{
	"id": "3e5ab1b7-ca10-46db-a787-a3e10de927b0",
	"created_at": "2026-04-06T01:31:54.949989Z",
	"updated_at": "2026-04-10T13:11:20.165609Z",
	"deleted_at": null,
	"sha1_hash": "79af367891410fd4b03838d9566b559a938d95eb",
	"title": "OT Ransomware Extortion Attacks Leak Critical OT Information",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3251096,
	"plain_text": "OT Ransomware Extortion Attacks Leak Critical OT Information\r\nBy Mandiant\r\nPublished: 2022-01-31 · Archived: 2026-04-06 01:26:52 UTC\r\nWritten by: Daniel Kapellmann Zafra, Corey Hidelbrandt, Nathan Brubaker, Keith Lunden\r\nData leaks have always been a concern for organizations. The exposure of sensitive information can result in\r\ndamage to reputation, legal penalties, loss of intellectual property, and even impact the privacy of employees and\r\ncustomers. However, there is little research about the challenges posed to industrial organizations when threat\r\nactors disclose sensitive details about their OT security, production, operations, or technology.\r\nIn 2021, Mandiant Threat Intelligence continued observing ransomware operators attempting to extort thousands\r\nof victims by disclosing terabytes of stolen information on shaming sites. This trend, which we refer to as\r\n“Multifaceted Extortion,” impacted over 1,300 organizations from critical infrastructure and industrial production\r\nsectors in just one year.\r\nTo validate the extent to which multifaceted extortion leaks represent a risk to OT, Mandiant analyzed a semi-random selection of samples from industries that typically leverage OT systems for production. Using various\r\ntechnical and human resources, we downloaded and parsed through many terabytes of dump data and found a\r\nsubstantial amount of sensitive OT documentation. This included network and engineering diagrams, images of\r\noperator panels, information on third-party services, and more. We note that our analysis of each dump was\r\nlimited due to the scale of our dataset and that a more targeted examination of a handful of dumps would probably\r\nuncover more documentation per organization.\r\nBased on our analysis, one out of every seven leaks from industrial organizations posted in ransomware extortion\r\nsites is likely to expose sensitive OT documentation. 
Access to this type of data can enable threat actors to learn\r\nabout an industrial environment, identify paths of least resistance, and engineer cyber physical attacks. On top of\r\nthis, other data also included in the leaks about employees, processes, projects, etc. can provide an actor with a\r\nvery accurate picture of the target’s culture, plans, and operations.\r\nMandiant Found a Range of Sensitive OT Documents on Extortion Sites\r\nIn early 2020, Mandiant observed media claims indicating ransomware leaks exposed aerospace manufacturing\r\ndesigns and third party technical documentation from an electric utility. A year later, an actor reshared a 2.3 GB\r\nDoppelpaymer extortion leak from a major Latin American oil and gas organization in an underground forum,\r\nclaiming it contained OT information.\r\nWe analyzed that leak and found a variety of sensitive data including usernames and passwords, IP addresses,\r\nremote services, asset tags, original equipment manufacturer (OEM) information, operator panels, network\r\ndiagrams, etc. All information which a sophisticated threat actor would be hunting for during reconnaissance or\r\nwhat Mandiant’s red teamers would employ to identify attack paths in a target OT network.\r\nhttps://www.mandiant.com/resources/blog/ransomware-extortion-ot-docs\r\nPage 1 of 8\n\nFigure 1: Extortion leak for a major Latin American oil and gas organization\r\nTo better understand the risk these data leaks pose to OT asset owners, we built a large dataset. Over a couple of\r\nmonths, a small team of analysts and data researchers filtered through hundreds of leaks, collected, and analyzed\r\nsamples to find OT documentation. 
We identified at least 10 dumps that contained sensitive OT technical data.\r\nDue to the volume of data in many leaks, we performed only superficial analysis of the dumps; however, had we\r\ninvested additional resources to process our samples further, we would have likely found a significant amount of\r\nadditional information.\r\nWe note that most threat actors would likely focus their efforts on a smaller number of organizations due to\r\nresource limitations or a preexisting interest in a specific target or targets. This would allow the actor to focus their\r\nresources on finding more information on each target, which would be essential for any sophisticated attack.\r\nInitial Triage\r\nIn 2021, we identified over 3,000 extortion leaks released by ransomware operators. Around 1,300 of these leaks\r\nwere from organizations in industrial sectors that are likely to use OT systems, such as energy and water utilities,\r\nor manufacturing. We selected and retrieved a couple hundred of these samples by skimming through readily\r\navailable file listings or other indicators of interest such as comments from the actor, or the targets’ subindustry. In\r\nmany cases, we were not able to acquire or access data from a leak because of timing or errors in the shared files;\r\nin these cases, we discarded the leak.\r\nFigure 2: Filtered volume of extortion leaks\r\nAfter initial triage, we collected and manually analyzed approximately 70 leaks using custom and publicly\r\navailable tools. 
We found that one out of every seven leaks contained at least some useful OT information, while\r\nthe rest contained data related to employees, finances, customers, legal documentation, among other things.\r\nMandiant did not further analyze those files, though we note they remain available to threat actors for other\r\npurposes.\r\nCollecting Several Terabytes of Already Filtered Data\r\nRansomware extortion leaks are mostly shared on a variety of threat actor-operated sites on the dark web.\r\nAlthough each actor operates differently, advertisements for incoming leaks are typically posted in hacker forums\r\nor on social media. Anyone with access to a Tor browser can visit the sites and download available dumps.\r\nFigure 3: Example images from ransomware extortion sites\r\nDownloading a single extortion leak is very simple, but collecting multiple samples from different leaks is quite\r\ncomplex given the enormous volume of available data. The ability to download each of these leaks depends on\r\nmultiple factors such as the infrastructure of the attacker and the downloader, the time during which the data is\r\nexposed, the number of users acquiring the file, and the quality of the file itself.\r\nAcquiring each dump may require multiple hours and sometimes days. The dumps can often fill entire hard drives\r\nor virtual machines. To be able to collect, store, and further analyze multiple dumps, Mandiant leveraged a\r\ncustom-built internal collections pipeline. It is likely that only well-resourced actors would have enough resources\r\nto reproduce this approach.\r\nAnalyzing the Samples to Find Sensitive Technical Documentation\r\nWe leveraged manual and automated file analysis to hunt through the data from interesting samples. 
We looked for\r\ndocuments such as network and process diagrams, machine interfaces, asset inventories, usernames and\r\npasswords, and project files. In a few cases we also examined third-party vendor agreements.\r\nMethod #1: File Listing of Manual Analysis\r\nWe browsed through file listings to identify keywords that hinted at the existence of OT-related data. We obtained\r\nthe file listings in a few ways:\r\n- Sometimes actors released a directory or text file listing to advertise the extortion leak.\r\n- If there was no file listing available, we attempted to create it ourselves.\r\n  - For small and medium-sized dumps we used Autopsy, a free publicly available forensics tool. The\r\ntool is also included in Mandiant’s FLARE VM image which is distributed as open source.\r\n  - For larger dumps, we used custom-built tools or downloaded the files locally to build a listing via\r\ndefault tools like rar or 7z.\r\n- If we were not able to acquire a listing, we browsed manually through file names.\r\nIn some cases, a quick look at the listing and keyword searching was enough to determine if the dump was\r\nsuitable for analysis, but in other cases the file naming conventions did not reveal much information. Another\r\naspect that added a layer of complexity was that the extortion leaks contained data in various languages.\r\nMethod #2: Forensic Analysis with Public and Custom Tools\r\nFor small and medium-sized dumps we used Autopsy, which enabled us to analyze relatively large-sized folders.\r\nThe tool can parse a file and provide summaries of timestamps, file types, keywords, and other useful data. We\r\nwere also able to search for keywords using regular expressions to find data such as IP addresses or usernames,\r\nand to quickly visualize .jpeg images of existing files.\r\nFigure 4: Analysis of extortion leak files using Autopsy\r\nHowever, Autopsy struggled to analyze larger dumps. 
It would require multiple hours to parse a dump of just a\r\ncouple gigabytes, yet we had identified leaks that contained terabytes of data. As a result, we had to build custom\r\ntools to visualize and analyze larger amounts of data. We note that even using custom tooling, we still required\r\nsignificant storage capabilities and human investment to handle the data.\r\nWe Found a Substantial Amount of OT Documentation\r\nFinding sensitive OT documentation across such a large volume of files is not simple, but it is possible. Our\r\nfindings included data from organizations across different sectors and regions. Although each of the leaks\r\ncontained full information about the victim, we redacted their names and other proprietary information.\r\nVictim (Names Redacted) | Leak Contents\r\nManufacturer of industrial and passenger trains | Password administration credentials for an OEM, requirements for control architecture and communication channels for a European tram vehicle, backups of Siemens TIA Portal PLC project files, etc.\r\nTwo oil and gas organizations | In-depth network and process documentation, including diagrams, HMIs, spreadsheets, etc.\r\nControl systems integrator | Engineering documentation from customer projects (some files were password protected, which we did not attempt to bypass).\r\nHydroelectric energy producer | Most data was financial and accounting related; however, we identified a list of names, emails, user privileges, and some passwords from IT, plant maintenance, and operations employees.\r\nSatellite vehicle tracking service provider | Product diagrams, visualizations, and source code from a proprietary platform used to track automobile fleets via Global Positioning System (GPS).\r\nRenewable energy producer | Legal agreements between the victim and customers stating the conditions for maintenance and supply of renewable energy infrastructure. The contracts stated that the service provider had full access to the third party’s SCADA system via public internet IP addresses.\r\nTable 1: Selection of findings\r\nSophisticated Threat Actors Can Leverage Data Leaks to Support Reconnaissance Efforts\r\nSensitive OT and network documentation exposed in ransomware extortion leaks is readily available for anyone to\r\ndownload, including security researchers, industry competitors, or threat actors. As we have highlighted, the most\r\nconcerning scenario involves well-resourced actors that have the capability to systematically hunt for data to learn\r\nabout specific targets.\r\n- Historically, espionage campaigns have helped state-sponsored groups to acquire details about the\r\noperations of industrial organizations. This reconnaissance data has supported different stages of real cyber\r\nphysical attacks such as the Ukraine power outages in 2015 and 2016 and the TRITON incident.\r\n- Data from extortion leaks may provide sophisticated actors with information on targets, while\r\nlimiting their exposure to defenders and cost of operations.\r\n- Actors may also select targets based on readily available sensitive data about the victim’s\r\ninfrastructure, assets, security flaws, and processes.\r\n- Attacks that leverage higher levels of cyber physical reconnaissance data are likely to result in more\r\nsignificant and precise impacts.\r\n- Mandiant has released blogs describing how we use network details and process documentation to\r\nmodel attack scenarios during OT red teaming engagements.\r\n- Actors that have limited resources and capabilities will likely have more limited visibility into data from\r\nlarge extortion leaks. 
However, they can still explore dumps to learn about an organization, satisfy their\r\ncuriosity, or reshare the contents.\r\nProtecting OT Data from Multifaceted Extortion Leaks\r\nBased on our analysis, one out of every seven leaks from industrial organizations posted in ransomware extortion\r\nsites is likely to expose sensitive OT documentation. Access to this type of data can enable threat actors to learn\r\nabout an industrial environment, identify paths of least resistance, and engineer cyber physical attacks. On top of\r\nthis, other data also included in the leaks about employees, processes, projects, etc. can provide an actor with a\r\nvery accurate picture of the target’s culture, plans, and operations.\r\nEven if the exposed OT data is relatively old, the typical life span of cyber physical systems ranges from twenty to\r\nthirty years, resulting in leaks being relevant for reconnaissance efforts for decades—much longer than exposed\r\ninformation on IT infrastructure. To prevent and mitigate the risks presented by exposed OT data, we suggest the\r\nfollowing:\r\n- Create and enforce robust data handling policies for employees and subcontractors to ensure that internal\r\ndocumentation is protected. Avoid storing highly sensitive operational data in less-secure networks.\r\n- Place special attention on selecting subcontractors that implement comprehensive security programs to\r\nsafeguard operational data.\r\n- Victims of ransomware intrusions should assess the value of any leaked data to determine what\r\ncompensatory controls can help decrease the risk of further intrusions.\r\n- Change any leaked credentials and API keys. 
Consider changing exposed IP addresses for critical systems\r\nand OT jump servers.\r\n- Periodically conduct red team exercises to identify externally exposed and insecure internal information.\r\nMandiant offers a suite of service options, including OT red teaming, to help OT asset owners\r\nmitigate risk or respond to incidents after they occur.\r\nAcknowledgements\r\nThis research was made possible thanks to the hard work of many people not listed on the byline. A huge thanks\r\nto the Mandiant Research Team and everyone else who supported this effort.\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.mandiant.com/resources/blog/ransomware-extortion-ot-docs",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/ransomware-extortion-ot-docs"
	],
	"report_names": [
		"ransomware-extortion-ot-docs"
	],
	"threat_actors": [],
	"ts_created_at": 1775439114,
	"ts_updated_at": 1775826680,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/79af367891410fd4b03838d9566b559a938d95eb.pdf",
		"text": "https://archive.orkl.eu/79af367891410fd4b03838d9566b559a938d95eb.txt",
		"img": "https://archive.orkl.eu/79af367891410fd4b03838d9566b559a938d95eb.jpg"
	}
}