{
	"id": "ae09f90f-048a-476a-8f0b-88e2188413cf",
	"created_at": "2026-04-06T00:08:43.394726Z",
	"updated_at": "2026-04-10T03:23:51.255219Z",
	"deleted_at": null,
	"sha1_hash": "dc95e5f2198eed29b7d7f1de869a66a9156a170d",
	"title": "Ragnar Locker Likely Behind Attack on Greek Gas Operator",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 370066,
	"plain_text": "Ragnar Locker Likely Behind Attack on Greek Gas Operator\r\nBy Mihir Bagwe\r\nArchived: 2026-04-05 17:15:07 UTC\r\nCritical Infrastructure Security , Fraud Management \u0026 Cybercrime , Ransomware\r\nThreat Group Says DESFA Did Not Pay Ransom, Releases Confidential Data (MihirBagwe) • August 24, 2022    \r\nImage: Shutterstock\r\nRagnar Locker ransomware group released 361 gigabytes of what appears to be confidential data belonging to\r\nGreek national natural gas pipeline operator DESFA. The crime group says the alleged victim refused to negotiate\r\nand so it made good on its data dump threat. Among the leaked documents are engineering designs and budget and\r\nrevenue documents.\r\nSee Also: Top 10 Actions During a Ransomware Attack\r\n\"DESFA company didn't pay any attention on the possible risk of data leakage,\" the ransomware gang wrote on its\r\nleak site on Tuesday. \"So, as we promised today we are publishing the full Data which were downloaded from\r\nDESFA network.\r\nThe pipeline company confirmed last week a cyberattack on its systems that could lead to a data leak. The\r\ncompany did not respond to Information Security Media Group's request for comment on the Ragnar Locker's\r\nclaims.\r\nhttps://www.bankinfosecurity.com/ragnar-locker-likely-behind-attack-on-greek-gas-operator-a-19907\r\nPage 1 of 3\n\nISMG's review of the data shows several files that appear to be future budget and past revenue spreadsheets;\r\ncopies of non-disclosure agreements with customers and partners; engineering designs and their backups in a\r\ndirectory format. The authenticity of the data could not be immediately verified.\r\nTimeline of Events\r\nRagnar Locker added DESFA to its victim list on its site leak on Friday. The group posted a data file-tree of 4.8\r\nmegabytes as a proof of its claims, along with screenshots of the documents allegedly belonging to DESFA.\r\nOn Saturday, DESFA said some of its systems were affected by a cyberattack and that an undisclosed number of\r\ndirectories and files may have been leaked. It did not specify the identity of the attacker, but said it \"remains firm\r\nin its position not to negotiate with cybercriminals.\"\r\nThe company said it was investigating the root cause of the attack with technical experts, alerted relevant\r\nauthorities and deactivated most of its IT services as a precautionary measure.\r\nThe shutdown does not impact the national natural gas system, it said. \"The management of the NNGS continues\r\nto operate smoothly and DESFA continues to supply natural gas to all entry and exit points of the country safely\r\nand adequately,\" it says.\r\nScreenshot of alleged budget document posted on Ragnar Locker's leak site (Source: ISMG)\r\nDonut Leaks Link\r\nThe same set of data has also appeared on a separate leak site, called Donut Leaks, Bleeping Computer reports.\r\nhttps://www.bankinfosecurity.com/ragnar-locker-likely-behind-attack-on-greek-gas-operator-a-19907\r\nPage 2 of 3\n\nDonut Leaks is linked to an extortion group that reportedly attacked U.K. architectural firm Sheppard Robson and\r\nmultinational construction company Sando, and two other undisclosed companies. The latter's attack was\r\nreportedly claimed by the Hive ransomware group.\r\nThe link likely means that the \"threat actor running Donut Leaks is a pen tester or an affiliate for both Hive,\r\nRagnar Locker and possibly other ransomware operations,\" the Bleeping Computer report says.\r\nSource: https://www.bankinfosecurity.com/ragnar-locker-likely-behind-attack-on-greek-gas-operator-a-19907\r\nhttps://www.bankinfosecurity.com/ragnar-locker-likely-behind-attack-on-greek-gas-operator-a-19907\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bankinfosecurity.com/ragnar-locker-likely-behind-attack-on-greek-gas-operator-a-19907"
	],
	"report_names": [
		"ragnar-locker-likely-behind-attack-on-greek-gas-operator-a-19907"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434123,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dc95e5f2198eed29b7d7f1de869a66a9156a170d.pdf",
		"text": "https://archive.orkl.eu/dc95e5f2198eed29b7d7f1de869a66a9156a170d.txt",
		"img": "https://archive.orkl.eu/dc95e5f2198eed29b7d7f1de869a66a9156a170d.jpg"
	}
}