BlackSuit Ransomware Group Strikes Nigerian Oil and Gas Giant

Incident Date:

May 6, 2024

World map



BlackSuit Ransomware Group Strikes Nigerian Oil and Gas Giant


Nestoil Group


Black Suit


Lagos, Nigeria

, Nigeria

First Reported

May 6, 2024

Ransomware Attack on Nestoil Group by BlackSuit

Company Profile

Nestoil Limited, a prominent Nigerian oil and gas company, was established in 1991. As the largest indigenous Engineering, Procurement, Construction, and Commissioning (EPCC) service provider in Nigeria and Sub-Saharan Africa, Nestoil stands out in the oil and gas sector. The company is headquartered in Victoria Island, Lagos, and boasts a significant operational base in Port Harcourt. With approximately 2000 direct employees and a reported revenue of $1.09 billion, Nestoil plays a crucial role in promoting local content and sustainability in energy projects.

Specializing in pipeline construction, maintenance, and various oilfield services, Nestoil has been instrumental in setting industry standards within the region. Their extensive facilities support their strategic focus on local content development, which is critical for the Nigerian oil and gas industry.

Details of the Ransomware Attack

The BlackSuit ransomware group, which emerged in 2023 and is linked to the notorious Royal ransomware group, has targeted Nestoil Group. This attack involved the encryption of data on Nestoil's systems and included threats of data leakage unless a ransom was paid. The specifics of the ransom demand remain undisclosed, and the extent of data exfiltration has not been fully detailed. However, the presence of a sample of leaked data suggests that sensitive information may have been compromised.

BlackSuit is a new ransomware family with significant similarities to the Royal ransomware, indicating possible shared origins or collaboration. This ransomware targets both Windows and Linux systems, including critical infrastructure like VMware ESXi servers. The .blacksuit extension is appended to encrypted files, and a ransom note, README.BlackSuit.txt, is left in affected directories. The emergence of BlackSuit highlights its potential as a significant threat due to its sophisticated approach and the broad range of systems it can target.

Vulnerabilities and Target Selection

The attacked company's significant digital footprint and critical role in the energy sector may have made it an attractive target for the BlackSuit group. Companies like Nestoil are often at risk due to the essential nature of their services and the extensive amount of sensitive data they handle. The integration of various IT and operational technology (OT) systems in such companies can also offer multiple vectors for cyberattacks, potentially explaining how BlackSuit could have penetrated Nestoil's defenses.


Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.