Ransomware Group: QILIN

VICTIM NAME: Uganda Electricity Transmission Company Limited

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the QILIN Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

Uganda Electricity Transmission Company Limited (UETCL) is listed as the victim in a leak page attributed to the threat actor group “qilin.” The post is dated August 12, 2025, and is described as a data-leak event rather than a traditional encryption incident. The page portrays UETCL as the operator responsible for delivering electricity within Uganda and to neighboring regions, and it asserts alleged arrangements with foreign technology providers in which equipment purchases are paired with a share of profits, implying potential foreign influence over critical infrastructure. The post suggests that published documents may substantiate these claims and warns that leaked information could enable attackers to cause blackouts by exploiting exposed data. No specific ransom amount appears in the post, though a claim URL is indicated. PII such as emails has been redacted in the visible content, and the page references identifiers such as a TOX value and an FTP line that allegedly contains credentials, which are not shown here.

The leak page includes 11 image attachments, described in the annotations as visual materials likely consisting of internal documents or related visuals. These images are hosted on onion addresses (Tor), with the actual links defanged in this summary. The presence of multiple images supports the post’s aim of providing purported evidence for its claims, though the specific contents of the images are not detailed in this overview. In addition to the image set, the page signals that a claim URL exists, reinforcing the narrative of a data-exfiltration event, but it does not present a disclosed ransom figure within the posted content.

Sanitization and risk notes: This summary preserves the victim name while redacting personal contact details (emails) and other potentially sensitive identifiers. The language of the post employs the characteristic risk rhetoric of ransomware leak pages, including allegations about foreign involvement and potential impacts on critical infrastructure; such claims should be treated as unverified until corroborated. The post date (August 12, 2025) is treated as the publication date, as no separate compromise date is provided in the data. The inclusion of multiple images and a claim link underscores the intent to present visual and documental evidence, highlighting the ongoing risk to energy-sector targets from leak-based extortion campaigns.