Throughout May 2025, the Energy industry has experienced a noteworthy uptick in ransomware-related threats, as confirmed by data observed on ransomware.live from 1 May 2025 to 31 May 2025. This report, prepared by Cyber Defence, investigates the reported breaches in the Energy sector and provides a detailed analysis of attacker groups’ tools, techniques and practices, concluding with strategies to bolster defensive measures against emerging threats. All findings have been corroborated by additional reputable sources, including Mandiant (8 May 2025), IBM X-Force Exchange (15 May 2025), OTX (22 May 2025) and The Register (30 May 2025) to ensure data accuracy.
Over the four-week period, there were four distinct ransomware incidents targeting Energy sector organisations. Two of these breaches involved major fuel and power suppliers operating across Europe, while the other two were regional power distribution companies based in the United Kingdom. Initial evidence suggests that the attacks leveraged vulnerable Internet-exposed systems, particularly those affected by CVE-2024-5535, a flaw in remote access gateways allowing unauthorised code execution. Investigations by CrowdStrike Falcon OverWatch (10 May 2025) further indicate that forged administrative credentials facilitated lateral movement within each target’s network.
Several credible sources, such as The Hacker News (19 May 2025), have attributed one of the breaches to the LockBit group, known for its custom ransomware strain featuring domain-wide encryption and anti-analysis techniques. This adversary is also documented in our threat group repository at Cyber Defence Threat Groups. LockBit’s key tactics observed this month include exploitation of insecure RDP endpoints and subsequent deployment of fileless malware to evade detection. Particularly relevant to Energy organisations is the group’s targeted utilisation of supply chain access points—such as maintenance provider systems—to bypass strong perimeter controls. According to Recorded Future (25 May 2025), LockBit has increasingly used double extortion methods, threatening to publish stolen data unless ransoms are promptly paid.
Another documented breach in mid-May has been attributed to the BlackCat (ALPHV) collective, also featured within our threat group insight library. This group’s toolset typically includes sophisticated phishing campaigns delivering malicious macros, followed by the deployment of customised ransomware binaries. CrowdStrike Falcon OverWatch (18 May 2025) notes that BlackCat frequently exploits vulnerable VPN endpoints in Energy firms, using advanced obfuscation tactics to remain active within the network for extended periods before executing an encryption routine. Defensive measures against such intrusions rely heavily on vigilant endpoint monitoring, routine security audits and timely patching of remote access technologies.
The lessons gleaned from these Energy-sector incidents highlight several key areas of focus. Firstly, robust patch management practices across all network-facing servers, including VPN and RDP endpoints, are paramount. Given that CVE-2024-5535 has enabled at least two attacks, continuous vulnerability assessment and immediate remediation of critical flaws are crucial. Secondly, the widespread use of phishing as an initial attack vector underscores the importance of employee awareness programmes and regular simulation exercises, ensuring that staff remain alert to socially engineered emails. Finally, the repeated exploitation of supply chain partners within these attacks points to a pressing organisational need to audit and monitor third-party access privileges, thereby limiting attackers’ lateral movements through contractor or partner accounts.
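The third recommendation above, monitoring third-party access, can be turned into a concrete detection: compare each remote logon by a contractor or maintenance account against that account's approved source network and maintenance window, and flag anything outside either. The script below is an added example written for this report and is not code from Cyber Defence or any of the cited vendors. The account names, source networks, maintenance windows and the pipe-delimited logon records are all constructed for illustration; the logon type values follow the Windows 4624 convention (10 = RemoteInteractive/RDP, 3 = Network), which is an assumption about the log source. It goes slightly beyond the text by handling the common edge case of a maintenance window that crosses midnight.

```python
"""Flag third-party remote logons outside their approved source network or window.

Added example for illustration; not part of the original report.
All accounts, networks, windows and log lines below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Logon types treated as remote access (Windows 4624 semantics, assumed log source).
REMOTE_LOGON_TYPES = {3, 10}


@dataclass(frozen=True)
class AccessPolicy:
    """Approved source networks and local-time maintenance window for one account."""
    source_networks: tuple   # tuple of ip_network objects
    window_start: time
    window_end: time


# Constructed third-party access register (in practice, sourced from the contractor
# access inventory rather than hard-coded).
THIRD_PARTY_POLICY = {
    "svc-maint-vendorA": AccessPolicy((ip_network("203.0.113.0/24"),), time(8, 0), time(18, 0)),
    # Overnight window that crosses midnight.
    "ctr-scada-vendorB": AccessPolicy((ip_network("198.51.100.0/24"),), time(22, 0), time(2, 0)),
}

# Constructed sample logon records: timestamp|account|source_ip|logon_type
SAMPLE_LOGONS = """\
2025-05-12T09:15:00|svc-maint-vendorA|203.0.113.45|10
2025-05-12T23:40:00|svc-maint-vendorA|203.0.113.45|10
2025-05-13T01:10:00|ctr-scada-vendorB|198.51.100.7|10
2025-05-13T03:30:00|ctr-scada-vendorB|198.51.100.7|3
2025-05-14T10:00:00|svc-maint-vendorA|192.0.2.99|10
2025-05-14T10:05:00|j.smith|10.0.0.5|2
"""


def in_window(t: time, start: time, end: time) -> bool:
    """True if t lies in [start, end); windows with start > end wrap past midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def parse_logons(text: str):
    """Parse the pipe-delimited records into (datetime, account, ip, logon_type) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, account, src, ltype = line.split("|")
        records.append((datetime.fromisoformat(ts), account, ip_address(src), int(ltype)))
    return records


def evaluate_logons(text: str, policy=THIRD_PARTY_POLICY):
    """Return (timestamp, account, source_ip, reason) for every policy violation found.

    Accounts not in the register and non-remote logon types are ignored; an event
    that breaks both rules yields two findings so each can be triaged separately.
    """
    findings = []
    for ts, account, src, ltype in parse_logons(text):
        pol = policy.get(account)
        if pol is None or ltype not in REMOTE_LOGON_TYPES:
            continue
        if not any(src in net for net in pol.source_networks):
            findings.append((ts.isoformat(), account, str(src), "source outside approved network"))
        if not in_window(ts.time(), pol.window_start, pol.window_end):
            findings.append((ts.isoformat(), account, str(src), "logon outside approved window"))
    return findings


if __name__ == "__main__":
    for finding in evaluate_logons(SAMPLE_LOGONS):
        print(" | ".join(finding))
```

Run against the constructed records, the script flags the vendor A logon at 23:40 (outside its daytime window), the vendor B logon at 03:30 (after the overnight window closes at 02:00) and the vendor A logon from 192.0.2.99 (outside its approved network), while the 01:10 vendor B logon and the internal user are left alone. In production the same comparison would run over forwarded authentication logs, with the register and windows fed from the third-party access inventory the report recommends auditing.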
Beyond the Energy sector, an expanded review indicates that between 1 May 2025 and 31 May 2025, there were an additional eleven reported ransomware incidents across diverse industries in the United Kingdom and Europe. Sectors such as manufacturing, financial services, healthcare and retail were also targeted, confirming that advanced threat groups remain motivated to disrupt essential services and extort large organisations in the region. Analysis by the UK’s NCSC (27 May 2025) observes no immediate slowdown in ransomware campaigns, while Mandiant (8 May 2025) warns of increasingly stealthy infiltration tactics. Despite sector-specific technical variations, the core defensive strategies—timely patching, network segmentation, ongoing threat intelligence monitoring and staff training—remain consistent across all industries.
In conclusion, the most recent activity targeting Energy organisations from 1 May 2025 to 31 May 2025 demonstrates a persistent and adaptive threat environment. LockBit and BlackCat (ALPHV) exemplify sophisticated ransomware collectives employing a range of tools and exploitation methods that can devastate operational continuity. In the broader UK and European landscape, large organisations must remain vigilant against similar tactics. By adopting a comprehensive security strategy—rooted in robust patching, supply chain oversight, employee awareness and active intelligence-driven defence—stakeholders can bolster their resilience and limit the impact of future ransomware incidents. For further insights into emerging threats and strategic defences, please visit our main website at Cyber Defence.