Security researchers at Cybereason have released a Threat Analysis Report to highlight the details of an attack that occurred last month against Greece’s largest natural gas supplier, DESFA. The organization stated that it was hit by a cyberattack that impacted some of its systems. Threat actor group Ragnar Locker claimed responsibility for the ransomware attack and claimed to have published roughly 30 GB of data it purported to have been stolen from DESFA. The Cybereason report states that Ragnar Locker has been in use since at least 2019 and generally targets English-speaking organization. The group has been tracked by the FBI since breaching more than fifty organizations, all located in a range of critical infrastructure sectors.

The latest attack against DESFA fits Ragnar Locker’s historical patterns of targeting organizations in the critical infrastructure sector. Cybereason suggests that the first thing the threat actor performs after successfully infecting a system is to check the locale of the target. According to Cybereason, if it detects a match with certain countries such as Russia, Ukraine, and Belarus, it does not execute the malware and the process is terminated. Ragnar Locker typically encrypts files and creates a ransom note to display to the victim.

Read More: Ragnar Locker Ransomware Targets Energy Sector, Cybereason Suggests