The AlphV ransomware group has successfully attacked several businesses owned by the Encevo Group, a large energy company based in Luxembourg.
AlphV uploaded sample files to its deep web platform on Friday evening, claiming to have stolen around 180,000 files totalling more than 150GB in size from Creos, which owns and operates electricity networks and natural gas pipelines in the country.
The data it claims to have stolen includes company contracts, agreements, passports, bills, and emails. The method of attack is double extortion which is typical for the AlphV group and many other contemporary ransomware operations.
One of the files uploaded for public viewing appears to be a recently expired passport. IT Pro has been unable to independently verify the legitimacy of the stolen files but Encevo has confirmed the breach on Creos and Enovos.
IT Pro has also requested further details on the company’s remediation strategy, but it declined to reply.
Encevo Group said the attack occurred between 22-23 July and “a certain amount of data was exfiltrated” but it was doing everything it can to analyse the hacked files.
The companies’ services are not believed to be affected, including all gas pipelines and electricity supplies. Encevo added that there is a breakdown service that is guaranteed to work should any attack-related issues arise, ensuring the continued supply of energy.
In addition to assurances of the attack, the company's phone and email systems remain online, as do its websites.
Creos told IT Pro that all relevant legal and regulatory authorities have been informed of the incident, and that ransomware was involved in the attack. Encevo classified the incident as a data breach rather than confirming it was ransomware.
“For now, the Encevo Group does not yet have all the information necessary to inform personally each potentially affected person,” it said. “This is why we ask our customers not to contact us for the moment.”
The Russia-affiliated ransomware group sometimes referred to as BlackCat, is one of the most prolific ransomware operations currently running.
Experts have alleged that the group has links to the now-disbanded DarkSide which was responsible for the attack on Colonial Pipeline a year ago.
“AlphV is a rebrand of BlackMatter which was a rebrand of DarkSide - and DarkSide was used in the attack on Colonial Pipeline,” said Brett Callow, threat analyst and Emsisoft.
Callow also said that AlphV is “probably at least as busy as LockBit”, which was recently labelled as the most active ransomware operation running at present.
AlphV also claimed attacks on video game giants Bandai Namco and Roblox in July after the FBI issued an earlier warning over the group's success back in April.
Critical infrastructure and providers of critical services are increasingly targeted by cyber attacks due to the amount of disruption they can cause, and the notoriety a cyber criminal group can gain from causing such harm.
The attack on Colonial Pipeline last year demonstrated the importance of strong cyber security measures at businesses like these and drew so much attention from law enforcement agencies that the hackers were thought to have entered hiding as a result.
Much of the ransom ultimately paid to the hackers after the Colonial Pipeline attack was recovered by US authorities but the incident prompted a federal-level overhaul in cyber security practices to prevent an attack of its scale ever happening again.
-
Should AI PCs be part of your next hardware refresh?AI PCs are fast becoming a business staple and a surefire way to future-proof your business
-
Westcon-Comstor and Vectra AI launch brace of new channel initiativesNews Westcon-Comstor and Vectra AI have announced the launch of two new channel growth initiatives focused on the managed security service provider (MSSP) space and AWS Marketplace.
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackersNews Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Healthcare systems are rife with exploits — and ransomware gangs have noticedNews Nearly nine-in-ten healthcare organizations have medical devices that are vulnerable to exploits, and ransomware groups are taking notice.
-
Alleged LockBit developer extradited to the USNews A Russian-Israeli man has been extradited to the US amid accusations of being a key LockBit ransomware developer.
-
February was the worst month on record for ransomware attacks – and one threat group had a field dayNews February 2025 was the worst month on record for the number of ransomware attacks, according to new research from Bitdefender.
-
CISA issues warning over Medusa ransomware after 300 victims from critical sectors impactedNews The Medusa ransomware as a Service operation compromised twice as many organizations at the start of 2025 compared to 2024
-
Warning issued over prolific 'Ghost' ransomware groupNews The Ghost ransomware group is known to act fast and exploit vulnerabilities in public-facing appliances
-
The Zservers takedown is another big win for law enforcementNews LockBit has been dealt another blow by law enforcement after Dutch police took 127 of its servers offline
-
There’s a new ransomware player on the scene: the ‘BlackLock’ group has become one of the most prolific operators in the cyber crime industry – and researchers warn it’s only going to get worse for potential victimsNews Security experts have warned the BlackLock group could become the most active ransomware operator in 2025
