Quezon Power (Philippines) Limited Co Allegedly Targeted by Devman Ransomware Group, Data Leak Imminent
Quezon Power Philippines Limited Company, a major operator in the country’s power generation sector, has been named by the Devman Ransomware Group as an alleged victim of a cyberattack. The group claims to have obtained approximately 200GB of internal data and has warned that the files will be publicly released within two days, according to its leak site.
Quezon Power (Philippines), Limited Co. owns and operates a 460-megawatt net coal-fired power plant and a 31-kilometer transmission line located in Barangay Cagsiay 1, Mauban, Quezon, making the incident particularly sensitive due to its role in critical energy infrastructure.
Several screenshots released by Devman allegedly show internal systems belonging to Quezon Power. These images include Windows-based file servers, shared network drives, accounting and project folders, internal monitoring logs, and backup-related files. Other screenshots appear to show a VMware ESXi virtualization environment and Windows Server management interfaces, suggesting access to backend infrastructure rather than isolated endpoints.
https://iili.io/f7r4Ue1.png
https://iili.io/f7r48dB.png
https://iili.io/f7r4gmF.png
From a technical standpoint, the screenshots indicate access to enterprise-level systems. One image shows a Windows Server file system with structured directories containing accounting data, scanned documents, project files, monitoring logs, and backup archives, pointing to a central file server used across the organization. Another screenshot displays a VMware ESXi 6.7 hypervisor running on a Dell PowerEdge server, a platform typically used to host multiple virtual machines such as domain controllers, application servers, and databases; access at this layer can provide visibility into several critical systems simultaneously. Additional images show the Windows Server 2016 Local Server dashboard, with remote management enabled, multiple network interfaces, and domain membership visible, suggesting administrative or near-administrative access within the internal network. While the screenshots do not yet show live system disruption, they imply broad internal access consistent with a large-scale compromise.
According to Devman, the breach involved access to both IT and operational technology environments, including industrial control systems (ICS), SCADA-related files, network-attached storage (NAS), and backup systems, potentially limiting recovery options. The group claims to have obtained employee personal and HR data, internal projects, and work logs from power plant operations, totaling around 200GB of data. Devman further alleges limited access to employee mobile phones and claims that Quezon Power is currently operating without active SCADA, stating that Sector U2 of the plant has been severely impacted. These claims have not been independently verified, and no official confirmation of operational disruption has been issued.
As of this writing, Quezon Power Philippines Limited Company has not released a public statement confirming or denying the incident. The authenticity of the screenshots, the extent of data exposure, and the operational impact described by the threat actor remain unverified.
Cyber incidents involving power generation companies extend beyond corporate data loss. Energy facilities are classified as critical infrastructure, and alleged exposure of internal servers, backups, employee data, and operational documentation may increase risks related to safety, reliability, and future cyber threats.