Romanian energy provider hit by Gentlemen ransomware attack
Source: BleepingComputer (Romania)
Monday, December 29, 2025
What
Oltenia Energy Complex, Romania's largest coal-based energy producer, suffered a ransomware attack by the Gentlemen group, which crippled its IT infrastructure. The attack resulted in the encryption of documents and files, rendering critical applications like ERP systems, document management, email services, and the company website temporarily unavailable. While the company's activity was partially affected, the operation of the National Energy System was not jeopardized, and IT teams are rebuilding systems using existing backups while assessing for data theft.
Where
The primary organization affected is Oltenia Energy Complex (Complexul Energetic Oltenia) in Romania. The incident is part of a broader trend of ransomware attacks targeting critical infrastructure and organizations within Romania, including Romanian Waters, Electrica Group, and numerous hospitals.
When
The ransomware attack on Oltenia Energy Complex occurred on December 26, 2025, the second day of Christmas. The Gentlemen ransomware operation itself surfaced in August, preceding this incident. The company detected the attack immediately and began recovery efforts, with the assessment of data exfiltration ongoing.
Key Factors
- The Gentlemen ransomware group, which emerged in August, is known for gaining initial access through compromised credentials and by targeting Internet-exposed services.
- The attack encrypted documents, appending the .7mtzhh file extension to affected files and dropping README-GENTLEMEN.txt ransom notes, and took down critical internal systems such as ERP and document management.
- Despite the significant IT infrastructure disruption, the company maintained the operation of the National Energy System, indicating that energy production and grid operations were segregated from, or at least not dependent on, the affected IT network.
- This incident is one of several major ransomware attacks on Romanian critical infrastructure and public services in recent years, highlighting a persistent threat landscape for the country.
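The two file-system indicators named above (the .7mtzhh extension and the README-GENTLEMEN.txt note) are what an incident responder would sweep file shares and application servers for while scoping the blast radius. The script below is an added example written for this page, not code from BleepingComputer or from the affected company: it walks a directory tree, flags both indicators, and reports which directories contain encrypted files. The sample tree it builds is constructed purely for the demonstration.

```python
"""IOC sweep for the two file-system indicators reported in this incident.

Added example; the sample directory tree is constructed here and is not
data from the incident.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators reported for the Gentlemen ransomware in this attack.
ENCRYPTED_EXT = ".7mtzhh"
RANSOM_NOTE = "README-GENTLEMEN.txt"


def sweep(root):
    """Walk `root` and return (encrypted_files, ransom_notes, per_dir_counts).

    The extension match is case-insensitive; the note name is matched exactly.
    Symlinks are not followed, so a scan of a share cannot be redirected
    into an unrelated tree.
    """
    encrypted, notes = [], []
    per_dir = Counter()
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(path)
                per_dir[dirpath] += 1
            elif name == RANSOM_NOTE:
                notes.append(path)
    return encrypted, notes, per_dir


def build_sample_tree(root):
    """Constructed sample data: two hit directories and one clean one."""
    root = Path(root)
    (root / "erp" / "exports").mkdir(parents=True)
    (root / "dms").mkdir()
    (root / "clean").mkdir()
    (root / "erp" / "exports" / "invoices_2025.xlsx.7mtzhh").write_bytes(b"\x00" * 16)
    (root / "erp" / "exports" / RANSOM_NOTE).write_text("constructed note")
    (root / "dms" / "contract.pdf.7mtzhh").write_bytes(b"\x00" * 16)
    (root / "dms" / "policy.docx.7MTZHH").write_bytes(b"\x00" * 16)  # upper-case variant
    (root / "dms" / RANSOM_NOTE).write_text("constructed note")
    (root / "clean" / "notes.txt").write_text("unaffected")
    return root


def run_demo():
    """Build the sample tree in a temp dir, sweep it, and return summary counts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        encrypted, notes, per_dir = sweep(root)
        hit_dirs = sorted(Path(d).relative_to(root).as_posix() for d in per_dir)
        return {"encrypted": len(encrypted), "notes": len(notes), "hit_dirs": hit_dirs}


if __name__ == "__main__":
    # Point sweep() at a real mount to scope an incident; run_demo() only
    # exercises the constructed tree.
    print(run_demo())
```

In a real engagement the per-directory counts are the useful output: they show which shares and application data stores the encryptor reached, which is what decides whether a system is rebuilt from backup or merely checked.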
Takeaways
- Organizations, especially critical infrastructure providers, must implement robust multi-factor authentication and regularly audit Internet-exposed services to prevent initial access via compromised credentials.
- Maintaining comprehensive, offline backups and developing a well-tested incident response plan are crucial for rapid recovery and minimizing operational disruption following a ransomware attack.
- The repeated targeting of Romanian entities underscores the importance of national-level cybersecurity strategies and information sharing to protect critical sectors from evolving ransomware threats.