Lynx ransomware behind Electrica energy supplier cyberattack

​The Romanian National Cybersecurity Directorate (DNSC) says the Lynx ransomware gang breached Electrica Group, one of the largest electricity suppliers in the country.

Electrica became an independent company in 2000 after it was established as a division of the National Electricity Company (CONEL) in 1998. Since 2014, Electrica has been listed on the London and Bucharest stock exchanges.

The company now provides electricity supply, maintenance, and other energy services to over 3.8 million users across Muntenia and Transylvania.

Electrica warned investors on Monday that it was investigating an "ongoing" ransomware attack in collaboration with national cybersecurity authorities. Romania's Energy Minister Sebastian Burduja added that the company's SCADA and other critical systems were isolated and unaffected by the attack.

Today, DNSC, one of the authorities involved in the investigation, revealed that the Lynx ransomware operation was responsible for the incident. It also provided a YARA script to help other security teams detect signs of compromise on their networks.

"Based on available data, critical power supply systems have not been affected and are operational, and the investigation is currently ongoing. In the event of a ransomware infection, the Directorate strongly recommends that no one pay the ransom requested by the attackers," DNSC said.

"DNSC recommends that all entities, especially those in the field of energy, whether or not they were affected by the ransomware attack, supported by the cybercrime group LYNX Ransomware, scan their own IT&C infrastructure for malicious binary (encryptor) using the YARA scan script.

The Lynx ransomware operation

Lynx ransomware has been active since at least July 2024, adding over 78 victims to its clear web data leak site since August.

According to the Center for Internet Security (CIS), the list of claimed victims includes multiple U.S. facilities and over 20 entities from the energy, oil, and gas sectors, added between July 2024 and November 2024.

Lynx operators have been using an encryptor likely based on the source code of INC Ransom malware allegedly put up for sale on the Exploit and XSS hacking forums for $300,000 in May. ​However, this could also be a rebranding effort to help INC RANSOM operate under less law enforcement scrutiny.

BleepingComputer confirmed in August that Lynx ransomware and recent INC encryptors were mostly the same based on a string analysis.

Since it emerged as a ransomware-as-a-service (RaaS) operation in July 2023, INC Ransom has also breached many education, healthcare, government, and industrial entities, including Yamaha Motor Philippines, Scotland's National Health Service (NHS), and the U.S. division of Xerox Business Solutions (XBS).

The Lynx ransomware gang has not officially claimed the attack or added Electrica as a victim on its data leak site, suggesting that the attackers haven't yet made contact or are already pressuring the company into meeting their ransom demands.

The Electrica ransomware attack comes after Romania's Constitutional Court (CCR) annulled this year's presidential elections based on extensive information that a massive Russia-linked TikTok influence campaign affected the results of the first round of elections.

Romania's Intelligence Service (SRI) also declassified a report revealing that over 85,000 cyberattacks targeted the country's election infrastructure between November 19 and November 25, the night after the first presidential election round.

In February, a Backmydata ransomware attack forced over 100 hospitals across Romania to take their systems offline after disrupting their healthcare management system.