The Gentlemen’s Heist: Ransomware Cripples Romania’s Largest Coal Power Giant
A serious incident caused by ransomware has struck Romania’s largest coal-fired power producer, Oltenia Energy Complex. The attack, detected during the night of December 26, disrupted digital systems and temporarily rendered several internal services unavailable. While certain operational processes were affected, electricity supply at the national level remained stable.
Oltenia Energy Complex (CE Oltenia) is a cornerstone of Romania’s power sector, relying primarily on lignite. The company operates twelve generating units across facilities in Rovinari, Turceni, and Craiova, and manages fifteen open-pit mines, producing between 15 and 18 million tons of coal annually. In recent years, the enterprise has been undergoing restructuring and investing heavily in new energy sources, including solar power plants and gas-fired installations. Its workforce currently numbers around 10,000 employees.
The cyber incident was attributed to ransomware known as Gentlemen. As a result of the attack, internal documents were encrypted and key business applications were disrupted, including resource management systems, document workflows, corporate email, and the company’s official website. Technical teams promptly isolated affected systems and began restoring operations using backup platforms. An internal investigation is underway to assess the extent of the breach and determine whether any data was exfiltrated.
Reports indicate that notifications were sent to the National Cybersecurity Directorate and the Ministry of Energy. The company also filed an official report with the Directorate for Investigating Organized Crime and Terrorism. It remains unclear whether the attackers accessed confidential information. There has been no confirmation of ransom negotiations; however, the absence of Oltenia Energy Complex from the Gentlemen group’s leak site may suggest that communication between the parties is still ongoing.
This marks the second major cyber incident in Romania in recent weeks. Earlier, the National Water Administration fell victim to a similar attack, in which malware compromised approximately one thousand systems at the central office and ten regional branches. Servers hosting geographic information systems, databases, email and web services, as well as Windows workstations and domain name servers, were encrypted. Infrastructure directly involved in water management remained unaffected, and water supply continued uninterrupted.
According to specialists analyzing the incident, the attackers leveraged BitLocker, Windows’ built-in encryption feature. The perpetrators left a demand to establish contact within seven days, though the precise method of initial compromise has yet to be determined.