Oil and gas hackers chase bigger pandemic paydays

By Christian Vasquez | 05/12/2020 07:45 AM EDT

Hackers have leaked hundreds of computer files allegedly stolen from a Houston-based oil and natural gas producer — the latest in a series of ransomware attacks that put a new twist on an old extortion playbook.

A ransomware attack on an oil and natural gas producer is the latest example in a growing trend where hackers add extortion to the playbook. Claudine Hellmuth/E&E News (illustration); Freepik (computer and coronavirus); rawpixel.com (lock)

The hackers behind the "Nefilim" malware say they have stolen over 800 gigabytes of personnel and financial data from W&T Offshore Inc., according to the attackers’ website and cybersecurity firm Cyble Inc. They’ve published a fraction of those documents on the dark web in recent weeks and are threatening to release more.

E&E News could not independently confirm the authenticity of the documents, and W&T Offshore did not respond to requests for comment. But the contours of the case fit a trend that is becoming more common as the energy sector grapples with a remote workforce and a drastic increase in cyberthreats due to the coronavirus pandemic, cybersecurity experts say.

Not content with the usual method of encrypting files and demanding payment to unlock them, cybercriminals have threatened to release confidential information if their ransomware victims refuse to pay.

"We’ve seen the ransom since this started happening go up substantially because [hackers] have more leverage. They can ask for more money, and they get paid more money," said Chip Henderson, a senior security analyst at cybersecurity firm Pondurance.

At a time when oil and gas companies are stretched thin — contending with historically low crude prices and volatile energy markets hampered by the coronavirus — hackers have used this new ransomware technique to ensure a bigger and more reliable payday.

Financially motivated hacking groups have ramped up their attacks by using malicious "spearphishing" emails and attacking common programs used by a remote workforce, according to multiple cybersecurity companies and government warnings.

The W&T Offshore leak mostly consists of financial data and does not appear to include documents relating to industrial control systems or operational technology that could be used to affect the flow of oil or other critical processes, said Nathan Brubaker, senior manager at cybersecurity firm FireEye Inc.

However, the hackers said the files posted so far are only an "appetizer" — hinting that there could be more leaks coming.

Brubaker warned that documents essential for continued production are often stored on corporate networks.

Global reach

Hackers who focus on ransomware attacks are largely motivated by financial gain, cybersecurity experts say — and that makes energy companies, including oil and gas operators and power utilities, prime targets because one of their top priorities is to continue running.

The FBI publicly advises companies not to pay the ransom on the grounds that it only exacerbates the issue by funding future attacks.

The Nefilim ransomware hackers have plagued other energy companies this year. Last month, they targeted Aban Offshore Ltd., India’s largest offshore drilling services provider for oil companies, as well as the Brazilian conglomerate Cosan Ltd., which is an energy and sugar producer. The attackers behind Nefilim do not post the dollar amounts they request.

They’re hardly the first to threaten to go public with stolen data. Last week, hackers using the "Ragnar Locker" ransomware said they had begun to leak files from a recent attack on the Portuguese state petroleum company Energias de Portugal SA (EDP). The hackers say they have taken more than 10 terabytes of files and have asked for more than $10 million in the cryptocurrency bitcoin (Energywire, April 24).

Matt Duncan, senior manager of resilience and policy coordination at the North American Electric Reliability Corp.’s Electricity Information Sharing and Analysis Center, said that the electricity industry is keeping an eye on the EDP case "to see how adversaries are attempting to penetrate foreign electricity networks."

The trend of threatening to leak privileged information if victims don’t pay a ransom is still new. The "Maze" ransomware that helped start the recent trend began spreading late last year, and since then, a slew of smaller hacking groups have used the same method.

Bitdefender analyst Liviu Arsene said hackers switched tactics after discovering that many companies backed up critical data, meaning the typical ransomware attack was "no longer potentially as profitable as it used to be."

"That’s when they started going with Maze. They added the extortion scheme," Arsene said.

Arsene said he expects more of these "ransomware 2.0" attacks this year.

A costly crime

Besides the ransom demand, the estimated cost of downtime is also significant, said Brett Callow, threat analyst at cybersecurity firm Emsisoft.

A recent Emsisoft report warned of a "massive economic impact" when accounting for both ransom demands and downtime costs.

Meanwhile, hackers can rely on hard-to-trace digital currency and take other precautions to stay anonymous.

"There’s a near-zero chance of [the hackers] being caught," said Callow.

A recent ransomware attack could cost the information technology giant Cognizant Technology Solutions Corp. $50 million to $70 million, the company’s chief financial officer, Karen McLoughlin, said on an earnings call last week, before accounting for potential legal and consulting expenses.

Cognizant, which provides services to the energy sector and other industries, was hit by Maze ransomware in April.

The average ransom demand from the "Ryuk" ransomware is around $1.3 million, according to a recent report from cybersecurity firm Coveware Inc. Ryuk harmed five oil and gas facilities earlier this year (Energywire, Jan. 27).

Even so, don’t expect the public extortion trend to become as common as a typical ransomware attack that only encrypts files, said Jeremy Kennelly, manager of analysis at Mandiant Threat Intelligence, part of FireEye. While it does give the hackers extra leverage when demanding a ransom, such extortion is also a more involved process that requires attackers to find out which files are most damaging to their target.

Ransomware techniques are continuing to evolve, however, and hackers are constantly looking for new ways to gain the upper hand on their victims, experts say. Earlier this year, a new ransomware variant emerged called "Ekans" that targeted sensitive control system processes. Cybersecurity firms have also found that hackers using ransomware are spending more time searching for vital parts of networks to shut down (Energywire, Feb. 25).

A ransomware attack on an unnamed renewable energy facility near Sterling County, Texas, in February is just one of the latest examples of the growing threat to the energy sector in the United States, according to a Department of Energy electric disturbance report.

The attack didn’t cause any impact on the grid, a DOE official said. The official said that two malicious files were executed within a server at the site and that the site was run locally until the infected equipment was replaced.

"At no time did the incident impact, or threaten, the stability of the bulk power system," the DOE official said.