K-Electric NetWalker ransomware attack
NetWalker ransomware crippled the billing and online systems of Karachi's sole electricity supplier and demanded a $3.85 million ransom that would double to $7.7 million; when K-Electric refused, the gang dumped an 8.5 GB archive of stolen data online.
- Victim: K-Electric
- Users: 2.5M
On 7 September 2020, K-Electric — the sole electricity provider for Karachi, Pakistan's largest city of more than 20 million people — was struck by the NetWalker ransomware. The attack encrypted internal systems and knocked out the utility's online billing and customer-service portals, while the operators demanded one of the largest publicly reported ransoms ever levied against a Pakistani organisation.
What happened
NetWalker (also tracked as Circus Spider) was a ransomware-as-a-service operation that ran a classic double-extortion scheme: encrypting victims' files while also exfiltrating data to coerce payment. After breaching K-Electric, the gang locked systems serving roughly 2.5 million customer accounts and disrupted the company's ability to issue and accept online bill payments.
Critically, electricity supply itself was not interrupted — operational technology controlling power generation and distribution remained separate from the affected IT systems. The damage was concentrated in customer-facing and back-office functions.
The ransom
NetWalker's dark-web leak site posted a countdown demanding $3.85 million in bitcoin within seven days, warning that the figure would double to $7.7 million if the deadline passed. The note threatened to publish stolen data and permanently destroy the decryption keys.
K-Electric initially downplayed the incident, stating that customer data "remained intact and secure" following its forensic review. The company did not pay.
The data leak
On 5 October 2020, having received no payment, NetWalker followed through and published an 8.5 GB archive of files stolen from K-Electric. Pakistani security firm Rewterz, which examined the dump, reported it contained financial data, customer information, engineering reports, maintenance logs, unaudited financial statements, turbine diagrams, and customer billing statements — contradicting the utility's earlier assurances that no data had been compromised.
Why it matters
The K-Electric attack was a wake-up call for critical-infrastructure cybersecurity in Pakistan. It showed that a financially motivated ransomware crew could paralyse the administrative backbone of a major national utility serving a megacity, and that refusing to pay carries the real cost of mass data exposure. NetWalker itself was dismantled in January 2021 when international law enforcement seized its infrastructure and charged an affiliate, but the K-Electric breach remained a defining example of ransomware reaching into emerging-market essential services.
Timeline
- NetWalker ransomware encrypts K-Electric systems, disrupting online billing and customer-facing services across Karachi.
- Customers report the inability to view or pay bills online; K-Electric says power supply itself is unaffected.
- NetWalker's leak site demands $3.85 million in bitcoin within seven days, threatening to double it to $7.7 million.
- Researchers confirm the NetWalker strain and the double-extortion threat to publish stolen data.
- After K-Electric refuses to pay, NetWalker publishes an 8.5 GB archive of stolen files online.
Sources
- bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/netwalker-ransomware-hits-pakistans-largest-private-power-utility/
- bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/hackers-leak-files-stolen-in-pakistans-k-electric-ransomware-attack/
- dawn.com: https://www.dawn.com/news/1578882
- securityaffairs.com: https://securityaffairs.com/108075/malware/k-electric-netwalker-ransomware-attack.html