Cyber Incident Victim: Ministry of Energy of Ukraine

Date: Apr 2018

Location: Ukraine

Summary

A ransomware attack compromised the website of Ukraine's energy ministry, taking it offline, encrypting its files and displaying a ransom demand for 0.1 bitcoin. Ukrainian cyber-police confirmed the incident was isolated, with no broader government impact, and noted the ministry's email systems remained operational. Security researchers identified two distinct attackers: a hacktivist who first defaced the site under the alias 'X-zakaria', followed by a separate actor who exploited the breach to deploy ransomware for financial gain. Analysis suggested both were likely amateur hackers rather than state-sponsored actors, in contrast to previous destructive attacks on Ukrainian energy infrastructure that masqueraded as ransomware. The attackers' historical earnings from similar compromises were minimal, and officials worked to restore services without disclosing resolution timelines.


Description

On April 24, 2018, ransomware compromised the website of Ukraine’s Energy Ministry, rendering it inaccessible and encrypting its files. The attackers replaced the site with an English-language message demanding a payment of 0.1 bitcoin, equivalent to approximately $928 at the time. Ukrainian cyber-police spokeswoman Yulia Kvitko confirmed the incident as isolated, clarifying that no other government websites were impacted and that the ministry’s email systems remained operational. The cyber-police initiated a response, with specialists working to resolve the issue, though no estimated restoration timeline was provided. Security firm AlienVault analyzed the attack, identifying two distinct threat actors: the first, using the alias ‘X-zakaria,’ defaced the website but did not deploy ransomware. A second attacker subsequently exploited a backdoor left by the initial intrusion to encrypt files and implement the ransom screen.

AlienVault researcher Chris Doman characterized both hackers as likely amateurs rather than nation-state actors, citing their limited financial gains from prior attacks—approximately £100 total. The firm noted that while Ukrainian energy entities had historically faced disruptive attacks disguised as ransomware, this incident lacked hallmarks of sophisticated operations. The ransomware’s payment mechanism and the attackers’ operational patterns suggested a financially motivated criminal effort rather than a strategic cyber campaign. The Energy Ministry’s website remained offline during the response, with no public reports of data destruction or secondary impacts beyond the encryption. Ukrainian authorities maintained public assurances of their capacity to manage the incident, emphasizing its containment to a single government domain.
