Cyber Incident Victim: Volue
Date: May 2023
Location: Norway
Summary
A Norway-based green energy solutions provider experienced a ransomware attack impacting some operations, leading to system shutdowns and restoration efforts using unaffected cloud backups. The incident involved Ryuk ransomware, which encrypts files for profit but lacks an associated data leak site, with no evidence found of data exfiltration—personal or energy-sensitive—during the ongoing investigation. The company advised customers to log off services and change passwords to prevent potential spread, noting that Powel-related systems were targeted while its primary domain remained uncompromised. Most remote employees were unaffected, and recovery progress indicated near-full operational restoration within days, with customer environments showing no direct impact from the attack.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On May 5, 2021, Norway-based green energy technology provider Volue detected a ransomware attack impacting some of its operational systems. The company, formed in 2020 through the merger of Powel, Wattsight, Markedskraft, and Scanmatic, provides industrial IoT, energy trading, water infrastructure management, and optimization software to over 2,200 customers across 44 countries, primarily in Europe. Volue immediately shut down affected applications upon discovery to contain the incident and initiated system restoration procedures. The attackers deployed Ryuk ransomware, a strain known for encrypting victim files to extort payments but not operating a dedicated data leak site at the time of the attack. Volue emphasized this characteristic in its communications, noting Ryuk operators' lack of history in conducting supply chain attacks or publicly leaking stolen data—an assessment corroborated by cybersecurity firms Kaspersky and Digital Shadows.

Volue's investigation confirmed cloud backups remained intact and unaffected by the encryption, enabling recovery efforts. The company directed customers to log off its servers as a precaution against potential ransomware propagation and advised password resets for all Volue services. Forensic analysis revealed the attack specifically targeted systems associated with Powel domains, while the broader Volue domain infrastructure showed no signs of compromise. No evidence of data exfiltration—including personal information or energy-sensitive operational data—was identified. Most employees working remotely during the incident experienced no direct impact. Within days of containment, Volue reported substantial progress restoring systems and anticipated full operational recovery shortly, implementing structured safety validation protocols for customer-facing products and services. The company maintained throughout its response that customer environments and applications showed no direct compromise from the attack, which occurred days before the unrelated Colonial Pipeline ransomware incident involving DarkSide malware in the United States.
