Ransomware Attack on Nestoil Group by BlackSuit

Company Profile

Nestoil Limited, a prominent Nigerian oil and gas company, was established in 1991. As the largest indigenous Engineering, Procurement, Construction, and Commissioning (EPCC) service provider in Nigeria and Sub-Saharan Africa, Nestoil stands out in the oil and gas sector. The company is headquartered in Victoria Island, Lagos, and boasts a significant operational base in Port Harcourt. With approximately 2000 direct employees and a reported revenue of $1.09 billion, Nestoil plays a crucial role in promoting local content and sustainability in energy projects.

Specializing in pipeline construction, maintenance, and various oilfield services, Nestoil has been instrumental in setting industry standards within the region. Their extensive facilities support their strategic focus on local content development, which is critical for the Nigerian oil and gas industry.

Details of the Ransomware Attack

The BlackSuit ransomware group, which emerged in 2023 and is linked to the notorious Royal ransomware group, has targeted Nestoil Group. This attack involved the encryption of data on Nestoil's systems and included threats of data leakage unless a ransom was paid. The specifics of the ransom demand remain undisclosed, and the extent of data exfiltration has not been fully detailed. However, the presence of a sample of leaked data suggests that sensitive information may have been compromised.

BlackSuit is a new ransomware family with significant similarities to the Royal ransomware, indicating possible shared origins or collaboration. This ransomware targets both Windows and Linux systems, including critical infrastructure like VMware ESXi servers. The .blacksuit extension is appended to encrypted files, and a ransom note, README.BlackSuit.txt, is left in affected directories. The emergence of BlackSuit highlights its potential as a significant threat due to its sophisticated approach and the broad range of systems it can target.

Vulnerabilities and Target Selection

The attacked company's significant digital footprint and critical role in the energy sector may have made it an attractive target for the BlackSuit group. Companies like Nestoil are often at risk due to the essential nature of their services and the extensive amount of sensitive data they handle. The integration of various IT and operational technology (OT) systems in such companies can also offer multiple vectors for cyberattacks, potentially explaining how BlackSuit could have penetrated Nestoil's defenses.

Sources

• Nestoil Group Official Website
• Estate Intel - Nestoil
• RocketReach - Nestoil Limited Profile
• Security Affairs - BlackSuit Similar to Royal Ransomware
• BleepingComputer - The Week in Ransomware