affected by a cyberattack and that an undisclosed number of directories and files may have been leaked. It did not specify the identity of the attacker, but said it "remains firm in its position not to negotiate with cybercriminals."
The company said it was investigating the root cause of the attack with technical experts, alerted relevant authorities and deactivated most of its IT services as a precautionary measure.
The shutdown does not impact the national natural gas system, it said. "The management of the NNGS continues to operate smoothly and DESFA continues to supply natural gas to all entry and exit points of the country safely and adequately," it says.
Donut Leaks Link
The same set of data has also appeared on a separate leak site, called Donut Leaks, Bleeping Computer reports.
Donut Leaks is linked to an extortion group that reportedly attacked U.K. architectural firm Sheppard Robson and multinational construction company Sando, and two other undisclosed companies. The latter's attack was reportedly claimed by the Hive ransomware group.
The link likely means that the "threat actor running Donut Leaks is a pen tester or an affiliate for both Hive, Ragnar Locker and possibly other ransomware operations," the Bleeping Computer report says.