2 June 2020

REvil operators leak data stolen from UK electrical middleman Elexon


Cybercriminals behind the REvil/Sodinokibi ransomware have published online the information stolen from Elexon, the organization that balances and settles the UK's electricity market.

In mid-May, Elexon revealed that it had suffered a cyber attack that affected its internal networks and forced the company to take its email server offline. According to Elexon, the systems used to run the UK's electricity market were not impacted. At the time, the company did not disclose the nature of the attack or what malware was involved.

However, security researchers from Bad Packets reported that Elexon had been running an outdated version of Pulse Secure VPN server with publicly known, unpatched vulnerabilities, and that attackers could have exploited them to gain access to the company's internal systems. Whether the VPN server was the actual point of entry has not been confirmed.

It now appears that Elexon was a victim of the REvil/Sodinokibi ransomware, whose operators stole internal data during the May 14 attack. The operators have published 1,280 files allegedly stolen from Elexon on their leak site.

According to the cybersecurity firm Cyble, the exposed data includes highly sensitive and confidential files, including scans of individuals' passports, business renewal application forms, business analysis data, and more.

Because Elexon did not pay the ransom and instead restored its operations from backups, the REvil/Sodinokibi operators decided to leak the stolen files.

REvil/Sodinokibi is a ransomware that encrypts files on the victim's computers and demands a ransom for the decryption key. Before encrypting, the operators also exfiltrate data from the victim's network and then threaten to make the stolen data public if the victim refuses to pay the demanded ransom, so restoring from backups alone does not remove the pressure to pay.
