The Romanian National Cybersecurity Directorate (DNSC) says the Lynx ransomware gang breached Electrica Group, one of the largest electricity suppliers in the country.
Electrica became an independent company in 2000 after it was established as a division of the National Electricity Company (CONEL) in 1998. Since 2014, Electrica has been listed on the London and Bucharest stock exchanges.
The company now provides electricity supply, maintenance, and other energy services to over 3.8 million users across Muntenia and Transylvania.
Electrica warned investors on Monday that it was investigating an “ongoing” ransomware attack in collaboration with national cybersecurity authorities. Romania’s Energy Minister Sebastian Burduja added that the company’s SCADA and other critical systems were isolated and unaffected by the attack.
Today, DNSC, one of the authorities involved in the investigation, revealed that the Lynx ransomware operation was responsible for the incident. It also provided a YARA script to help other security teams detect indicators of compromise on their networks.
“Based on available data, critical power supply systems have not been affected and are operational, and the investigation is currently ongoing. In the event of a ransomware infection, the Directorate strongly recommends that no one pay the ransom requested by the attackers,” DNSC said.
“DNSC recommends that all entities, especially those in the field of energy, whether or not they were affected by the ransomware attack, supported by the cybercrime group LYNX Ransomware, scan their own IT&C infrastructure for malicious binary (encryptor) using the YARA scan script.”
The Lynx ransomware operation
Lynx ransomware has been active since at least July 2024, adding over 78 victims to its clear web data leak site since August.
According to the Center for Internet Security (CIS), the list of claimed victims includes multiple U.S. facilities and over 20 entities from the energy, oil, and gas sectors, added between July 2024 and November 2024.
Lynx operators have been using an encryptor likely based on the source code of INC Ransom malware allegedly put up for sale on the Exploit and XSS hacking forums for $300,000 in May. However, this may be a rebranding effort to help INC RANSOM operate under less law enforcement scrutiny.
BleepingComputer confirmed in August that Lynx ransomware and recent INC encryptors were largely the same based on a string analysis.
Since it emerged as a ransomware-as-a-service (RaaS) operation in July 2023, INC Ransom has also breached many education, healthcare, government, and industrial entities, including Yamaha Motor Philippines, Scotland’s National Health Service (NHS), and the U.S. division of Xerox Business Solutions (XBS).
The Lynx ransomware gang has not officially claimed the attack or added Electrica as a victim on its data leak site, suggesting that the attackers have not yet made contact or are already pressuring the company into meeting their ransom demands.
The Electrica ransomware attack comes after Romania’s Constitutional Court (CCR) annulled this year’s presidential elections based on extensive information that a massive Russia-linked TikTok influence campaign affected the results of the first round of elections.
Romania’s Intelligence Service (SRI) also declassified a report revealing that over 85,000 cyberattacks targeted the country’s election infrastructure between November 19 and November 25, the night after the first presidential election round.
In February, a Backmydata ransomware attack forced over 100 hospitals across Romania to take their systems offline after disrupting their healthcare management system.