
Romanian energy provider hit by Gentlemen ransomware attack


A ransomware attack hit Oltenia Energy Complex (Complexul Energetic Oltenia), Romania's largest coal-based energy producer, on the second day of Christmas, taking down its IT infrastructure.

The 40-year-old Romanian energy provider employs over 19,000 people, operates four power plants with an installed production capacity of 3900 MWh, and provides about 30% of Romania's electricity.

"As a result of the attack, some documents and files were encrypted, and several computer applications became temporarily unavailable, including ERP systems, document management applications, the company's email service, and website," the company said over the weekend.

"The company's activity was partially affected, without jeopardizing the operation of the National Energy System. Complexul Energetic Oltenia is cooperating with the competent authorities and making every effort to fully restore its IT systems as quickly as possible."

As soon as the attack was detected, its IT teams started rebuilding the affected systems on a new infrastructure, using existing backups.

At the moment, the company is still assessing the impact of the incident and analyzing whether the attackers stole data from compromised systems before they were encrypted.

The incident was reported to the National Cyber Security Directorate, the Ministry of Energy, and other relevant authorities, and the company also filed a criminal complaint with DIICOT (Directorate for Investigating Organized Crime and Terrorism), a law enforcement agency tasked with investigating and prosecuting cybercrime offenses.

The Gentlemen ransomware operation surfaced in August and is known for using compromised credentials and targeting Internet-exposed services to gain initial access to victims' networks. The ransomware gang also deploys README-GENTLEMEN.txt ransom notes with contact information and encrypts documents using the .7mtzhh file extension.
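The two file-system indicators the article names, the README-GENTLEMEN.txt ransom note and the .7mtzhh extension on encrypted files, are the kind of thing a responder sweeps a file share for while triaging an incident like this one. The script below is an added example, not code from the article or from any vendor it cites: it walks a directory tree, collects both indicators, and grades the result so that a lone stray extension does not trigger the same alarm as a ransom note. The sample tree it builds, the severity labels and the 25% threshold are constructed for the demonstration.

```python
"""Added example (not from the article): sweep a directory tree for the two
file-system indicators the article attributes to Gentlemen ransomware, the
README-GENTLEMEN.txt ransom note and the .7mtzhh extension on encrypted files.
Paths, thresholds, labels and the sample tree are constructed here."""
import os
import tempfile
from dataclasses import dataclass, field

RANSOM_NOTE = "README-GENTLEMEN.txt"   # ransom note file name reported in the article
ENCRYPTED_EXT = ".7mtzhh"              # extension reported in the article


@dataclass
class ScanResult:
    notes: list = field(default_factory=list)      # paths of ransom notes found
    encrypted: list = field(default_factory=list)  # paths carrying the extension
    total_files: int = 0                           # every regular file seen

    @property
    def encrypted_ratio(self) -> float:
        """Share of scanned files that carry the ransomware extension."""
        return len(self.encrypted) / self.total_files if self.total_files else 0.0


def scan_tree(root: str) -> ScanResult:
    """Walk `root` once and record both indicators; never opens file contents."""
    result = ScanResult()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            result.total_files += 1
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                result.notes.append(path)
            elif name.endswith(ENCRYPTED_EXT):
                result.encrypted.append(path)
    return result


def assess(result: ScanResult, ratio_threshold: float = 0.25) -> str:
    """Grade a scan: a ransom note is conclusive on its own; otherwise only a
    large share of renamed files is worth escalating, so that a single odd file
    does not page anyone. Labels and threshold are this example's own choice."""
    if result.notes:
        return "confirmed"
    if result.encrypted_ratio >= ratio_threshold:
        return "suspected"
    return "clean"


def build_sample_tree() -> str:
    """Construct a throwaway tree that mimics a partially encrypted share:
    two encrypted documents, one untouched file, the note, and a file outside
    the affected folder. Purely synthetic input for the demonstration."""
    root = tempfile.mkdtemp(prefix="gentlemen-demo-")
    docs = os.path.join(root, "finance")
    os.makedirs(docs)
    for name in ("q3.xlsx" + ENCRYPTED_EXT, "invoice.pdf" + ENCRYPTED_EXT,
                 "notes.txt", RANSOM_NOTE):
        open(os.path.join(docs, name), "w").close()
    open(os.path.join(root, "readme.md"), "w").close()
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    res = scan_tree(demo_root)
    print(f"scanned {res.total_files} files under {demo_root}")
    print(f"ransom notes: {len(res.notes)}, encrypted: {len(res.encrypted)} "
          f"({res.encrypted_ratio:.0%})")
    print("verdict:", assess(res))
```

Point `scan_tree` at the root of a share (or a mounted forensic image) instead of the sample tree; because it only reads directory listings, it is safe to run read-only against evidence and cheap enough to schedule as a periodic sweep on file servers.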

Sample Gentlemen ransom note (Trend Micro)

Since it emerged, the Gentlemen ransomware group has added almost four dozen victims to its Tor data leak site. However, it has yet to add Oltenia Energy Complex, likely because they're still negotiating a ransom.
