**Romania’s Largest Coal Energy Provider Hit by Ransomware Attack**
Romania’s largest coal-based energy producer, Oltenia Energy Complex (Complexul Energetic Oltenia), suffered a ransomware attack on December 26, disrupting its IT infrastructure. The state-owned company, which employs 19,000 people and supplies 30% of Romania’s electricity, reported that the incident encrypted files and temporarily disabled critical systems, including ERP platforms, document management tools, email services, and its website.
While the attack partially affected operations, the company confirmed that the National Energy System remained stable. IT teams immediately began restoring systems from backups, though the full impact—including potential data theft—is still under assessment. Authorities, including the National Cyber Security Directorate, Ministry of Energy, and DIICOT (Romania’s cybercrime investigation unit), were notified, and a criminal complaint was filed.
The attack has been attributed to the Gentlemen ransomware group, which emerged in August 2024 and is known for exploiting compromised credentials and exposed services. The gang typically leaves README-GENTLEMEN.txt ransom notes and appends the .7mtzhh extension to encrypted files. Though the group has listed nearly 40 victims on its leak site, Oltenia Energy Complex has not yet appeared, suggesting possible ransom negotiations.
This incident follows another recent attack on Romanian Waters (Administrația Națională Apele Române), the country’s water management authority, which disrupted 1,000 systems across 10 regional offices earlier in December—though core operations remained unaffected. Romania has faced a surge in ransomware attacks, including a 2023 breach of Electrica Group by the Lynx gang and a February 2024 Backmydata ransomware attack that forced over 100 hospitals offline.
Complexul Energetic Oltenia cybersecurity rating report: https://www.rankiteo.com/company/complexul-energetic-oltenia
The Romanian National Cyber Security Directorate cybersecurity rating report: https://www.rankiteo.com/company/directoratul-national-de-securitate-cibernetica
Hidroelectrica cybersecurity rating report: https://www.rankiteo.com/company/hidroelectrica-s-a
```json
{
  "id": "COMDIRHID1767023731",
  "linkid": "complexul-energetic-oltenia, directoratul-national-de-securitate-cibernetica, hidroelectrica-s-a",
  "type": "Ransomware",
  "date": "12/2025",
  "severity": "100",
  "impact": "6",
  "explanation": "Attack threatening the economy of geographical region"
}
```
```python
{'affected_entities': [{'industry': 'Energy',
                        'location': 'Romania',
                        'name': 'Oltenia Energy Complex (Complexul Energetic '
                                'Oltenia)',
                        'size': '19,000+ employees',
                        'type': 'Energy Producer'}],
 'attack_vector': 'Compromised credentials and Internet-exposed services',
 'data_breach': {'data_encryption': 'Yes (.7mtzhh file extension)',
                 'data_exfiltration': 'Under assessment',
                 'type_of_data_compromised': 'Documents and files'},
 'date_detected': '2023-12-26',
 'description': 'A ransomware attack hit Oltenia Energy Complex (Complexul '
                "Energetic Oltenia), Romania's largest coal-based energy "
                'producer, on the second day of Christmas, taking down its IT '
                'infrastructure. Several computer applications became '
                'temporarily unavailable, including ERP systems, document '
                "management applications, the company's email service, and "
                "website. The company's activity was partially affected "
                'without jeopardizing the operation of the National Energy '
                'System.',
 'impact': {'data_compromised': 'Documents and files encrypted',
            'operational_impact': 'Partially affected, but National Energy '
                                  'System operation not jeopardized',
            'systems_affected': 'ERP systems, document management '
                                'applications, email service, website'},
 'initial_access_broker': {'entry_point': 'Compromised credentials and '
                                          'Internet-exposed services'},
 'investigation_status': 'Ongoing',
 'motivation': 'Financial gain',
 'ransomware': {'data_encryption': 'Yes',
                'data_exfiltration': 'Under assessment',
                'ransomware_strain': 'Gentlemen'},
 'references': [{'source': 'Trend Micro'}],
 'regulatory_compliance': {'legal_actions': 'Criminal complaint filed with '
                                            'DIICOT',
                           'regulatory_notifications': 'Reported to National '
                                                       'Cyber Security '
                                                       'Directorate, Ministry '
                                                       'of Energy, and other '
                                                       'relevant authorities'},
 'response': {'communication_strategy': 'Public disclosure of incident details',
              'containment_measures': 'IT teams started rebuilding affected '
                                      'systems on new infrastructure using '
                                      'backups',
              'incident_response_plan_activated': 'Yes',
              'law_enforcement_notified': 'Yes',
              'recovery_measures': 'Using existing backups',
              'remediation_measures': 'Rebuilding affected systems on new '
                                      'infrastructure'},
 'threat_actor': 'Gentlemen ransomware operation',
 'title': 'Ransomware Attack on Oltenia Energy Complex',
 'type': 'Ransomware'}
```