Pakistan Petroleum Limited (PPL), one of the country’s major state-run oil and gas enterprises, has experienced a serious cybersecurity breach that has paralyzed its IT infrastructure for two consecutive days. The attack, reportedly carried out by a group identifying itself as “Blue Locker,” has resulted in the encryption of PPL’s servers and denial of access to backup data. The attackers are now demanding a ransom in exchange for a decryption tool and a commitment not to release sensitive company data.
According to internal sources, the affected systems include virtual machines and financial servers. The hackers claim to have exfiltrated key operational data, contract information, and employee records. In an email addressed to company staff, the threat actors warned that they had deleted backups and stolen business-critical data. They further stated that unless direct communication is initiated with them, they would disclose the breach to mainstream media and competitors and leak the stolen data on public platforms. The message also cautioned that any attempts to independently recover the files could result in permanent data loss.
PPL, in its official statement, confirmed the detection of a ransomware incident targeting segments of its IT network. The intrusion was identified on August 6, 2025, and containment protocols were swiftly activated. In collaboration with external cybersecurity experts, the company suspended certain non-critical IT services to minimize impact and safeguard system integrity. PPL noted that its multi-layered cybersecurity framework allowed it to rapidly isolate the threat. At this stage, the company maintains that core operational systems have not been compromised and that Joint Venture (JV) partners and external stakeholders remain operational.
The company acknowledged receipt of a ransom note from an entity calling itself “Proton.” In line with legal requirements and cybersecurity best practices, the incident has been reported to law enforcement and regulatory bodies. Investigations are underway in partnership with these agencies. A full forensic analysis is also being conducted to determine the scope of the breach and further strengthen cybersecurity defenses. PPL reiterated its commitment to restoring system functionality in a phased and secure manner while ensuring transparent communication with stakeholders.
Despite the company’s assurances, sources revealed that negotiations between PPL officials and the attackers have been ongoing. The breach has significantly impacted financial operations, which remain suspended. The attackers are reportedly insisting on direct negotiations and have warned against involving intermediaries or cybersecurity consultants. Government institutions have been briefed on the situation, and assistance has been sought to restore the affected systems.
Other oil and gas firms have also been alerted to the incident and advised to adopt immediate preventive measures. Experts in the cybersecurity field have raised alarms over the implications of such attacks on national energy infrastructure and have stressed the urgent need for enhanced investment in digital defense capabilities, incident response mechanisms, and threat intelligence systems for state-owned enterprises.
