article featured image


Empresas Públicas de Medellín (EPM), a Colombian energy provider, suffered from a BlackCat/ALPHV ransomware assault on Monday, which negatively impacted business operations and shut down internet services.

The company instructed its roughly 4,000 employees to work from home on Tuesday due to a downed IT infrastructure and unavailable company websites.

The company disclosed the incident to a Colombian media outlet, stating that it responded to a cybersecurity incident and provided alternative payment methods for its customers. The Prosecutor’s Office later confirmed that behind the attack was ransomware, which caused devices to be encrypted and data to be stolen.

Threat Group BlackCat Ransomware Behind the Attack

As per BleepingComputer, the attacks were perpetrated by the BlackCat ransomware operation, also known as ALPHV, which claimed responsibility and said it had stolen corporate data from the Colombian company.

The encryptor sample and ransom notes from the EPM attack have also been examined by BleepingComputer, who has confirmed that they are from the BlackCat ransomware operation.

EPM Ransom Note from BlackCat (Source: BleepingComputer)

The threat actors stole a quite a bit of data from EPM during the attack. Cybersecurity researcher Germán Fernández discovered a sample of BlackCat’s “ExMatter” data-theft tool uploaded to a malware analysis site from Colombia.

BlackCat ransomware attacks use ExMatter as a tool to steal data from business networks before devices are encrypted. The ransomware gang then employs this information in its double-extortion schemes. When the program is used, it will take information from networked devices and store it on servers under the control of the attacker in folders with the same name as the Windows PC that the information was taken from.

In the variant from Colombia, the data was uploaded into various folders starting with “EPM-”. It is currently unclear how much data was stolen.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.

Author Profile

Cristian Neagu


linkedin icon

Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.

Leave a Reply

Your email address will not be published. Required fields are marked *