Petrobras, the Brazilian petroleum giant, is examining a claim from the Everest ransomware group, which alleges it stole a large volume of technical data from the company’s exploration systems. The group posted samples on its leak site and stated that it obtained about ninety gigabytes of material connected to seismic surveys in Brazil. The samples include file names and metadata referencing seismic nodes, hydrophone depths, and navigation information. Petrobras has not confirmed the intrusion or the authenticity of the files. The company has also not said whether operational systems were affected.
Security researchers who reviewed the posted samples said the files appear to originate from geology and geophysics systems rather than from business support platforms. These systems store seismic survey results used to guide exploration and drilling decisions in offshore regions. The material referenced in the samples includes technical parameters that can indicate survey locations and data acquisition methods. Analysts say the information could hold strategic value because seismic data is considered proprietary within the oil and gas sector. They also noted that there is no indication that the incident disrupted production or active drilling operations.
Everest stated that Petrobras has six days to begin negotiations. The group commonly uses a double extortion approach that combines data theft with threats to publish stolen information. Researchers say Everest has targeted several critical infrastructure organisations this year and has focused on technical data sets linked to engineering, industrial processes, and exploration planning. The group’s model encourages affiliates to leak data even when victims decline to pay. This increases the likelihood that stolen information will circulate on underground forums.
Petrobras has not disclosed which systems might have been accessed or how an attacker could have entered its network. The company said it is evaluating the claim and has not identified any disruption to operational technology environments that support offshore activity. Analysts say that if the data is confirmed to be genuine, the incident may raise questions about the protection of field data systems. Exploration files can influence investment decisions, competitive positioning, and long-term planning in offshore basins. Exposure of those files could reduce confidentiality around strategic projects.
The claim also highlights the broader shift in attacker focus toward high-value technical information held by industrial and energy companies. In previous years, ransomware actors often targeted corporate networks that contained financial records or customer data. Analysts now observe increased attention to engineering files, operational diagrams, and exploration data because these records have long-term usefulness and may carry greater leverage in extortion attempts. The Petrobras claim aligns with this pattern and reflects ongoing threats to energy sector organisations that manage extensive field data environments.
Petrobras has not provided details about containment steps or whether third-party incident responders are involved. The company is expected to review access logs, backups, and vendor connections to determine whether any persistence mechanisms were introduced. Organisations in the oil and gas sector are monitoring the situation and reviewing their own controls for systems that store exploration data, seismic results, and technical project files. Security specialists note that these systems may operate outside traditional corporate networks and therefore require focused attention.