
Ransomware Attacks in the Energy Industry

Ransomware attacks can happen to any organization, but they are becoming more frequent in the energy and utilities sector.

CDW Expert

Ransomware is a type of malware used by hackers to encrypt valuable data on a device, making the files and the systems that use that data unusable by the individual or organization, and holding the data for ransom until the victim pays to decrypt it. These malicious actors threaten to sell or leak the data if the ransom goes unpaid.

Ransomware attacks can happen to any organization, but they are becoming more frequent in the energy and utilities sector. While some of these attacks threaten to extort data from municipalities or companies, they can also threaten to disrupt the operations of vital services on the infrastructure grid. Read on to learn more about the current state of ransomware attacks in the energy industry and how to defend against them.

The Current State of Ransomware Attacks

Ransomware attacks are particularly prevalent among critical infrastructure organizations, like the energy industry, according to Ransomware attacks have increased in complexity and destructiveness over time and can prevent organizations from delivering mission-critical energy services.

According to the S&P Global Commodity Insights Oil Security Sentinel™, cyberattacks on energy infrastructure have increased over the last 5 years, with 2021 being a record year for physical security incidents targeting energy and oil. These attacks aren’t limited by geography or company size.

As many as 70% of ransomware attacks begin as phishing and social engineering conducted to capture user credentials, according to CDW InfoSec Manager Gabe Whalen. If organizations don’t have ransomware detection methods, attackers could be in the environment for days or even several months, undetected, as they decide what they want to do with the victim’s data.

Major Energy Industry Ransomware Attacks

Colonial Pipeline Company – When most think of major ransomware attacks on critical infrastructure today, they think of the Colonial Pipeline attack in May 2021, the largest cyberattack on oil infrastructure in the history of the US. Colonial Pipeline is one of the longest oil pipelines in the US, extending from Texas to New Jersey, supplying about 45% of the oil consumed on the East Coast or about 100 million gallons a day of fuel and heating oil.

Hacker group Darkside gained access to the Colonial Pipeline Co.’s network via an employee’s stolen VPN password that was compromised in a previous data breach and reused to access Colonial’s network. The hackers obtained 100 GB of data within two hours and threatened to release it.

Colonial paid a 75-bitcoin ransom ($4.4 million at the time of the attack) and normal operations restarted five days later, although the encryption tool supplied by the hackers was slower than Colonial’s business continuity planning tools. The US Department of Justice was able to recover $2.4 million from the hackers by tracing the bitcoin payment trail.

This incident caused widespread fuel shortages, panic-buying at the pumps, and a spike in gas prices, with East Coast consumers hoarding gas and some airlines having to change their flight schedules.

Volue ASA - Just a few days before the Colonial Pipeline attack in May 2021, another ransomware attack struck a Norwegian energy technology and infrastructure supplier, Volue Technology. The hackers employed the Ryuk ransomware, which typically targets companies with annual revenue between $500 million and $1 billion. This attack disrupted Volue’s front-end customer platforms by encrypting data and rendering it unreadable, impacting 2,000 Volue customers in 44 countries.

This ransomware attack forced Volue and customers to shut down applications providing infrastructure to water facilities serving about 85% of Norway in order to prevent further intrusion, initiate backup solutions and conduct security assessments.

After the assessment, it was concluded the data had not been exfiltrated. Volue did not pay the ransom since the fee was behind a link they did not click. They maintained a high level of transparency and posted every day on their website for about a week until they were sure the cyberattack was remediated.

Companhia Paranaense de Energia (Copel) and Centrais Elétricas Brasileiras (Eletrobras) - In February 2021, two Brazilian electric utility companies, Eletrobras and Copel, were impacted by ransomware attacks around the same time.

Eletrobras, a large power utility company in Latin America, had to suspend some systems temporarily to protect their network while they mitigated the attack along with their managed security services team. The perpetrators of the ransomware attack remain unknown. Fortunately for them, the ransomware attack impacted their administrative network servers and did not disrupt the supply of electricity from their nuclear power plants, which were on an isolated network.

The ransomware attack on Copel, the largest company in the Brazilian state of Paraná, was perpetrated by the same group as the Colonial Pipeline cyberattack, Darkside. They stole over 1000 GB of data including plain-text passwords, infrastructure access info, network maps, finances, backup schemes and more, plus the personal information of management and customers. Darkside hosted this stolen data on a distributed storage system for six months.

Pemex - This Mexican state-owned oil and gas company was hit by the Ryuk ransomware in November 2019, according to a Pemex official; Ryuk is the same ransomware that impacted Volue ASA. However, Reuters reported that the ransomware was DoppelPaymer. DoppelPaymer uses compromised Domain Admin credentials to spread through networks.

Hackers demanded about $5 million USD in bitcoin to decrypt Pemex’s files as the attack crippled their payment system and froze certain administrative tasks. Oil and gas production/exploration remained operational and Pemex officials reported that the attack affected under 5% of its systems. Pemex did not end up paying the ransom, but according to Reuters the attack cost $71 million in cleanup costs, with a small fraction of that being covered by insurance.

Oiltanking and Mabanaft & Amsterdam-Rotterdam-Antwerp (ARA) - Two major European oil refineries, Oiltanking/Mabanaft in Germany and ARA in the Netherlands and Belgium, were struck with ransomware in January and February 2022, disrupting a total of 17 refinery terminals in these nations. The ransomware prevented oil tankers from being loaded and unloaded since the process is mostly automated. Tankers and barges had to be diverted to other ports, stifling the flow of heating, diesel, jet fuel, and gasoline in an already stressed supply chain for several days throughout northern Europe.

Palo Alto Networks' threat intelligence division, Unit 42, identified the culprit in the attacks as BlackCat, a ransomware-as-a-service organization known for targeting a wide range of industries including pharmaceuticals, construction, retail, insurance, and manufacturing.

Port of Houston - Not every ransomware attack succeeds against the prepared. The Port of Houston, a vital piece of US Gulf Coast supply chain infrastructure, defended against a cyberattack in August of 2021. The port handles 247 million tons of cargo per year.

Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly attributed the attack to a “nation-state actor,” not specifying which country she believed to be responsible. The hackers attempted to capitalize on a vulnerability in the Port of Houston’s password management software to gain control over network access. No systems were compromised in the attack.

Why is Ransomware a Popular Cyberattack Method?

Katell Thielemann, VP Analyst at Gartner, gives the following reason why ransomware is a popular attack vector, particularly against energy infrastructure:

“Critical infrastructure operators including energy providers and oil-and-gas companies are attractive targets for ransomware groups because cybercriminals know they need their equipment to continue running to provide services. If you can disrupt operations, you immediately have bottom-line impact.”

Mr. Whalen adds that many organizations don’t attend to cybersecurity basics in general. “Usually it’s pretty obvious and wasn’t difficult for the attacker,” he states. “They [organizations] think they [hackers] must have come in through some magical backdoor and usually what we find out is that is not the case.”

The challenge for organizations becomes proving the ROI of cybersecurity, which oftentimes can’t be demonstrated until there’s an attack. Mr. Whalen continues, “they [organizations] may invest in availability of services. They might have to invest in the integrity of their services but investing in security is not always first and forefront…organizations struggle with that if they can't demonstrate a return on investment.”

Another reason why many businesses find themselves exposed is they mistakenly believe cybercriminals only target companies with things of worth.

“There is this perception out there in all industries that criminals only go after organizations who have something. It's not what your business produces, does, or is connected to. It's the fact that you have a business…you have money to pay and you have a digital presence that enables an attacker to do something to you.”

As a leader or cybersecurity expert in the energy and utilities industry, you may be concerned your systems are vulnerable, or unsure about your attack surface area or endpoint security after having read about these network breaches here or elsewhere. That’s where CDW SPEAR comes in.

How to Defend Against Ransomware?

We get wanting to be prepared for anything. SPEAR is CDW’s full-stack approach to ransomware and data protection. Leveraging CDW’s expertise along with best practices from NIST and CIS 18 controls, we’ve created a portfolio of solutions and services designed to counteract the vulnerabilities that ransomware often exploits:

  • Scan (for Risk): Assessments that evaluate your overall security posture.
  • Prepare (for the Worst): Calculated solutions and services that help you avoid, transfer, or mitigate risk.
  • Expose (the Threat): Targeted solutions and services to expose the active attack in your environment.
  • Assess (Your Response): A dedicated team to partner with you to contain and eradicate an attack.
  • Recover (and Remediate): Services and playbooks to help you quickly restore operational capability and remediate any system impact.


Ransomware has become a matter of “when” and not “if.” Ensure your organization has the tools to help you reduce downtime, minimize risk, and protect your most valuable and sensitive data.