On November 21, 2025, the Cl0p ransomware group listed NAMA.OM - the domain of NAMA Group, Oman's state-controlled electricity and water holding company - on its dark web leak site.
NAMA Group is the sole provider of electricity, water, and wastewater services across the Sultanate of Oman. The targeting occurred just 76 days before full enforcement of Oman's PDPL on February 5, 2026.
KEY FACTS
- What: Cl0p ransomware listed NAMA Group, Oman's sole electricity/water utility.
- Who: Potentially all 4.9M Oman residents served by NAMA Group.
- Data Exposed: Customer data, employee records, and operational infrastructure docs.
- Outcome: Faces PDPL enforcement; critical infrastructure implications.
WHAT HAPPENED
On November 21, 2025, the Cl0p ransomware group added NAMA.OM to its dark web leak site - a public listing that signals data exfiltration has already occurred and the victim has either refused to negotiate or failed to respond within the threat actor's deadline.
NAMA Group operates as Oman's sole holding company for electricity generation, transmission, distribution, water desalination, and wastewater treatment. Every resident and business in the Sultanate depends on NAMA's subsidiaries for essential utility services.
Cl0p does not encrypt systems.
The group's operational model since late 2023 has relied exclusively on zero-day exploitation of enterprise file transfer and collaboration software - MOVEit, GoAnywhere, Accellion FTA, and SysAid - to exfiltrate data at scale before the victim detects the intrusion.
This approach eliminates the operational noise of ransomware deployment and reduces dwell time requirements. Cl0p then leverages the stolen data for extortion, publishing batches on its leak site to pressure payment.
The specific enterprise software vulnerability exploited against NAMA Group has not been publicly disclosed.
The timing compounded the regulatory exposure. Oman's Personal Data Protection Law, enacted in 2022, entered full enforcement on February 5, 2026 - just 76 days after Cl0p's listing.
NAMA Group became one of the first critical infrastructure operators in the Sultanate to face a major data exposure incident under the new regulatory framework, with the National Cyber Safety Initiative watching closely.
WHAT WAS EXPOSED
Customer data from electricity, water, and wastewater services potentially covering Oman's entire 4.9M population. Employee records. Operational infrastructure documentation.
Cl0p's methodology involves zero-day exploitation of enterprise software for data exfiltration without encryption.
ZERO|TOLERANCE Advisory
Cl0p does not break down doors. It walks through the ones left open by enterprise file transfer software that was either unpatched or exposed directly to the internet.
The group's entire operational model since 2023 has depended on a single class of vulnerability - zero-day flaws in internet-facing managed file transfer and collaboration platforms - and a single outcome: mass data exfiltration before the victim knows an intrusion has occurred.
For a national utility serving every resident in the country, the failure to harden this exact attack surface is not a gap in defense. It is an invitation.
The first control that would have changed the outcome is aggressive patch management and vulnerability scanning for all internet-facing enterprise software, with a 24-to-48-hour remediation window for critical severity flaws.
Cl0p's playbook depends on the gap between zero-day disclosure and organizational patching. Organizations that compress that window to hours instead of weeks remove themselves from Cl0p's target pool entirely.
NAMA Group operated enterprise software with externally reachable interfaces - the same category of software that Cl0p has exploited in every major campaign since MOVEit.
Continuous external attack surface monitoring using tools like Censys, Shodan, or commercial ASM platforms would have identified exposed services before the threat actor did.
The second control is network segmentation that isolates operational technology from enterprise IT and restricts lateral movement between business units.
NAMA Group's subsidiaries span electricity generation, water desalination, and wastewater treatment - each representing distinct operational environments that should never share flat network access with corporate file servers or collaboration platforms.
If Cl0p's initial access was confined to a single business application, segmentation would have prevented the threat actor from reaching customer databases, employee records, and infrastructure documentation in the same operation.
The third control is data loss prevention configured to detect and block bulk data transfers from internal systems to external destinations. Cl0p's exfiltration model moves terabytes of data out of victim environments, typically to attacker-controlled cloud infrastructure.
DLP policies monitoring for anomalous outbound transfer volumes - particularly from file servers and database systems - would have triggered alerts during the exfiltration phase, even if initial access went undetected.
The window between data staging and complete exfiltration is where detection has the highest return.
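The outbound-volume check described above can be sketched as follows. This is an added example, not code from the original advisory or from any named DLP product: it baselines each file server's and database's hourly bytes sent to external addresses and flags hours that exceed both a robust threshold (median plus k times the median absolute deviation) and an absolute floor. The flow tuple layout, host names, role labels, thresholds, and documentation-range IP addresses are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from statistics import median

INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WATCHED_ROLES = {"file-server", "database"}  # assumption: roles come from an asset inventory
MIB = 2**20

def hourly_external_bytes(flows):
    """Sum bytes sent to non-internal destinations per (host, hour) for watched roles."""
    totals = defaultdict(int)
    for host, role, hour, dst, nbytes in flows:
        external = not any(ipaddress.ip_address(dst) in net for net in INTERNAL)
        if role in WATCHED_ROLES and external:
            totals[(host, hour)] += nbytes
    return totals

def detect_bulk_egress(baseline, current, k=6.0, floor=500 * MIB):
    """Return (host, hour, bytes) where egress exceeds max(floor, median + k*MAD) of the host's baseline."""
    history = defaultdict(list)
    for (host, _hour), total in hourly_external_bytes(baseline).items():
        history[host].append(total)
    alerts = []
    for (host, hour), total in sorted(hourly_external_bytes(current).items()):
        past = history[host]  # empty for hosts with no baseline, so only the floor applies
        med = median(past) if past else 0
        mad = median(abs(v - med) for v in past) if past else 0
        if total > max(floor, med + k * mad):
            alerts.append((host, hour, total))
    return alerts

# Constructed sample flows: (host, role, hour, destination IP, bytes sent).
BASELINE = [("fs01", "file-server", h, "203.0.113.10", (20 + h % 5) * MIB) for h in range(48)]
BASELINE += [("db01", "database", h, "203.0.113.20", 5 * MIB) for h in range(48)]
CURRENT = [
    ("fs01", "file-server", 48, "203.0.113.10", 22 * MIB),   # normal traffic
    ("fs01", "file-server", 49, "10.0.5.20", 4096 * MIB),    # internal backup, not egress
    ("db01", "database", 49, "203.0.113.20", 6 * MIB),       # slightly above baseline, under floor
    ("wk17", "workstation", 49, "198.51.100.7", 900 * MIB),  # role not watched in this sketch
] + [("fs01", "file-server", 50, "198.51.100.7", 256 * MIB) for _ in range(12)]  # 3 GiB in chunks

if __name__ == "__main__":
    for host, hour, total in detect_bulk_egress(BASELINE, CURRENT):
        print(f"ALERT {host} hour={hour} external_bytes={total / MIB:.0f} MiB")
```

Summing per host and hour before comparing is what catches a transfer split into many moderate-sized flows; the absolute floor keeps hosts with a very quiet baseline from alerting on trivial increases.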
The fourth control is an incident response plan that accounts for Oman's PDPL notification requirements.
With full PDPL enforcement arriving on February 5, 2026, any organization processing personal data of Oman residents needed a tested breach notification workflow capable of meeting regulatory timelines.
NAMA Group's silence after the Cl0p listing suggests either no such plan existed or the plan was not activated. Under the PDPL, the cost of delayed or absent notification compounds the cost of the breach itself.
SOURCES
Cl0p Dark Web Leak Site, Oman PDPL, NCSI Advisories