Lessons from Mack Energy’s Ransomware Attack – How to Stay Ahead of Threats Like Cicada3301
Another Day, Another Ransomware Attack
On July 9, 2025, Mack Energy Corporation, a New Mexico-based independent oil and gas company, detected a ransomware attack that has since been tied to the Cicada3301 cybercrime group. The attack reportedly resulted in the theft of 3.1 terabytes of sensitive data, including full names and Social Security numbers, with at least 413 Texans confirmed to be affected. The breach was disclosed to the Texas Attorney General’s office months later, on November 7, 2025, highlighting the delayed and complex nature of breach reporting.
While Mack Energy has not disclosed whether a ransom was paid or demanded, the attack exposes a growing concern for the oil and gas (ONG) sector: how to protect critical data and infrastructure in an era where ransomware groups are becoming more sophisticated and organized.
The Cicada3301 ransomware, as its name implies, draws inspiration from one of the internet’s most mysterious puzzles, and its developers have implemented advanced techniques that allow it to bypass traditional Endpoint Detection and Response (EDR) systems. This attack underscores the urgent need for proactive measures to prevent ransomware before it can disrupt operations, compromise sensitive data, and harm reputations.
What Happened to Mack Energy Corporation?
Cicada3301 ransomware, written in Rust, has gained a reputation for its sophisticated evasion tactics and destructive capabilities. The attack against Mack Energy followed similar patterns observed in previous Cicada3301 campaigns:
- Data Theft: The attackers exfiltrated sensitive data, including personally identifiable information (PII).
- Operational Disruption: While details on the ransom demand remain undisclosed, the volume of stolen data and the breach of trust are significant consequences.
- Sector-Specific Targeting: The oil and gas sector, like many critical infrastructure industries, is a high-value target for ransomware groups due to its reliance on continuous operations and the high cost of downtime.
What Makes Cicada3301 Ransomware Different?
Morphisec’s research into Cicada3301 has revealed several unique characteristics that make it particularly challenging to detect and stop using traditional security tools:
- EDR Evasion: Cicada3301 uses advanced techniques, such as tampering with Endpoint Detection and Response (EDR) systems, rendering them ineffective against its attacks.
- Credential Exploitation: The ransomware integrates compromised credentials directly into its code, enabling lateral movement and remote execution without raising alarms.
- Rust-Based Design: Like other emerging ransomware families (e.g., BlackCat), Cicada3301 is written in Rust, a language known for its efficiency and cross-platform compatibility.
- Advanced Tampering: Techniques like shadow copy deletion, service stopping, and log clearing ensure maximum encryption impact while erasing traces of the attack.
These tactics are part of a broader trend in ransomware evolution, where threat actors leverage fileless malware, advanced encryption techniques, and social engineering to bypass traditional defenses.
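As an added defender-side example (not Morphisec's code, and not detection content from the original post), the Python below turns the tampering tactics listed above, shadow copy deletion, service stopping and log clearing, into correlation rules run over process-creation telemetry. The Sysmon-style field names `image` and `command_line`, the sample events and the service name are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Each rule pairs a tactic label with a regex over the normalized command line.
# The three labels mirror the tampering techniques described in the post.
DESTRUCTIVE_RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("shadow_copy_deletion", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("log_clearing", re.compile(r"\bwevtutil(\.exe)?\b.*\bcl\b")),
    ("log_clearing", re.compile(r"\bclear-eventlog\b")),
    ("service_stopping", re.compile(r"\b(net1?|sc)(\.exe)?\b.*\bstop\b")),
]

def normalize(cmd: str) -> str:
    """Lowercase, strip quoting/caret escapes and collapse whitespace so that
    trivially obfuscated variants (vss^admin, doubled spaces) still match."""
    cmd = cmd.lower().replace('"', "").replace("^", "")
    return " ".join(cmd.split())

def classify_event(event: Dict[str, str]) -> List[str]:
    """Return the distinct tactic labels matched by one process-creation event."""
    cmd = normalize(event.get("command_line", ""))
    hits: List[str] = []
    for label, pattern in DESTRUCTIVE_RULES:
        if pattern.search(cmd) and label not in hits:
            hits.append(label)
    return hits

def scan_events(events: List[Dict[str, str]]) -> List[Tuple[int, str, List[str]]]:
    """Return (index, image, tactics) for every event that matched a rule."""
    return [(i, ev.get("image", ""), t)
            for i, ev in enumerate(events) if (t := classify_event(ev))]

def ransomware_pattern_suspected(findings, min_tactics: int = 2) -> bool:
    """One 'net stop' is routine admin noise; several distinct destructive tactics
    from one host in one window is the pre-encryption pattern worth alerting on."""
    seen = {t for _, _, tactics in findings for t in tactics}
    return len(seen) >= min_tactics

# Constructed sample telemetry (not real logs); field names are assumed, not Sysmon's exact schema.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c vss^admin delete shadows /all /quiet"},
    {"image": r"C:\Windows\System32\wevtutil.exe", "command_line": "wevtutil.exe cl Security"},
    {"image": r"C:\Windows\System32\net.exe", "command_line": 'net  stop "ExampleBackupSvc" /y'},
    {"image": r"C:\Windows\System32\svchost.exe", "command_line": "svchost.exe -k netsvcs"},
]
```

Running `scan_events(SAMPLE_EVENTS)` flags the first three events with one tactic each and leaves the benign svchost event alone; because three distinct tactics appear together, `ransomware_pattern_suspected` returns True.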
How This Attack Could Have Been Prevented
The Mack Energy ransomware incident illustrates why detection-based security solutions alone are no longer sufficient. As attackers evolve, so must our defenses. Preventing ransomware like Cicada3301 requires a proactive, prevention-first approach that stops attacks before they can execute.
Here’s how Morphisec’s Automated Moving Target Defense (AMTD) technology addresses the challenges posed by advanced ransomware campaigns:
Prevention at the Core
Morphisec doesn’t rely on detection or signatures; instead, it prevents malware from executing by creating a dynamically shifting attack surface. This makes it nearly impossible for ransomware, including Cicada3301, to find and exploit vulnerabilities.
Protection Without Updates
While Cicada3301 bypassed a leading EDR solution, Morphisec’s MTD blocked it in a customer environment without requiring updates or prior knowledge of the ransomware. This highlights the importance of solutions that remain effective against zero-day and unknown threats.
Lightweight and Seamless Deployment
Morphisec’s solution is designed to integrate seamlessly into existing environments without impacting performance—a critical factor for industries like oil and gas, where downtime is costly and unacceptable.
Resilience Against Advanced Tactics
From stopping lateral movement to preventing shadow copy deletion and tampering, Morphisec neutralizes the advanced tactics used by Cicada3301 and similar ransomware families.
By proactively stopping ransomware like Cicada3301, organizations can avoid the devastating financial, operational, and reputational consequences of an attack.
Lessons for the Oil and Gas Industry
The Mack Energy breach is a stark reminder that the oil and gas sector remains a prime target for ransomware groups. With critical infrastructure at stake, it’s essential for security leaders to adopt strategies that prioritize prevention over remediation.
Key takeaways for oil and gas companies:
- Modernize Endpoint Security: Traditional EDR tools are no longer enough. Investing in prevention-first solutions like Morphisec ensures that ransomware is stopped before it can execute.
- Protect Critical Data: Sensitive information, such as employee PII or proprietary operational data, must be safeguarded with advanced encryption and storage protections to prevent exfiltration.
- Prepare for the Worst: While prevention is critical, having a robust incident response plan in place ensures that businesses can recover quickly and minimize downtime in the event of an attack.
How Morphisec Can Help
Morphisec has a proven track record of stopping ransomware campaigns like Cicada3301 in their tracks. Our patented Automated Moving Target Defense technology ensures that your organization remains protected, even against the most advanced threats.
To learn more about how Morphisec can help your organization defend against ransomware:
- Watch our video demo: Cicada3301 Ransomware Attack Demo
- Read our blog post: Decoding the Puzzle: Cicada3301 Ransomware Threat Analysis
- Download our detailed threat analysis report: Threat Analysis: Cicada3301 Ransomware
Start Now – Proactive Protection Starts Today
As ransomware groups like Cicada3301 continue to evolve, organizations need to stay one step ahead. At Morphisec, we’re committed to helping businesses like yours achieve resilience against advanced threats with a prevention-first approach.