ISLAMABAD: Pakistan Petroleum Limited (PPL), one of the country’s leading state-run oil and gas companies, has fallen victim to a major cyberattack, leaving its IT systems crippled for the past two days.
According to sources, hackers operating under the alias “Blue Locker” have encrypted PPL’s servers, blocked access to backups, and are now demanding a ransom in exchange for a decryption tool and a promise not to leak sensitive data.
The company’s entire financial system has been brought to a standstill, as operations remain suspended.
According to the sources, the encrypted systems include virtual machines and financial servers, and the attackers claim to have exfiltrated vital data related to operations, contracts, and employee information.
In an alarming email sent to PPL employees, the hackers stated:
“Your computers and servers are encrypted, backups are deleted from your network and copied. We have stolen some of your business data and employee information, including but not limited to TMC Data (Sui, Adhi, etc.) and contracts… If you don’t contact us with a quote, we will report the hack to mainstream media and release your data to social media and competitors.”
The message also warned that any attempt to modify or recover files independently could result in permanent data loss.
In an official statement, PPL said: “Pakistan Petroleum Limited (PPL) recently identified a cybersecurity incident involving a ransomware intrusion targeting parts of its IT infrastructure. The event was detected on August 6, 2025, and our internal cybersecurity protocols were immediately activated.
Our IT and cybersecurity teams, in collaboration with external experts, took prompt and effective containment measures, including the temporary suspension of select non-critical IT services as a precaution to limit potential impact and ensure the integrity of our systems.
PPL operates a multi-layered cybersecurity framework, and thanks to these systems, the threat was rapidly isolated. At this point, there is no indication of compromise to business-critical or sensitive data. Core operational systems remain unaffected, and our Joint Venture (JV) partners and external stakeholders continue to operate without disruption.
We can confirm that a ransomware note was received from an external actor identifying themselves as “Proton.” In accordance with best practices and legal guidelines, the matter has been reported to relevant law enforcement and regulatory authorities. Investigations are ongoing in coordination with these agencies.
We remain committed to full transparency and are conducting a comprehensive forensic analysis to assess the scope and reinforce our cyber resilience. Our teams are working diligently to restore full system functionality in a secure and phased manner.
PPL places the highest priority on safeguarding its digital infrastructure and remains focused on maintaining the trust of its stakeholders through timely action and proactive cyber risk management.”
The hacking incident has raised serious concerns about the cybersecurity resilience of critical national infrastructure, especially in the energy sector. The attackers, using encryption and threatening exposure, have demanded direct negotiations, stating that intermediaries or cybersecurity consultants should not be involved.
So far, it remains unclear whether PPL has engaged with the hackers or reported the matter to law enforcement or the National CERT (Computer Emergency Response Team).
The sources also said that the company’s IT experts and management are in negotiations with the hackers, who have held control of PPL’s IT system for the past two days. They said that the administration has lost control over the company’s financial operations. They further revealed that the government and relevant authorities have been fully informed about the situation, and that these institutions have been asked to help restore the company’s systems. Other oil and gas companies have also been alerted and warned to take immediate precautionary measures and necessary steps, they added.
Cybersecurity experts warn that such attacks can compromise national energy security and stress the need for urgent investment in digital infrastructure and threat monitoring systems across all state-owned enterprises.