South Staffs Water confirmed that its systems were compromised.

The Cl0p ransomware group claimed an attack on UK-based utility supplier South Staffs Water. The ransomware group initially misattributed the attack to a different company, according to a report in ITPro.

South Staffs Water confirmed the attack on Monday, saying it was “experiencing disruption to [its] corporate IT network”. However, the company did not say that the attack involved ransomware.

Cl0p published a “trove” of stolen documents on its leak blog on Monday, including passport scans, spreadsheets, drivers’ licenses, screenshots of software user interfaces and more.


The ransomware group seemed confused, claiming to have access to more than 5TB worth of data belonging to the victim, which it falsely believed to be Thames Water. The mistake is odd, as many of the published documents clearly show South Staffs Water as the victim.

“Thames Water supplies much of critical water services to people and companies”, read a statement from Cl0p, written in broken English. “Companies like this have much responsibility and we contact them and tell them that they have very bad holes in their systems.”

“We spent months in the company system and saw first-hand evidence of very bad practice. This company is all for money and not deliver reliable service”, the ransomware group added. “It is better to save one pound so management can make bonuses and stock price do well. They lost way when only concentration on finance.”

The Robin Hoods of ransomware?

Cl0p also agreed to not encrypt any of the data belonging to the victim, because doing so would violate the group’s policy to not attack critical infrastructure or healthcare organizations, it said.

Its unorthodox approach to ransomware saw it allegedly exfiltrate data from the water supplier and request money for its return, rather than locking staff out of their environments.

According to Cl0p, the outside negotiators working on South Staffs Water’s behalf offered a low sum for the return of the data and for information on how the group had breached the supplier. Cl0p branded the amount a “joke”.