European utility giant EDP has been hit by a cyberattack and is facing a €10m ($11m) ransomware demand, according to multiple reports in the Portuguese media.

Portugal-based EDP – majority-owner of EDPR, one of the world’s largest wind power operators – was the subject of the cybersecurity breach on Monday, according to local reports and coverage in specialist IT publications.

The utility is said to have fallen victim to a ‘Ragnar Locker’ ransomware attack on Monday this week, with criminals gaining access to systems and demanding payment within 20 days to prevent release of information.

EDP has not so far responded to requests by Recharge for comment. Portuguese news outlet Observador quotes a statement from the company in which it confirms its corporate network has been breached, but says energy supply remains unaffected.

EDPR said in a statement sent to Recharge that its operations and energy supply are operating normally.

Recharge reported late last year how utilities were seen as increasingly vulnerable to cyberattacks, with a study of industry professionals by Siemens finding growing rates of incidents.

EDP, Portugal’s largest utility, owns most of EDPR, which operates more than 11GW of renewables capacity globally and is one of the biggest players in US onshore wind.

EDPR is also a growing force in offshore wind, and recently formed a joint venture with France’s Engie in a bid to become one of the world’s leaders in wind at sea.

Commenting on this, Sam Curry, chief security officer at Cybereason, said: “While details were scant ... [that] any successful breach, such as the one being reported against EDP, no matter the size and scope, have potentially catastrophic consequences if not contained.

“In this latest brazen ransomware attack, if the hackers were able to steal sensitive and confidential information on partners, billing procedures, contracts and other proprietary information, EDPs focus needs to be on doing everything humanly possible to secure that data, said Curry.

“Having backups of their files and resuming regular business operations is low on their priority list during the first 24-48 hours of incident response measures.”

Note: Updates with comment from EDPR and Cybereason.