Special Oilfield Services Company LLC (SOS), an Oman-based oilfield services provider, suffered the rare and damaging distinction of being targeted by two separate ransomware groups within the same year. LockBit 3.0 listed SOS on its leak site on April 10, 2024, with a two-day deadline for ransom negotiations.
Key Facts
- What: SOS hit by LockBit 3.0 and Meow ransomware within five months.
- Who: SOS employees, clients, and oilfield contractors in Oman.
- Data Exposed: Passport scans, client contracts, payment documents, and certifications.
- Outcome: Dual PDPL notification obligations; 800MB data pack sold by Meow.
What Was Exposed
- Employee dates of birth combined with other PII, providing the foundational elements for identity fraud and social engineering campaigns targeting SOS personnel
- Passport scans for employees - complete identity document images that enable document forgery, identity theft, and fraudulent border crossings, with particular risk for expatriate workers whose immigration status depends on valid documentation
- Client information revealing SOS's commercial relationships with oil and gas operators in Oman, including contact details, project associations, and contractual arrangements that could be exploited for targeted spear-phishing or competitive intelligence
- Payment documents including invoices, purchase orders, and payment confirmations that expose the company's financial flows, pricing structures, and banking relationships
- Contracts and commercial agreements detailing the terms, conditions, and financial arrangements between SOS and its clients, potentially including confidentiality clauses whose violation by the breach itself creates additional legal exposure
- Professional certifications for employees, including safety qualifications, equipment operation licenses, and industry-specific credentials that are required for oilfield operations and whose compromise could enable unqualified individuals to falsely claim certified status
The double-hit scenario facing SOS is instructive for the entire cybersecurity community because it demolishes several common assumptions about ransomware attacks. The first assumption is that a ransomware attack is a singular event - that an organization gets attacked, responds, recovers, and moves on. The SOS case demonstrates that the same organization can be targeted by multiple groups, potentially exploiting the same or related vulnerabilities, within a timeframe that does not allow for complete remediation between incidents.
The second assumption is that data is stolen once; SOS's data may have been exfiltrated on two separate occasions by two separate groups, each with its own distribution channels and monetization strategies.
The chronology raises critical questions about whether the LockBit and Meow compromises were truly independent or whether the second attack exploited a vulnerability that was insufficiently remediated after the first. There are several plausible scenarios. First, LockBit may have gained access through one vulnerability (e.g., a compromised VPN credential) and Meow through a different one (e.g., a separate unpatched system), representing genuinely independent attacks.
Second, LockBit may have sold or shared its access with Meow through initial access broker (IAB) marketplaces, meaning the same foothold was monetized by two different groups. Third, and perhaps most concerning, SOS may have failed to fully remediate the initial compromise, allowing Meow to exploit the same vulnerability or persistent backdoor that LockBit had used.
The LockBit 3.0 attack occurred in the turbulent period surrounding Operation Cronos.
LockBit had been the most prolific ransomware operation globally; U.S. government advisories attribute roughly 1,700 attacks in the United States alone to LockBit affiliates since 2020. The February 2024 law enforcement operation seized LockBit's infrastructure, arrested associates, and obtained decryption keys.
However, LockBit's leader (“LockBitSupp”) re-established operations within days, and the group continued claiming victims through the spring of 2024. The SOS listing on April 10 - approximately two months after Operation Cronos - may represent either a pre-disruption attack that was only publicly listed afterwards, or a post-disruption attack demonstrating the group's resilience. Either way, the two-day negotiation deadline imposed on SOS was aggressively short, consistent with LockBit's high-pressure tactics.
The Meow ransomware group's approach represents a distinct evolution in ransomware economics. Rather than demanding a ransom from the victim under threat of publishing the data, Meow listed the 800MB data pack for sale to any buyer willing to pay. This data-brokering model acknowledges a practical reality: many victims never pay ransoms, and the threat of publication may not generate sufficient leverage if the victim has already experienced a public breach (as SOS had through the LockBit listing roughly four months earlier).
By selling the data directly, Meow monetizes the stolen information regardless of the victim's response, and the data ends up with buyers who may have specific uses for employee passport scans, client information, and financial documents - including nation-state intelligence services, competing businesses, or organized crime groups.
The oilfield services sector in Oman is a critical component of the national economy, and the data held by companies like SOS has strategic significance beyond its commercial value. Client information reveals which oil and gas operators are active in specific concession areas, what services they require, and what they pay for them. Contract details expose the commercial terms that govern Oman's energy production relationships. Payment documents map the financial flows within the sector.
For a foreign intelligence service or competing national oil company, this information provides granular insight into Oman's energy production capabilities and commercial structures.
Regulatory Analysis
The double attack on SOS creates an unprecedented regulatory scenario under Oman's PDPL. Both incidents occurred during the PDPL transition period (the law entered force February 2023, with full enforcement scheduled for February 5, 2026), but the regulatory implications of being attacked twice by different groups raise questions that the law's drafters may not have explicitly anticipated.
Under Article 19, each breach triggers an independent notification obligation. The LockBit attack in April 2024 would have required notification to MTCIT within 72 hours, and the Meow attack in August 2024 would have triggered a second, separate notification. The fact that the same organization experienced two breaches within five months would likely elevate MTCIT's scrutiny of the organization's security posture, as the second breach could be interpreted as evidence that the remediation following the first breach was inadequate.
This pattern of recurrent breach is precisely the scenario that data protection regulators globally treat with the least tolerance.
The Meow group's data-brokering model introduces a novel regulatory complication.
When stolen data is offered for sale to any buyer rather than held for ransom, the potential harm to data subjects is amplified because the data may be acquired by multiple buyers with different malicious objectives. The PDPL's breach notification requirements mandate disclosure of the “likely consequences”
of the breach, and when the data is being sold on the open market, those consequences become more severe and less predictable than in a traditional ransom scenario. SOS would need to advise affected individuals that their passport scans, dates of birth, and employment records are available for purchase by unknown parties, a notification that is substantially more alarming than reporting a contained breach.
The exposure of passport scans deserves particular regulatory attention. Passport data falls within the most sensitive categories of personal data under any data protection framework, and its compromise creates risks that persist for the validity period of the document (typically 10 years). Under the PDPL, the processing of sensitive personal data requires enhanced safeguards, and unauthorized access to passport scans would attract penalties in the OMR 20,000 to OMR 100,000 range for unlawful sensitive data processing.
The fact that these scans are now available for sale on the dark web means that the harm is ongoing and will persist until every affected employee has obtained a replacement passport - a process that involves cost, time, and practical difficulty, particularly for expatriate workers.
The cumulative penalty exposure for two breaches within five months is significant.
Each breach independently triggers potential penalties: OMR 15,000 to OMR 20,000 for each failure to notify (if notifications were not made), OMR 20,000 to OMR 100,000 for each instance of compromised sensitive personal data, and potentially OMR 100,000 to OMR 500,000 if cross-border transfer violations are identified. The PDPL does not explicitly address aggravating factors for repeat breaches, but regulatory precedent from other jurisdictions consistently treats recurrent security failures as evidence of systemic inadequacy, justifying penalties at the upper end of the available range.
The regulatory analysis must also consider the oilfield services sector's relationship with the Ministry of Energy and Minerals and the broader national cybersecurity framework. Companies operating in Oman's energy sector are subject to operational regulations that may include cybersecurity requirements beyond the PDPL's general framework. The double-hit on SOS should prompt sector-specific regulatory intervention to ensure that all oilfield services providers meet minimum cybersecurity standards commensurate with the sensitivity of their operations and the data they process.
What Should Have Been Done
The double ransomware attack on SOS presents a case study in what happens when an organization fails to achieve comprehensive remediation after an initial breach. The following recommendations address both the prevention of the initial compromise and, critically, the post-incident remediation that should have prevented the second attack.
First, after the LockBit attack in April 2024, SOS should have engaged in a comprehensive post-incident review that included full forensic analysis, complete credential rotation, vulnerability remediation across all systems, and an independent security assessment to validate remediation effectiveness. The fact that Meow was able to compromise the organization four and a half months later strongly suggests that the post-LockBit remediation was either incomplete, insufficiently thorough, or addressed symptoms rather than root causes.
Post-breach remediation must include: identification and closure of all attacker access paths (including secondary backdoors), rotation of every credential in the environment (not just those known to be compromised), patching of all known vulnerabilities, and validation through independent penetration testing.
Second, the organization should have implemented robust data loss prevention (DLP) and network monitoring specifically calibrated to detect data exfiltration patterns.
Both the LockBit and Meow attacks involved data exfiltration - the LockBit double-extortion model requires pre-encryption data theft, and Meow's entire business model is based on selling stolen data. DLP solutions configured to detect outbound transfers of sensitive data patterns (passport numbers, dates of birth, financial document formats) would have created a detection opportunity at the exfiltration stage, even if the initial access and lateral movement went undetected. One caveat matters in practice: content-pattern matching is blind to data that leaves as compressed or encrypted archives, which is exactly how LockBit affiliates are documented to operate (Rclone, MEGA and the group's own StealBit tool are all named in U.S. government advisories). DLP therefore has to be paired with egress monitoring that flags unusual upload volumes, unfamiliar destinations and known exfiltration tooling, irrespective of what the payload looks like.
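The egress-side detection described above, as an added example that is not code from the original article or from any tool SOS used. It scans proxy log lines and raises an alert when a host uploads more than a threshold to a destination outside the business allowlist, or when the User-Agent identifies upload tooling of the kind named in the LockBit advisories. The log format, hostnames, allowlist, threshold and the sample lines themselves are all constructed for illustration.

```python
"""Egress-anomaly detection over constructed proxy log lines.

Added example; not code from the article. The line format
(timestamp src_host dst_host method bytes_out user_agent), the hostnames,
the allowlist and the thresholds are assumptions for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log (hypothetical hosts and destinations).
SAMPLE_PROXY_LOG = """\
2024-08-20T09:01:10Z fileserver01 cdn.example-erp.com GET 1200 Mozilla/5.0
2024-08-20T09:02:15Z ws-hr-07 login.microsoftonline.com POST 3400 Mozilla/5.0
2024-08-20T10:05:00Z ws-hr-07 hr-portal.example.com POST 200000000 Mozilla/5.0
2024-08-20T22:14:02Z fileserver01 userstorage.mega.co.nz PUT 524288000 rclone/v1.65.0
2024-08-20T22:19:40Z fileserver01 userstorage.mega.co.nz PUT 314572800 rclone/v1.65.0
"""

# Destinations the business is assumed to legitimately upload to.
ALLOWED_DESTINATIONS = {
    "login.microsoftonline.com",
    "hr-portal.example.com",
    "cdn.example-erp.com",
}

# Upload tools named in the CISA LockBit 3.0 advisory as exfiltration aids.
# How each identifies itself in User-Agent is an assumption.
EXFIL_TOOL_UA = re.compile(r"rclone|MEGAsync|FreeFileSync", re.IGNORECASE)

# Bytes one host may upload to one non-allowlisted destination per day (assumed).
VOLUME_THRESHOLD = 100 * 1024 * 1024

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<bytes>\d+)\s+(?P<ua>.+)$"
)


@dataclass(frozen=True)
class Alert:
    rule: str
    src_host: str
    dst_host: str
    detail: str


def parse_log(text):
    """Parse the assumed log format; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"], "dst": m["dst"], "method": m["method"],
            "bytes": int(m["bytes"]), "ua": m["ua"],
        })
    return records


def detect_exfiltration(log_text, allowlist=ALLOWED_DESTINATIONS,
                        volume_threshold=VOLUME_THRESHOLD):
    """Return alerts for suspicious uploads to non-allowlisted destinations."""
    alerts = []
    seen_tooling = set()
    outbound = defaultdict(int)  # (src, dst, day) -> bytes uploaded
    for r in parse_log(log_text):
        if r["dst"] in allowlist:
            continue  # content leaving via sanctioned channels is DLP's job, not this rule's
        key = (r["src"], r["dst"], r["ua"])
        if EXFIL_TOOL_UA.search(r["ua"]) and key not in seen_tooling:
            seen_tooling.add(key)
            alerts.append(Alert("exfil-tooling", r["src"], r["dst"],
                                f"user-agent {r['ua']!r}"))
        if r["method"] in ("PUT", "POST"):
            outbound[(r["src"], r["dst"], r["ts"].date())] += r["bytes"]
    for (src, dst, day), total in outbound.items():
        if total > volume_threshold:
            alerts.append(Alert("egress-volume", src, dst,
                                f"{total} bytes uploaded on {day}"))
    return alerts


if __name__ == "__main__":
    for a in detect_exfiltration(SAMPLE_PROXY_LOG):
        print(a)
```

Note that the rules deliberately ignore payload content: the 800 MB leaving fileserver01 is flagged on volume, destination and tooling alone, which is the property that survives an attacker packing the data into an encrypted archive. In a real deployment the allowlist would come from asset inventory and the thresholds from a per-host baseline rather than the constants shown here.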
Third, privileged access management (PAM) should have been implemented to control access to the sensitive data categories that were ultimately exfiltrated. Passport scans, employee personal records, client contracts, and financial documents should not be accessible from general-purpose user accounts. PAM solutions enforce just-in-time access provisioning, require multi-factor authentication for privileged operations, and create audit trails that enable rapid detection of anomalous access patterns.
The breadth of data categories exfiltrated by Meow indicates that the attacker was able to access multiple sensitive repositories, suggesting either overly permissive access controls or a compromised privileged account without adequate monitoring.
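The "anomalous access pattern" that PAM audit trails are meant to surface, as an added example that is not code from the original article. It reads constructed file-share audit events and flags an account that, within one hour, reads from several distinct sensitive repositories (the breadth pattern described above) or pulls an unusual number of objects from a single repository. The event format, share names, account names and thresholds are assumptions for illustration.

```python
"""Flagging anomalous access to sensitive repositories from audit events.

Added example; not code from the article. The event format
(timestamp account share operation object), the share names and the
thresholds are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Repositories holding the data categories the article lists (assumed names).
SENSITIVE_SHARES = {
    "fs01/HR-Passports",
    "fs01/Client-Contracts",
    "fs01/Finance-Payments",
    "fs01/Certifications",
}

# Constructed audit events: normal daytime use by two staff accounts, then a
# service account sweeping every sensitive share late at night.
SAMPLE_AUDIT_LOG = """\
2024-08-19T08:12:00Z hr.clerk fs01/HR-Passports READ passports/1042.pdf
2024-08-19T08:15:00Z hr.clerk fs01/HR-Passports READ passports/1043.pdf
2024-08-19T10:30:00Z finance.user fs01/Finance-Payments READ invoices/2024-07-118.pdf
2024-08-19T10:31:00Z finance.user fs01/Finance-Payments READ invoices/2024-07-119.pdf
2024-08-19T23:02:00Z svc-deploy fs01/HR-Passports READ passports/1001.pdf
2024-08-19T23:02:05Z svc-deploy fs01/HR-Passports READ passports/1002.pdf
2024-08-19T23:02:10Z svc-deploy fs01/HR-Passports READ passports/1003.pdf
2024-08-19T23:02:15Z svc-deploy fs01/HR-Passports READ passports/1004.pdf
2024-08-19T23:02:20Z svc-deploy fs01/HR-Passports READ passports/1005.pdf
2024-08-19T23:10:00Z svc-deploy fs01/Client-Contracts READ contracts/client-a-msa.pdf
2024-08-19T23:25:00Z svc-deploy fs01/Finance-Payments READ invoices/2024-06-090.pdf
2024-08-19T23:40:00Z svc-deploy fs01/Certifications READ well-control/emp-0417.pdf
2024-08-20T07:55:00Z svc-deploy fs01/Public-Templates READ templates/letterhead.docx
"""


@dataclass(frozen=True)
class AccessAlert:
    rule: str
    account: str
    detail: str


def parse_audit(text):
    """Parse the assumed event format into (ts, account, share, op, obj) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than abort the sweep
        ts, account, share, op, obj = parts
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, share, op, obj))
    return sorted(events)


def detect_anomalous_access(text, window=timedelta(minutes=60), breadth=3, bulk=5):
    """One alert per account and rule, reporting the worst window seen."""
    by_account = defaultdict(list)
    for ev in parse_audit(text):
        if ev[2] in SENSITIVE_SHARES and ev[3] == "READ":
            by_account[ev[1]].append(ev)

    alerts = []
    for account, evs in by_account.items():
        max_breadth, max_bulk = 0, (None, 0)
        for i, ev in enumerate(evs):
            # Sliding window ending at this event (events are time-sorted).
            recent = [e for e in evs[: i + 1] if ev[0] - e[0] <= window]
            max_breadth = max(max_breadth, len({e[2] for e in recent}))
            per_share = defaultdict(int)
            for e in recent:
                per_share[e[2]] += 1
            share, n = max(per_share.items(), key=lambda kv: kv[1])
            if n > max_bulk[1]:
                max_bulk = (share, n)
        if max_breadth >= breadth:
            alerts.append(AccessAlert("repository-breadth", account,
                                      f"read from {max_breadth} distinct sensitive shares within {window}"))
        if max_bulk[1] >= bulk:
            alerts.append(AccessAlert("bulk-read", account,
                                      f"{max_bulk[1]} objects read from {max_bulk[0]} within {window}"))
    return alerts


if __name__ == "__main__":
    for a in detect_anomalous_access(SAMPLE_AUDIT_LOG):
        print(a)
```

The point of the breadth rule is that no legitimate role at an oilfield services firm needs passports, contracts, payment records and certifications in the same hour; a single account touching all four is the signature of a compromised or over-privileged identity, whichever share it started on. Just-in-time provisioning would stop most such accounts from holding those rights at all; this check is the audit-trail backstop for the ones that do.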
Fourth, SOS should have implemented network segmentation that isolated sensitive data repositories from general-purpose IT infrastructure and internet-facing systems. The passport scans, client contracts, and financial documents should have been stored in hardened, segmented network zones with strict access controls, enhanced monitoring, and limited connectivity to the broader network.
Even if an attacker gains initial access through a compromised endpoint or VPN, network segmentation creates barriers that increase the attacker's dwell time, generate detectable lateral movement patterns, and limit the volume and categories of data accessible from any single point of compromise.
Fifth, the organization should have engaged in threat intelligence-driven defense that specifically monitored for indicators of compromise associated with LockBit, Meow, and other ransomware groups targeting the energy sector. After the LockBit attack, SOS should have been monitoring dark web forums and initial access broker marketplaces for any sale of access to its infrastructure.
It is common for ransomware groups to sell residual access after their primary operation, and an organization that has been compromised once should assume that access to its infrastructure may be available for purchase by other threat actors.
Sixth, the organization should have implemented endpoint detection and response (EDR) with automated containment capabilities across all endpoints and servers. Both LockBit 3.0 and the Conti-based Meow variant exhibit well-documented behavioral patterns that EDR solutions are designed to detect and contain. The deployment of EDR should have been a priority remediation step after the LockBit attack, providing automated defense against the Meow attack that followed.
EDR solutions that integrate with SIEM platforms and SOAR playbooks can automate the response to ransomware indicators, isolating affected endpoints and blocking lateral movement within seconds of detection.
Finally, the fundamental lesson of the SOS double-hit is that incident response does not end with recovery from the immediate attack. The period following a ransomware compromise is the organization's most vulnerable window, because the attacker may have established persistence mechanisms that survive initial remediation, the organization's infrastructure may have been weakened by the attack and the recovery process, and the public listing on a ransomware leak site signals to other threat actors that the organization is a viable target.
Post-incident security must be treated as an elevated defense posture, with enhanced monitoring, accelerated remediation timelines, and continuous threat hunting for a period of at least six to twelve months following the initial attack.
The double ransomware attack on Special Oilfield Services - first by LockBit 3.0 and then by Meow within five months - represents one of the most damaging breach patterns an organization can experience. It signals to the market, to regulators, and to future attackers that the organization's security posture is fundamentally inadequate. Under Oman's PDPL, each breach triggers independent notification and penalty obligations, and the recurrence of the breach amplifies regulatory scrutiny.
For oilfield services companies handling passport scans, client data, and financial records, the expectation of “appropriate technical and organizational measures” must include the capability to prevent not just the first attack, but the second.