revil attacks Doosan Group

Incident Date:

August 2, 2022

World map



revil attacks Doosan Group


Doosan Group




Export, USA

Philadelphia, USA

First Reported

August 2, 2022

Doosan Group Suffers Ransomware Attack

Company Profile

The Doosan Group, a South Korean multinational conglomerate, has been targeted by the REvil ransomware group. The company operates in the manufacturing sector, specializing in air compressor manufacturing, with a focus on efficiency and customer specifications. Doosan is a Fortune 500 company with a significant presence in South Korea, supporting critical infrastructure, including the nuclear energy sector. The company is also the corporate parent to Bobcat and Škoda Power.

Vulnerabilities and Impact

The attack on Doosan Group was part of a broader trend of ransomware attacks targeting the energy sector, including nuclear facilities and related organizations. The REvil group, active since 2019, is known for its ransomware-as-a-service (RaaS) operations. The attack resulted in the theft of over 1.6 TB of sensitive data from the company and its business partners, with the REvil group publishing multiple samples of the ransomed files to substantiate their claims.

Response and Mitigation

The Korean National Computer Emergency Response Team (KN-CERT) was notified of the attack on Doosan Group by Resecurity, which also gained exclusive access to the company's Active Directory listing. The initial intrusion is believed to have occurred around December 3, 2020. The REvil group's tactics include intermittent encryption, the use of modern specialized programming languages, and dual ransomware attacks involving more than one variant, designed to enhance their adaptability and evasion.

The REvil ransomware group's attack on Doosan Group underscores the increasing prevalence of ransomware attacks targeting the energy sector. Companies in the manufacturing sector, such as Doosan, must remain vigilant and implement robust cybersecurity measures to protect their sensitive data and critical infrastructure.


Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.