🇴🇲 Oman PDPL | April - August 2024 | 10 min read
# Special Oilfield Services: Double-Hit by LockBit 3.0 & Meow Ransomware
Special Oilfield Services Company LLC (SOS), an Oman-based oilfield services provider,
suffered the rare and damaging distinction of being targeted by two separate ransomware
groups within the same year. LockBit 3.0 listed SOS on its leak site on April 10, 2024,
with a two-day deadline for ransom negotiations. Approximately four and a half months
later, on August 31, 2024, the Meow ransomware group listed SOS on its own leak site,
advertising an 800-megabyte data pack for sale - representing a shift from
traditional ransom demands to a data-brokering model where stolen data is sold to the
highest bidder rather than held for ransom.
The Meow listing specifically described the stolen data as containing employee dates of
birth, passport scans, client information, payment documents, contracts, and
professional certifications. The LockBit 3.0 attack preceded Operation Cronos, the
international law enforcement operation that disrupted LockBit's infrastructure
in February 2024, suggesting the SOS compromise may have been one of the group's
final operations before disruption. Meow ransomware uses a Conti-based variant,
representing an independent malware lineage from LockBit, confirming that SOS was
compromised by two genuinely separate threat actors rather than a single group
operating under different names.
## Key Facts
- **What:** SOS hit by LockBit 3.0 and Meow ransomware within five months.
- **Who:** SOS employees, clients, and oilfield contractors in Oman.
- **Data Exposed:** Passport scans, client contracts, payment documents, and certifications.
- **Outcome:** Dual PDPL notification obligations; 800MB data pack sold by Meow.
## What Was Exposed
- Employee dates of birth combined with other PII, providing the foundational elements
for identity fraud and social engineering campaigns targeting SOS personnel
- Passport scans for employees - complete identity document images that enable
document forgery, identity theft, and fraudulent border crossings, with particular
risk for expatriate workers whose immigration status depends on valid documentation
- Client information revealing SOS's commercial relationships with oil and gas
operators in Oman, including contact details, project associations, and contractual
arrangements that could be exploited for targeted spear-phishing or competitive
intelligence
- Payment documents including invoices, purchase orders, and payment confirmations
that expose the company's financial flows, pricing structures, and banking
relationships
- Contracts and commercial agreements detailing the terms, conditions, and financial
arrangements between SOS and its clients, potentially including confidentiality
clauses whose violation by the breach itself creates additional legal exposure
- Professional certifications for employees, including safety qualifications, equipment
operation licenses, and industry-specific credentials that are required for oilfield
operations and whose compromise could enable unqualified individuals to falsely claim
certified status
The double-hit scenario facing SOS is instructive for the entire cybersecurity community
because it demolishes several common assumptions about ransomware attacks. The first
assumption is that a ransomware attack is a singular event - that an organization
gets attacked, responds, recovers, and moves on. The SOS case demonstrates that the
same organization can be targeted by multiple groups, potentially exploiting the same
or related vulnerabilities, within a timeframe that does not allow for complete
remediation between incidents. The second assumption is that data is stolen once; SOS's
data may have been exfiltrated on two separate occasions by two separate groups, each
with its own distribution channels and monetization strategies.
The chronology raises critical questions about whether the LockBit and Meow compromises
were truly independent or whether the second attack exploited a vulnerability that was
insufficiently remediated after the first. There are several plausible scenarios. First,
LockBit may have gained access through one vulnerability (e.g., a compromised VPN
credential) and Meow through a different one (e.g., a separate unpatched system),
representing genuinely independent attacks. Second, LockBit may have sold or shared
its access with Meow through initial access broker (IAB) marketplaces, meaning the
same foothold was monetized by two different groups. Third, and perhaps most
concerning, SOS may have failed to fully remediate the initial compromise, allowing
Meow to exploit the same vulnerability or persistent backdoor that LockBit had used.
The LockBit 3.0 attack occurred in the turbulent period surrounding Operation Cronos.
LockBit had been the most prolific ransomware operation globally, responsible for
approximately 1,700 attacks since 2020. The February 2024 law enforcement operation
seized LockBit's infrastructure, arrested associates, and obtained decryption
keys. However, LockBit's leader (“LockBitSupp”) re-established
operations within days, and the group continued claiming victims through the spring
of 2024. The SOS listing on April 10 - approximately two months after Operation
Cronos - may represent either a pre-disruption attack that was only publicly
listed afterwards, or a post-disruption attack demonstrating the group's
resilience. Either way, the two-day negotiation deadline imposed on SOS was aggressively
short, consistent with LockBit's high-pressure tactics.
The Meow ransomware group's approach represents a distinct evolution in
ransomware economics. Rather than demanding a ransom from the victim with the threat
of publishing the data, Meow listed the 800MB data pack for sale to any buyer willing
to pay. This data-brokering model acknowledges a practical reality: many victims never
pay ransoms, and the threat of publication may not generate sufficient leverage if the
victim has already experienced a public breach (as SOS had through the LockBit listing
four months earlier). By selling the data directly, Meow monetizes the stolen
information regardless of the victim's response, and the data ends up with
buyers who may have specific uses for employee passport scans, client information,
and financial documents - including nation-state intelligence services, competing
businesses, or organized crime groups.
The oilfield services sector in Oman is a critical component of the national economy,
and the data held by companies like SOS has strategic significance beyond its commercial
value. Client information reveals which oil and gas operators are active in specific
concession areas, what services they require, and what they pay for them. Contract
details expose the commercial terms that govern Oman's energy production
relationships. Payment documents map the financial flows within the sector. For a
foreign intelligence service or competing national oil company, this information
provides granular insight into Oman's energy production capabilities and
commercial structures.
## Regulatory Analysis
The double attack on SOS creates an unprecedented regulatory scenario under Oman's
PDPL. Both incidents occurred during the PDPL transition period (the law entered into
force in February 2023, with full enforcement scheduled for February 5, 2026), but the
regulatory implications of being attacked twice by different groups raise questions
that the law's drafters may not have explicitly anticipated.
Under Article 19, each breach triggers an independent notification obligation. The
LockBit attack in April 2024 would have required notification to MTCIT within 72
hours, and the Meow attack in August 2024 would have triggered a second, separate
notification. The fact that the same organization experienced two breaches within five
months would likely elevate MTCIT's scrutiny of the organization's security
posture, as the second breach could be interpreted as evidence that the remediation
following the first breach was inadequate. This pattern of recurrent breach is precisely
the scenario that data protection regulators globally treat with the least tolerance.
The Meow group's data-brokering model introduces a novel regulatory complication.
When stolen data is offered for sale to any buyer rather than held for ransom, the
potential harm to data subjects is amplified because the data may be acquired by
multiple buyers with different malicious objectives. The PDPL's breach
notification requirements mandate disclosure of the “likely consequences”
of the breach, and when the data is being sold on the open market, those consequences
become more severe and less predictable than in a traditional ransom scenario. SOS
would need to advise affected individuals that their passport scans, dates of birth,
and employment records are available for purchase by unknown parties, a notification
that is substantially more alarming than reporting a contained breach.
The exposure of passport scans deserves particular regulatory attention. Passport
data falls within the most sensitive categories of personal data under any data
protection framework, and its compromise creates risks that persist for the validity
period of the document (typically 10 years). Under the PDPL, the processing of
sensitive personal data requires enhanced safeguards, and unauthorized access to
passport scans would attract penalties in the OMR 20,000 to OMR 100,000 range for
unlawful sensitive data processing. The fact that these scans are now available for
sale on the dark web means that the harm is ongoing and will persist until every
affected employee has obtained a replacement passport - a process that involves
cost, time, and practical difficulty, particularly for expatriate workers.
The cumulative penalty exposure for two breaches within five months is significant.
Each breach independently triggers potential penalties: OMR 15,000 to OMR 20,000 for
each failure to notify (if notifications were not made), OMR 20,000 to OMR 100,000
for each instance of compromised sensitive personal data, and potentially OMR 100,000
to OMR 500,000 if cross-border transfer violations are identified. The PDPL does not
explicitly address aggravating factors for repeat breaches, but regulatory precedent
from other jurisdictions consistently treats recurrent security failures as evidence
of systemic inadequacy, justifying penalties at the upper end of the available range.
The regulatory analysis must also consider the oilfield services sector's
relationship with the Ministry of Energy and Minerals and the broader national
cybersecurity framework. Companies operating in Oman's energy sector are
subject to operational regulations that may include cybersecurity requirements beyond
the PDPL's general framework. The double-hit on SOS should prompt sector-specific
regulatory intervention to ensure that all oilfield services providers meet minimum
cybersecurity standards commensurate with the sensitivity of their operations and
the data they process.
## What Should Have Been Done
The double ransomware attack on SOS presents a case study in what happens when an
organization fails to achieve comprehensive remediation after an initial breach. The
following recommendations address both the prevention of the initial compromise and,
critically, the post-incident remediation that should have prevented the second attack.
First, after the LockBit attack in April 2024, SOS should have engaged in a
comprehensive post-incident review that included full forensic analysis, complete
credential rotation, vulnerability remediation across all systems, and an independent
security assessment to validate remediation effectiveness. The fact that Meow was able
to compromise the organization four and a half months later strongly suggests that the
post-LockBit remediation was either incomplete, insufficiently thorough, or addressed
symptoms rather than root causes. Post-breach remediation must include: identification
and closure of all attacker access paths (including secondary backdoors), rotation of
every credential in the environment (not just those known to be compromised), patching
of all known vulnerabilities, and validation through independent penetration testing.
Second, the organization should have implemented robust data loss prevention (DLP)
and network monitoring specifically calibrated to detect data exfiltration patterns.
Both the LockBit and Meow attacks involved data exfiltration - the LockBit
double-extortion model requires pre-encryption data theft, and Meow's entire
business model is based on selling stolen data. DLP solutions configured to detect
outbound transfers of sensitive data patterns (passport numbers, dates of birth,
financial document formats) would have created a detection opportunity at the
exfiltration stage, even if the initial access and lateral movement went undetected.
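The detection opportunity described above, as an added example that is not code from the original article or from SOS: a minimal DLP-style scan over outbound transfer records. It flags transfers to external destinations whose sampled content matches sensitive-data patterns (passport-style identifiers, labelled dates of birth, invoice and purchase-order references) and external destinations that receive an anomalous aggregate volume. Every record, hostname, address, regular expression and threshold is a constructed assumption; the passport-identifier pattern in particular is a generic placeholder, not any country's real format.

```python
"""Added example, not code from the original article or from SOS: a minimal
DLP-style scan over outbound transfer records. It flags transfers to external
destinations whose sampled content matches sensitive-data patterns (passport-style
identifiers, dates of birth, payment references) and destinations that receive an
anomalous aggregate volume. Every record, host, address, regex and threshold here
is a constructed assumption."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Assumed detection patterns; a real deployment tunes these to its own document formats.
PATTERNS = {
    # Assumed passport-style identifier: one or two letters followed by 6-8 digits.
    "passport_id": re.compile(r"\b[A-Z]{1,2}\d{6,8}\b"),
    # A labelled date of birth in ISO (yyyy-mm-dd) or dd/mm/yyyy form.
    "date_of_birth": re.compile(
        r"\b(?:DOB|Date of Birth)\s*[:=]?\s*(\d{4}-\d{2}-\d{2}|\d{2}/\d{2}/\d{4})", re.I),
    # Invoice / purchase-order references typical of payment documents.
    "payment_ref": re.compile(r"\b(?:INV|PO)-\d{4,}\b", re.I),
}
VOLUME_THRESHOLD = 500 * 1024 * 1024  # assumed: >500 MiB to one external host is anomalous


@dataclass
class Transfer:
    ts: str
    src_host: str
    dst_ip: str
    bytes_out: int
    content_sample: str  # leading bytes of the payload as captured by the sensor


@dataclass
class Finding:
    ts: str
    src_host: str
    dst_ip: str
    reasons: list[str] = field(default_factory=list)


def is_external(ip: str) -> bool:
    """Assumed corporate range is 10.0.0.0/8; anything else is treated as external."""
    return not ip.startswith("10.")


def content_hits(sample: str) -> dict[str, int]:
    """Count matches per sensitive-data pattern in a content sample."""
    hits = {}
    for name, rx in PATTERNS.items():
        n = len(rx.findall(sample))
        if n:
            hits[name] = n
    return hits


def scan(transfers: list[Transfer]) -> list[Finding]:
    """Return one Finding per external transfer that trips the content rule, the volume rule, or both."""
    per_dst: dict[str, int] = {}
    for t in transfers:
        if is_external(t.dst_ip):
            per_dst[t.dst_ip] = per_dst.get(t.dst_ip, 0) + t.bytes_out
    findings = []
    for t in transfers:
        if not is_external(t.dst_ip):
            continue  # internal-to-internal movement is out of scope for this rule set
        reasons = []
        hits = content_hits(t.content_sample)
        if hits:
            reasons.append("sensitive content to external host: "
                           + ", ".join(f"{k} x{v}" for k, v in sorted(hits.items())))
        if per_dst[t.dst_ip] > VOLUME_THRESHOLD:
            reasons.append(f"aggregate {per_dst[t.dst_ip] // (1024 * 1024)} MiB to "
                           f"{t.dst_ip} exceeds {VOLUME_THRESHOLD // (1024 * 1024)} MiB")
        if reasons:
            findings.append(Finding(t.ts, t.src_host, t.dst_ip, reasons))
    return findings


# Constructed transfer records (not real SOS telemetry).
SAMPLE_TRANSFERS = [
    Transfer("2024-08-28T02:14:07Z", "hr-fileserver-01", "203.0.113.45", 420 * 1024 * 1024,
             "Employee: A. Example  DOB: 1985-03-12  Passport: P1234567  Cert: H2S Awareness"),
    Transfer("2024-08-28T02:31:52Z", "finance-share-02", "203.0.113.45", 390 * 1024 * 1024,
             "INV-2024011 Purchase order PO-55821 Client: Example Operator Amount: OMR 48300"),
    Transfer("2024-08-28T09:05:00Z", "ws-eng-17", "10.20.4.8", 12 * 1024 * 1024,
             "DOB: 1990-07-01 Passport: K9876543"),  # internal HR sync: not flagged
    Transfer("2024-08-28T11:47:13Z", "ws-eng-22", "198.51.100.7", 2 * 1024 * 1024,
             "Weekly drilling report, no personal data"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_TRANSFERS):
        print(f"{f.ts} {f.src_host} -> {f.dst_ip}")
        for r in f.reasons:
            print("   ", r)
```

The two rules are deliberately independent: the content rule catches small, targeted copies of identity documents that never approach a volume threshold, while the volume rule catches bulk archive uploads whose sampled bytes may be compressed or encrypted and match nothing. Internal transfers are skipped here only to keep the rule set small; in practice the same content rule applied to movement into staging hosts gives an earlier signal.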
Third, privileged access management (PAM) should have been implemented to control
access to the sensitive data categories that were ultimately exfiltrated. Passport
scans, employee personal records, client contracts, and financial documents should
not be accessible from general-purpose user accounts. PAM solutions enforce
just-in-time access provisioning, require multi-factor authentication for privileged
operations, and create audit trails that enable rapid detection of anomalous access
patterns. The breadth of data categories exfiltrated by Meow indicates that the
attacker was able to access multiple sensitive repositories, suggesting either
overly permissive access controls or a compromised privileged account without
adequate monitoring.
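The audit-trail check implied by the paragraph above, as an added example that is not code from the original article or from SOS: a file-access audit log is evaluated against just-in-time (JIT) grants, flagging accesses to a sensitive repository with no active grant and any account that touches several distinct sensitive repositories within a short window (the breadth-of-access pattern the paragraph describes). Account names, repository names, grants, events, the one-hour window and the three-repository limit are all constructed assumptions.

```python
"""Added example, not code from the original article or from SOS: evaluating a
file-access audit trail against just-in-time (JIT) access grants. It flags
accesses to a sensitive repository with no active grant, and any account that
touches several distinct sensitive repositories inside a short window. Accounts,
repositories, grants, events and thresholds are all constructed assumptions."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed repository names holding the data categories discussed in the article.
SENSITIVE_REPOS = {"hr-passports", "hr-personnel", "legal-contracts", "finance-payments"}
BREADTH_WINDOW = timedelta(hours=1)
BREADTH_LIMIT = 3  # assumed: no single role legitimately needs 3+ sensitive repos in an hour


@dataclass
class Grant:
    account: str
    repo: str
    start: datetime
    end: datetime


@dataclass
class Access:
    ts: datetime
    account: str
    repo: str
    action: str


def ts(s: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed log."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def has_active_grant(a: Access, grants: list[Grant]) -> bool:
    """True if a JIT grant for this account and repository covers the access time."""
    return any(g.account == a.account and g.repo == a.repo and g.start <= a.ts <= g.end
               for g in grants)


def ungranted_accesses(accesses: list[Access], grants: list[Grant]) -> list[Access]:
    """Accesses to sensitive repositories that no active grant authorises."""
    return [a for a in accesses if a.repo in SENSITIVE_REPOS and not has_active_grant(a, grants)]


def breadth_alerts(accesses: list[Access]) -> dict[str, list[str]]:
    """Accounts that touched BREADTH_LIMIT or more distinct sensitive repos within BREADTH_WINDOW."""
    by_account: dict[str, list[Access]] = defaultdict(list)
    for a in sorted(accesses, key=lambda e: e.ts):
        if a.repo in SENSITIVE_REPOS:
            by_account[a.account].append(a)
    alerts = {}
    for account, events in by_account.items():
        for i, first in enumerate(events):
            # Distinct sensitive repos touched in the window starting at this event.
            repos = {e.repo for e in events[i:] if e.ts - first.ts <= BREADTH_WINDOW}
            if len(repos) >= BREADTH_LIMIT:
                alerts[account] = sorted(repos)
                break
    return alerts


# Constructed grants and audit events (not real SOS data).
SAMPLE_GRANTS = [
    Grant("hr.analyst", "hr-personnel", ts("2024-08-29T08:00:00Z"), ts("2024-08-29T10:00:00Z")),
]
SAMPLE_ACCESSES = [
    Access(ts("2024-08-29T08:15:00Z"), "hr.analyst", "hr-personnel", "read"),    # covered by grant
    Access(ts("2024-08-29T08:20:00Z"), "hr.analyst", "hr-passports", "read"),    # no grant
    Access(ts("2024-08-29T02:10:00Z"), "svc-backup", "hr-passports", "read"),
    Access(ts("2024-08-29T02:12:00Z"), "svc-backup", "legal-contracts", "read"),
    Access(ts("2024-08-29T02:18:00Z"), "svc-backup", "finance-payments", "read"),
    Access(ts("2024-08-29T02:30:00Z"), "svc-backup", "hr-personnel", "read"),
    Access(ts("2024-08-29T09:00:00Z"), "eng.user", "eng-drawings", "read"),      # not sensitive
]

if __name__ == "__main__":
    for a in ungranted_accesses(SAMPLE_ACCESSES, SAMPLE_GRANTS):
        print(f"UNGRANTED {a.ts:%H:%M} {a.account} {a.action} {a.repo}")
    for account, repos in breadth_alerts(SAMPLE_ACCESSES).items():
        print(f"BREADTH   {account} touched {len(repos)} sensitive repos: {', '.join(repos)}")
```

The grant check is the control (access outside a time-boxed grant should not succeed at all, so a hit here means the PAM enforcement point was bypassed), while the breadth check is the detection that catches a legitimately privileged but compromised account, such as the backup service account in the constructed log, sweeping every sensitive repository in one pass.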
Fourth, SOS should have implemented network segmentation that isolated sensitive data
repositories from general-purpose IT infrastructure and internet-facing systems. The
passport scans, client contracts, and financial documents should have been stored in
hardened, segmented network zones with strict access controls, enhanced monitoring,
and limited connectivity to the broader network. Even if an attacker gains initial
access through a compromised endpoint or VPN, network segmentation creates barriers
that increase the attacker's dwell time, generate detectable lateral movement
patterns, and limit the volume and categories of data accessible from any single
point of compromise.
Fifth, the organization should have engaged in threat intelligence-driven defense
that specifically monitored for indicators of compromise associated with LockBit,
Meow, and other ransomware groups targeting the energy sector. After the LockBit
attack, SOS should have been monitoring dark web forums and initial access broker
marketplaces for any sale of access to its infrastructure. It is common for
ransomware groups to sell residual access after their primary operation, and an
organization that has been compromised once should assume that access to its
infrastructure may be available for purchase by other threat actors.
Sixth, the organization should have implemented endpoint detection and response (EDR)
with automated containment capabilities across all endpoints and servers. Both LockBit
3.0 and the Conti-based Meow variant exhibit well-documented behavioral patterns that
EDR solutions are designed to detect and contain. The deployment of EDR should have
been a priority remediation step after the LockBit attack, providing automated defense
against the Meow attack that followed. EDR solutions that integrate with SIEM
platforms and SOAR playbooks can automate the response to ransomware indicators,
isolating affected endpoints and blocking lateral movement within seconds of detection.
Finally, the fundamental lesson of the SOS double-hit is that incident response does
not end with recovery from the immediate attack. The period following a ransomware
compromise is the organization's most vulnerable window, because the attacker
may have established persistence mechanisms that survive initial remediation, the
organization's infrastructure may have been weakened by the attack and the
recovery process, and the public listing on a ransomware leak site signals to other
threat actors that the organization is a viable target. Post-incident security must
be treated as an elevated defense posture, with enhanced monitoring, accelerated
remediation timelines, and continuous threat hunting for a period of at least six
to twelve months following the initial attack.
The double ransomware attack on Special Oilfield Services - first by LockBit
3.0 and then by Meow within five months - represents one of the most damaging
breach patterns an organization can experience. It signals to the market, to
regulators, and to future attackers that the organization's security posture
is fundamentally inadequate. Under Oman's PDPL, each breach triggers
independent notification and penalty obligations, and the recurrence of the breach
amplifies regulatory scrutiny. For oilfield services companies handling passport
scans, client data, and financial records, the expectation of “appropriate
technical and organizational measures” must include the capability to prevent
not just the first attack, but the second.