Romania’s Largest Coal Power Producer Crippled by Ransomware Attack

Ransomware Hits Romania’s Power Backbone: Inside the Cyberattack on Oltenia Energy Complex

Attack date: December 26, 2025
Public updates: January 2, 2026
Sector: Energy / Critical Infrastructure


What happened

On the morning of December 26, Romania’s largest coal-based electricity producer, Oltenia Energy Complex, detected a ransomware attack that crippled its internal IT environment. The attack forced the company to immediately disconnect multiple systems to prevent further spread.

While electricity production itself was not affected, the company lost access to core business and administrative systems, including internal management platforms, document repositories, corporate email, and its public-facing website.

Oltenia Energy Complex supplies roughly 30% of Romania’s electricity, making this incident one of the most serious cyber events affecting the country’s energy sector to date.


Who was targeted

Oltenia Energy Complex (Complexul Energetic Oltenia) operates coal mines and thermal power plants that form a backbone of Romania’s national energy supply. The organization is considered critical infrastructure and is overseen by the Romanian Ministry of Energy.

The attack follows a concerning pattern: Romanian energy organizations have increasingly become ransomware targets, including last year’s breach of the Electrica Group.


Who is behind the attack

The intrusion has been attributed to the Gentlemen ransomware group, a relatively new but highly capable cybercriminal operation that emerged in 2025.

Gentlemen is not a mass-spray ransomware crew. They operate with a targeted, hands-on approach, selecting large organizations with complex networks and high pressure to restore operations quickly. The group is known for double extortion, meaning they encrypt systems and steal data before demanding payment.


How the attack likely unfolded

Based on known Gentlemen operations and the symptoms reported by Oltenia, the attack likely followed this sequence:

  1. Initial access
    The attackers gained entry using valid credentials or by exploiting an exposed remote-access service such as a VPN or RDP endpoint.
  2. Silent reconnaissance
    Once inside, they mapped the network, identified key servers, domain controllers, backup systems, and administrative accounts.
  3. Privilege escalation and defense evasion
    The attackers elevated privileges and disabled or bypassed security tools. In other Gentlemen cases, this has involved abusing legitimate signed drivers to neutralize endpoint protection.
  4. Lateral movement
    They moved across the network using built-in administrative tools and remote management software.
  5. Data theft
    Sensitive business and internal data was likely exfiltrated to support extortion pressure.
  6. Encryption and shutdown
    File servers and business applications were encrypted, ransom notes were dropped, and the company was forced to shut down systems to contain the damage.

What systems were impacted

Confirmed affected systems include:

  • Enterprise Resource Planning (ERP) systems
  • Internal document management platforms
  • Corporate email infrastructure
  • Internal administrative and management networks
  • Public website

Operational technology (OT) systems controlling electricity production were not impacted, which prevented disruptions to the national power grid.


Known indicators of compromise (IOCs)

Publicly observed indicators linked to this attack and to Gentlemen operations include:

  • Ransom note filename:
    README-GENTLEMEN.txt
  • Encrypted file extension (observed in related incidents):
    .7mtzhh
    (Note: the group is known to vary extensions between campaigns)
  • Behavioral indicators:
    • Sudden creation of new administrator accounts
    • Mass disabling of security software
    • Deletion of Windows shadow copies
    • Use of remote administration tools such as AnyDesk
    • Unusual outbound network traffic prior to encryption

No confirmed malicious IP addresses or file hashes have been publicly released at this time.
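The behavioral indicators above are what a defender can actually hunt for while hashes and IPs are still unpublished. As an added example (not from the article or from Oltenia Energy Complex), the following Python turns those indicators into detection logic and runs it over a constructed stream of Windows security events; the pipe-delimited log format is an assumption for illustration, while the event IDs (4688 process creation, 4720 account created, 4732 member added to a local group, 4663 object access) are the standard Windows ones.

```python
import re
from collections import Counter

# Constructed sample events (not from the incident). Assumed format "<EventID>|<f1>|<f2>":
# 4688 process creation (parent|command line), 4720 account created (account|action),
# 4732 member added to local group (member|group), 4663 object access (path|access).
SAMPLE_EVENTS = """\
4688|cmd.exe|vssadmin.exe delete shadows /all /quiet
4720|svc_backup2|created
4732|svc_backup2|Administrators
4688|explorer.exe|C:\\Users\\Public\\AnyDesk.exe --silent
4663|C:\\shares\\finance\\README-GENTLEMEN.txt|WriteData
4663|C:\\shares\\finance\\Q4-budget.xlsx.7mtzhh|WriteData
4688|svchost.exe|C:\\Windows\\System32\\notepad.exe
""".splitlines()

RANSOM_NOTE = "README-GENTLEMEN.txt"
ENCRYPTED_EXTS = (".7mtzhh",)  # the group varies this; extend as new extensions are reported
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I)
REMOTE_TOOLS = ("anydesk",)

def classify(line, new_accounts):
    """Labels for one event; new_accounts tracks 4720 creations so a later 4732 flags a new admin."""
    event_id, a, b = line.split("|", 2)
    hits = []
    if event_id == "4688":
        if SHADOW_DELETE.search(b):
            hits.append("shadow_copy_deletion")
        if any(t in b.lower() for t in REMOTE_TOOLS):
            hits.append("remote_admin_tool")
    elif event_id == "4720":
        new_accounts.add(a.lower())
        hits.append("account_created")
    elif event_id == "4732" and b.lower() == "administrators":
        hits.append("new_admin_account" if a.lower() in new_accounts else "admin_group_add")
    elif event_id == "4663":
        name = a.rsplit("\\", 1)[-1]
        if name == RANSOM_NOTE:
            hits.append("ransom_note")
        elif name.lower().endswith(ENCRYPTED_EXTS):
            hits.append("encrypted_file")
    return hits

def scan(lines):
    """Count indicator types over the stream; several distinct types close together is the real signal."""
    counts, new_accounts = Counter(), set()
    for line in lines:
        counts.update(classify(line, new_accounts))
    return counts
```

Any single label (shadow-copy deletion in particular) is noisy on its own; alert on the combination, and feed real events in chronological order so the new-account correlation works.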


Impact and response

Once the attack was identified, Oltenia Energy Complex:

  • Disconnected affected systems from the network
  • Began rebuilding infrastructure using clean backups
  • Notified Romania’s national cyber authorities
  • Filed a criminal complaint with prosecutors
  • Coordinated with the Ministry of Energy

The company stated that electricity production continued safely throughout the incident.


Why this attack matters

This incident highlights several critical trends:

  • Energy infrastructure is a prime ransomware target, even when operational systems are segmented
  • Business IT disruption alone can severely impact national-scale organizations
  • Romania is experiencing a clear increase in ransomware activity against public and strategic entities
  • Attackers are increasingly patient, professional, and technically sophisticated

The fact that power generation was not disrupted should be viewed as a success of network segmentation — but the incident still demonstrates how ransomware can pressure critical infrastructure operators without touching industrial systems.


Final takeaways

  • Ransomware groups no longer need to disrupt physical operations to exert leverage
  • Credential security and remote-access hardening remain major weaknesses
  • Backup integrity and isolation are critical for recovery
  • Early detection of lateral movement and privilege abuse is essential

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.