{
	"id": "7dc8a03f-d2ec-443d-bf6e-4c4dd0531f42",
	"created_at": "2026-04-06T00:07:50.904669Z",
	"updated_at": "2026-04-10T03:22:02.591685Z",
	"deleted_at": null,
	"sha1_hash": "ff769d654e78baec60f10f9fbf6ec8899547be96",
	"title": "REvil ransomware gang publishes 'Elexon staff's passports' after UK electrical middleman shrugs off attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42535,
	"plain_text": "REvil ransomware gang publishes 'Elexon staff's passports' after\r\nUK electrical middleman shrugs off attack\r\nBy Gareth Corfield\r\nPublished: 2020-06-01 · Archived: 2026-04-05 16:54:43 UTC\r\nThe REvil/Sodinokibi ransomware gang has just published what it claimed were files stolen from UK power grid\r\nmiddleman Elexon.\r\nAs reported here, the company was hacked two weeks ago.\r\nThe stolen data was published on REvil's Tor webpage as a cache of 1,280 files, which we understand include\r\ndocuments that appeared to be passports of Elexon staff members and an apparent business insurance application\r\nform. The Register has not verified whether the cache, in a .rar file, contains further information intended to harm\r\nElexon and its staff.\r\nElexon said at the time of the \"cyber attack\" in mid-May that it had identified the \"root cause\" and was \"taking\r\nsteps to restore\" its IT systems.\r\nResponsible for a key financial part of the UK's part-privatised electricity markets, Elexon tots up forecast\r\nelectrical demand from the whole nation in half-hour blocks. It then reconciles the forecast against actual demand\r\nand electrical generation supplied to the National Grid. Cash then flows either from the grid to generators (in cases\r\nwhere supply exceeded demand, so the forecast was wrong) or in the other direction, where underperforming\r\npower generators pay the grid for not supplying enough at the right times.\r\nElexon did not immediately respond to The Register's request for comment. Judging by its previous responses, it\r\nappears the company shrugged off the ransomware attack and simply rebuilt its IT infrastructure from backups,\r\nignoring the criminals' demands to pay them lots of money.\r\nToday's disclosures, if genuine, could be interpreted as revenge for being snubbed – though if this is what\r\nhappened, of course, Elexon absolutely did the right thing by refusing to engage.\r\nBrett Callow of infosec biz Emsisoft told El Reg: \"In the past, ransomware crims' graft and grift would have all\r\nbeen for naught if the company they'd hit was able to restore its data from backups. But half-inching a copy of\r\ncompanies' information provides them with additional leverage and monetisation options.\r\n\"Companies with usable backups may still be willing to pay to prevent their data being published and, even if they\r\nare not, the data may be sold to competitors or sold and traded with other criminals.\"\r\nCallow also speculated, based on previous reports elsewhere, that Elexon may have been running an unpatched\r\nPulse Secure VPN server, although this is of course unconfirmed.\r\nhttps://www.theregister.com/2020/06/01/elexon_ransomware_was_revil_sodinokibi/\r\nPage 1 of 2\n\nThe REvil group has also claimed to have hacked a bunch of organisations, recently including a law firm whose\r\nclients included Madonna, Elton John and Lady Gaga among others. The gang's modus operandi is simple: pay up\r\nor we publish.\r\nAs a financial organisation, Elexon's woes have no impact on electrical generation or supply. Despite REvil's rage,\r\nthe lights will remain resolutely on across the UK tonight. ®\r\nSource: https://www.theregister.com/2020/06/01/elexon_ransomware_was_revil_sodinokibi/\r\nhttps://www.theregister.com/2020/06/01/elexon_ransomware_was_revil_sodinokibi/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.theregister.com/2020/06/01/elexon_ransomware_was_revil_sodinokibi/"
	],
	"report_names": [
		"elexon_ransomware_was_revil_sodinokibi"
	],
	"threat_actors": [],
	"ts_created_at": 1775434070,
	"ts_updated_at": 1775791322,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ff769d654e78baec60f10f9fbf6ec8899547be96.pdf",
		"text": "https://archive.orkl.eu/ff769d654e78baec60f10f9fbf6ec8899547be96.txt",
		"img": "https://archive.orkl.eu/ff769d654e78baec60f10f9fbf6ec8899547be96.jpg"
	}
}