EPM BlackCat ransomware attack
The BlackCat/ALPHV ransomware gang crippled Colombia's largest public utility, Empresas Públicas de Medellín, forcing 4,000 staff to work offline and disrupting electricity, water, and gas billing across 123 municipalities.
Victim: Empresas Públicas de Medellín (EPM)
On 12 December 2022, Empresas Públicas de Medellín (EPM) — Colombia's largest publicly owned multi-utility — was struck by a ransomware attack widely attributed to the BlackCat (ALPHV) operation. The intrusion encrypted internal systems and forced one of the country's most important critical-infrastructure operators into days of manual, paper-based working.
What happened
EPM provides electricity, water, natural gas, and sanitation to roughly 123 municipalities and is one of the largest companies in Colombia, with revenues exceeding the equivalent of tens of billions of dollars. On the morning of 12 December 2022, the company detected that internal systems had been encrypted and that online customer services had gone dark.
The following day, EPM told approximately 4,000 employees to work from home and pulled large parts of its IT infrastructure offline to contain the spread. The company publicly characterised the event as a cyberattack while emphasising that the physical supply of utilities — generation, water treatment, and distribution — was never interrupted, because operational technology was isolated from the affected corporate network.
Attribution
EPM never officially named the perpetrator. However, the Chilean security researcher Germán Fernández discovered a fresh sample of ExMatter, the bespoke data-exfiltration tool used by the BlackCat/ALPHV ransomware-as-a-service operation, uploaded to a malware-analysis service from Colombia in the same window. The ExMatter sample pointed to a poorly secured remote server, and researchers concluded BlackCat was behind the EPM intrusion and had stolen corporate data, consistent with the gang's double-extortion model.
Impact
- Around 4,000 staff were sent home and reverted to manual processes for billing, procurement, and customer service.
- Customer-facing portals, payment channels, and internal email were disrupted for several days.
- Utility supply to 123 municipalities continued, but back-office recovery stretched over weeks.
- EPM did not publicly confirm any ransom payment, and the precise volume of exfiltrated data was never disclosed.
Why it matters
The EPM attack was one of the most consequential strikes against Latin American critical infrastructure in 2022. It demonstrated both a strength and a warning: the segmentation between IT and operational technology prevented a billing-system compromise from cascading into a loss of power or water — yet a single ransomware event still paralysed the corporate functions of a utility serving millions. For Colombia, it foreshadowed a wave of high-profile incidents — including the Keralty health-network breach days earlier and the 2023 IFX Networks supply-chain attack — that revealed how exposed the country's institutions remained to ransomware extortion.
Timeline
- EPM detects a ransomware attack that encrypts internal systems and disrupts online services.
- EPM activates business continuity plans and instructs roughly 4,000 employees to work from home as IT infrastructure is taken offline.
- EPM confirms publicly that it is the target of a cyberattack, while stressing that electricity, water, and gas supply continues uninterrupted.
- Chilean researcher Germán Fernández identifies a sample of BlackCat's 'ExMatter' data-theft tool uploaded from Colombia, linking the attack to ALPHV.
- EPM continues operating manual contingency processes for billing and customer services while restoring systems.
Sources
- bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/colombian-energy-supplier-epm-hit-by-blackcat-ransomware-attack/
- heimdalsecurity.com: https://heimdalsecurity.com/blog/blackcat-ransomware-targets-colombian-energy-supplier-epm/
- securitynewspaper.com: https://www.securitynewspaper.com/2022/12/16/biggest-electricity-water-and-gas-company-in-colombia-empresas-publicas-de-medellin-epm-suffers-ransomware-attack/
- financecolombia.com: https://www.financecolombia.com/epm-falls-victim-to-ransomware-attack/