Cyber Incident Victim: Encino Energy
Date: Feb 2023
Location: United States of America
Summary
A ransomware group known as ALPHV targeted Encino Energy, a prominent U.S. oil and gas producer, claiming unauthorized access to 400GB of data. The company confirmed that it investigated and remediated the incident and insisted there was no operational impact, but declined to disclose specifics regarding ransom demands, any payment, or verification of the leaked data. ALPHV, a rebranded group linked to previous high-profile attacks on critical infrastructure, has a history of disrupting energy sector operations, including incidents affecting European oil companies that forced manual processes and supply rerouting. Broader industry reports indicate ALPHV was among the most active ransomware threats to industrial entities, with multiple energy sector compromises noted during the preceding period.
Description
Encino Energy, Ohio's largest oil producer and a major U.S. natural gas company, experienced a cyberattack in February 2023 that became public when the ALPHV ransomware group listed the organization on its dark web leak site. The Houston-based company had not disclosed the breach until contacted by media, despite ALPHV allegedly exfiltrating approximately 400GB of data. Encino spokesperson Jackie Stewart confirmed unauthorized activity occurred, stating the company investigated and remediated the issue, but declined to specify whether this constituted a ransomware attack, if payment was made, or if the leaked data’s authenticity was verified. The exact timeline of the intrusion remains undisclosed, though ALPHV's posting appeared shortly before February 24. Encino asserted no operational disruptions occurred, maintaining business continuity throughout the incident. The ALPHV group did not publish ransom demands or deadlines alongside their claim. Stewart did not address whether federal agencies like the Transportation Security Administration (TSA) were notified, despite mandates requiring critical pipeline operators to report such events following the 2021 Colonial Pipeline incident.

ALPHV, also operating as BlackCat, is a rebrand of the BlackMatter ransomware operation, which itself evolved from the DarkSide group responsible for the Colonial Pipeline attack. Recorded Future News contextualized the Encino incident within ALPHV’s broader targeting of energy infrastructure, referencing their February 2022 attack on European oil firms Oiltanking and Mabanaft, subsidiaries of Marquard & Bahls. That incident severely disrupted fuel distribution systems across Germany, forcing manual operations at gas stations and supply rerouting by Shell. Industrial cybersecurity firm Dragos ranked ALPHV as the fourth-most active ransomware group targeting industrial sectors in 2022, noting 21 attacks against oil and gas companies that year. The Encino breach followed early 2023 ransomware incidents like the disruption of Canada’s Qulliq Energy Corporation’s payment systems. While Encino reported no operational consequences, ALPHV’s history of targeting critical infrastructure highlights the persistent threat to energy sector organizations.
