One in seven ransomware extortion attacks leak critical OT data
Mandiant discovered data including usernames and passwords, IP addresses, and operator panels


Cyber security company Mandiant has found one in seven double-extortion ransomware attacks are leaking sensitive information that could provide access to physical systems.
The company found data stolen from ransomware victims related to operational technology (OT) systems, which are responsible for managing physical processes ranging from manufacturing equipment to energy distribution.
Data discovered included usernames and passwords for OT systems, IP addresses, remote services, asset tags, original equipment manufacturer (OEM) information, operator panels, and network diagrams.
This information, available for anyone to download from the dark web, renders companies more valuable to attack.
"Data from extortion leaks may provide sophisticated actors with information on targets, while limiting their exposure to defenders and cost of operations," the company said, adding that they can use it to makes it easier to launch more precise attacks with a higher impact.
In the study, Mandiant employees downloaded information stolen from ransomware victims and uploaded to 'shaming' sites after victims refused to pay up.
The company identified 1,300 extortion leaks released by ransomware groups in 2021 involving companies likely to use OT systems. It downloaded 70 of these leaks and analyzed the dumps looking for sensitive information.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
Data discovered included in-depth network and process documentation for two oil and gas companies, including diagrams and spreadsheets. Mandiant's team also found names, user privileges, and passwords for IT, plant maintenance, and operations employees at a hydroelectric energy company.
Even file sets that did not contain critical OT data often contained administrative data spanning employees, finance, customers, and legal documentation, the company said.
Mandiant used its own publicly available FlareVM Windows-based penetration testing and malware analysis virtual machine for the analysis, along with Autopsy, an open-source tool for digital forensics.
RELATED RESOURCE
The best defence against ransomware
How ransomware is evolving and how to defend against it
OT attacks are rife, according to recent research. In November, Skybox Security revealed that 83% of critical infrastructure companies have suffered at least one OT-related cyber breach in the last three years.
Last month, the Federal Bureau of Investigation (FBI), Cyber Security and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) warned critical infrastructure companies to be on the lookout for attacks from Russia. The advisory detailed OT attacks as a particular danger.
Danny Bradbury has been a print journalist specialising in technology since 1989 and a freelance writer since 1994. He has written for national publications on both sides of the Atlantic and has won awards for his investigative cybersecurity journalism work and his arts and culture writing.
Danny writes about many different technology issues for audiences ranging from consumers through to software developers and CIOs. He also ghostwrites articles for many C-suite business executives in the technology sector and has worked as a presenter for multiple webinars and podcasts.
-
Global cybersecurity spending is going to hit $213 billion in 2025
News Spending across major fronts comes in the wake of rising cloud security threats and growing skills gaps
-
Cloud confusion: Why can't we say what we mean?
Industry Insights Cloud jargon creates confusion, risking security gaps and business vulnerabilities in organizations
-
Hackers breached a 158 year old company by guessing an employee password – experts say it’s a ‘pertinent reminder’ of the devastating impact of cyber crime
News A Panorama documentary exposed hackers' techniques and talked to the teams trying to tackle them
-
The ransomware boom shows no signs of letting up – and these groups are causing the most chaos
News Thousands of ransomware cases have already been posted on the dark web this year
-
Everything we know about the Ingram Micro cyber attack so far
News A cyber attack on Ingram Micro severely disrupted operations and has been claimed by the SafePay ransomware group.
-
A prolific ransomware group says it’s shutting down and giving out free decryption keys to victims – but cyber experts warn it's not exactly a 'gesture of goodwill'
News The Hunters International ransomware group is rebranding and switching tactics
-
Swiss government data published following supply chain attack – here’s what we know about the culprits
News Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Ransomware victims are getting better at haggling with hackers
News While nearly half of companies paid a ransom to get their data back last year, victims are taking an increasingly hard line with hackers to strike fair deals.
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker group
News An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabs
News An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs