Data Breaches | December 31, 2025 | 4 min read

Gentlemen Ransomware Cripples Romania's Largest Coal Power Producer

Oltenia Energy Complex shut down IT systems on December 26 after a ransomware attack encrypted critical documents and disrupted ERP, email, and web operations.

Sarah Mitchell

Romania's Oltenia Energy Complex, the country's largest coal-based power producer, discovered a ransomware attack on December 26 that forced the company to shut down multiple IT systems. The attack, attributed to a group deploying "Gentlemen" ransomware, encrypted documents and disrupted key business operations including ERP systems, email, and the company's website.

TL;DR

  • What happened: Gentlemen ransomware encrypted documents and disrupted ERP, email, and web systems at Romania's largest coal power producer
  • Who's affected: Oltenia Energy Complex; whether power generation itself was disrupted has not been confirmed
  • Severity: High - critical infrastructure operator with IT systems offline
  • Action required: Energy sector organizations should review backup integrity and network segmentation

Second Romanian Critical Infrastructure Attack in Days

This marks the second major ransomware attack against Romanian critical infrastructure in less than a week. On December 20, Romania's national water management agency (Administrația Națională Apele Române) suffered an attack that compromised roughly 1,000 systems across ten of the country's eleven river basin management organizations. That attack used Windows BitLocker to encrypt systems.

The timing is unlikely to be coincidental: attackers know that holidays mean skeleton crews and slower response times. Romania's national cybersecurity directorate, DNSC, has been handling both incidents at once.

What is Gentlemen Ransomware?

Gentlemen is a relatively new ransomware strain that emerged in late 2025. Unlike more established ransomware-as-a-service operations, details about its operators and affiliates remain scarce. The name itself—an oddly polite moniker for an extortion tool—suggests operators with a sense of irony or a deliberate attempt at misdirection.

The ransomware targets Windows environments and appears focused on high-value corporate targets rather than opportunistic mass deployment. Its appearance at a major energy producer indicates operators with either significant capabilities or good operational intelligence about vulnerable targets.

Impact on Operations

Oltenia Energy Complex reported that the attack affected:

  • ERP systems - Core business operations disrupted
  • Email servers - Internal and external communications impacted
  • Company website - Public-facing web presence taken offline
  • Document servers - Critical files encrypted

The company has not disclosed whether the operational technology (OT) systems that control power generation were affected. Energy sector attacks often hit IT systems while leaving OT networks untouched, either because the attackers never reached for them or because those networks are better segmented. The distinction matters: IT disruptions interrupt business processes, while OT compromises can affect physical infrastructure and safety systems. Even a pure IT incident can still halt production, though, if the operator cannot run the plant safely without the affected systems; the 2021 Colonial Pipeline shutdown followed a ransomware attack that touched only the company's IT network.

Romania's Growing Target Profile

Romania has become an increasingly attractive target for cybercriminals and state-sponsored actors. Several factors contribute:

NATO membership and Ukraine support: Romania hosts critical NATO infrastructure and has been a key logistics hub for Ukraine support. This makes it a target for Russian-aligned threat actors seeking to disrupt Western alliance operations.

Critical infrastructure modernization: Like many Eastern European nations, Romania is in the middle of modernizing aging infrastructure. Transition periods often create security gaps as old and new systems coexist.

Energy sector importance: Romania's energy independence makes its power infrastructure strategically significant. Disrupting electricity generation during winter months could have cascading effects.

Response and Recovery

Oltenia Energy Complex is working with Romanian authorities including DNSC to contain the incident and restore systems. The company has not confirmed whether any ransom demand was received or what amount attackers are seeking.

For energy sector organizations watching this unfold:

  1. Test backup restoration now - Don't wait for an incident to discover backup problems; restore into an isolated environment and check the restored files against an integrity record taken at backup time, kept on separate storage
  2. Verify network segmentation - Confirm that IT/OT boundaries are enforced in practice (firewall rules, tested connectivity), not just on the architecture diagram
  3. Review holiday staffing - Attackers target reduced coverage periods deliberately
  4. Check for Gentlemen IOCs - Monitor threat intelligence feeds for indicators associated with this ransomware family
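Item 1 above, as a worked example added here (not code from the article or from Oltenia Energy Complex): a restore drill that backs up a directory, records a SHA-256 manifest, restores the archive into a scratch location and compares every file byte-for-byte with the manifest. The directory and file names are constructed for the demo; the script assumes Python 3.12 or a patched 3.8-3.11 so that tarfile's `data` extraction filter is available, and falls back to an unfiltered extract on older interpreters. The tampered run overwrites the archive with random bytes, which is what a backup looks like when ransomware reached the backup share and encrypted it in place.

```python
"""Backup restore verification drill (added example, constructed data)."""
import hashlib
import json
import os
import tarfile
import tempfile
import zlib
from pathlib import Path

CHUNK = 64 * 1024


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file's path (relative to root, POSIX form) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict:
    """Write a gzip tarball of source; return the manifest taken at backup time."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    return manifest


def restore_and_verify(archive: Path, manifest: dict, dest: Path) -> dict:
    """Restore archive into dest and compare with manifest; 'ok' only if every
    entry came back with an identical digest and nothing unexpected appeared."""
    report = {"ok": False, "missing": [], "extra": [], "corrupted": [], "error": None}
    try:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The 'data' filter rejects absolute paths, '..' components and
                # links escaping dest, so a tampered archive cannot write elsewhere.
                tar.extractall(dest, filter="data")
            except TypeError:  # interpreter predates the filter= argument
                tar.extractall(dest)
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        # An archive encrypted in place is no longer a valid gzip stream.
        report["error"] = f"{type(exc).__name__}: {exc}"
        return report
    restored = build_manifest(dest)
    report["missing"] = sorted(set(manifest) - set(restored))
    report["extra"] = sorted(set(restored) - set(manifest))
    report["corrupted"] = sorted(
        rel for rel in manifest if rel in restored and restored[rel] != manifest[rel]
    )
    report["ok"] = not (report["missing"] or report["extra"] or report["corrupted"])
    return report


def drill(tamper_archive: bool = False) -> dict:
    """One backup/restore cycle on constructed sample data. With
    tamper_archive=True the archive is overwritten with random bytes after the
    manifest was recorded, simulating a backup encrypted by ransomware."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "erp"  # constructed sample data, not real ERP content
        (src / "invoices").mkdir(parents=True)
        (src / "invoices" / "2025-12.csv").write_text("id,amount\n1,1000\n")
        (src / "config.ini").write_text("[db]\nhost=erp-db\n")

        archive = tmp / "erp-backup.tar.gz"
        manifest = create_backup(src, archive)
        # In production the manifest lives on separate offline or immutable
        # storage, never on the same share as the archive it describes.
        (tmp / "manifest.json").write_text(json.dumps(manifest, indent=2))

        if tamper_archive:
            archive.write_bytes(os.urandom(archive.stat().st_size))

        manifest = json.loads((tmp / "manifest.json").read_text())
        report = restore_and_verify(archive, manifest, tmp / "restore")
        report["files"] = sorted(manifest)
        return report


if __name__ == "__main__":
    print("clean backup:   ", drill(tamper_archive=False))
    print("tampered backup:", drill(tamper_archive=True))
```

The point of the drill is that "the backup job succeeded" is not the same as "the backup can be restored": the manifest is recorded at backup time and read back from separate storage at restore time, so an archive that was encrypted, truncated or silently overwritten after creation fails the check before anyone is relying on it during an incident.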

The Bigger Picture

Two attacks on Romanian critical infrastructure in one week do not look like a coincidence. Whether they were coordinated by the same threat actor or are simply opportunistic timing by different groups, they demonstrate that critical infrastructure remains dangerously exposed.

The energy sector has spent years talking about improving OT security, but many organizations still run IT and OT on flat networks with minimal segmentation. When ransomware hits, the blast radius extends further than it should.

Romania is unlikely to be the last European nation facing infrastructure attacks as 2025 ends. The holiday period typically brings a surge in ransomware activity, and threat actors have clearly done their homework on high-value targets.
