Full Report
The activity of the Oltenia Energy Complex (CEO) was partially affected by a ransomware attack known as "Gentlemen", without endangering the functioning of the National Energy System, the company announced on Saturday.
Analysis Summary
# Incident Report: Gentlemen Ransomware Attack on Oltenia Energy Complex
## Executive Summary
The Oltenia Energy Complex (CEO) experienced a significant ransomware attack named "Gentlemen" on December 26, 2025, which partially disrupted business operations, encrypting documents and rendering core IT applications (ERP, document management, email, and website) temporarily unavailable. While the domestic National Energy System remained unaffected, the company isolated affected systems, initiated recovery from backups, and reported the incident to Romanian authorities.
## Incident Details
- Discovery Date: December 26, 2025, around 01:40 AM
- Incident Date: December 26, 2025 (Discovery)
- Affected Organization: Oltenia Energy Complex (CEO)
- Sector: Energy/Utilities
- Geography: Romania
## Timeline of Events
### Initial Access
- **Date/Time:** December 26, 2025, prior to 01:40 AM
- **Vector:** Undisclosed (Initial access details not provided in the source)
- **Details:** Attackers successfully deployed ransomware, identified as "Gentlemen."
### Lateral Movement
- **Date/Time:** Between initial access and detection.
- **Details:** Not explicitly detailed, but the impact suggests successful movement leading to the encryption of multiple systems, including ERP, document management, email, and the company website.
### Data Exfiltration/Impact
- **Date/Time:** Ongoing during the incident lifecycle.
- **Details:** Documents and files were encrypted. Business IT infrastructure was compromised, leading to temporary unavailability of essential applications. The possibility of data exfiltration is currently under analysis.
### Detection & Response
- **Date/Time:** December 26, 2025, around 01:40 AM
- **Details:** The attack was identified by company personnel.
  - Affected systems were immediately isolated.
  - The incident was reported to the National Cyber Security Directorate (DNSC), the Ministry of Energy, and other competent authorities.
  - A criminal complaint was filed regarding illegal access to an IT system and alteration of IT data integrity.
  - IT specialists began rebuilding systems on new infrastructure using existing backups.
## Attack Methodology
The provided source describes the *impact* but does not detail the tactics, techniques and procedures (TTPs) used by the attackers, beyond the successful execution of encryption.
- **Initial Access:** Undisclosed.
- **Persistence:** Unknown.
- **Privilege Escalation:** Unknown.
- **Defense Evasion:** Unknown.
- **Credential Access:** Unknown.
- **Discovery:** Unknown.
- **Lateral Movement:** Unknown, though evidenced by widespread application/data encryption.
- **Collection:** Status of data collection (exfiltration) is currently under investigation.
- **Exfiltration:** Potential, currently being analyzed.
- **Impact:** Encryption of business documents and files, leading to temporary loss of access to ERP, document management, email, and website services.
## Impact Assessment
- **Financial:** Not disclosed, but recovery efforts involve rebuilding systems on new infrastructure.
- **Data Breach:** Whether customer or other sensitive data was breached is still under analysis (the company states that "the existence of a possible data exfiltration" is being analyzed). Business documents were encrypted.
- **Operational:** Partial disruption of business activity. Core operational continuity for the National Energy System was **not** endangered.
- **Reputational:** Public notification issued by the company on Saturday (following the Dec 26 discovery).
## Indicators of Compromise
No specific network addresses, file hashes, or domain names were provided in the source article.
## Response Actions
- **Containment:** Immediate isolation of affected IT systems upon discovery.
- **Eradication:** Rebuilding affected systems on new infrastructure.
- **Recovery:** Utilization of existing backup copies to restore services.
## Lessons Learned
- **Business Continuity:** Robust, segmented backups proved critical: they allowed recovery efforts to focus on rebuilding infrastructure rather than on negotiating a ransom payment.
- **Criticality Management:** Despite the compromise of business systems, critical infrastructure management (National Energy System) remained secure and operational.
- **Reporting & Legal:** Swift reporting to national cybersecurity and energy authorities, alongside filing a criminal complaint, was prioritized.
## Recommendations
1. **Threat Intelligence:** Identify the specific variant or campaign associated with the "Gentlemen" ransomware to proactively search for known TTPs and IOCs in the broader infrastructure.
2. **System Segmentation:** Review and enhance network segmentation between critical operational technology (OT) environments and business IT infrastructure to ensure future business system compromises cannot migrate to essential energy control systems.
3. **Backup Integrity Verification:** Thoroughly validate the integrity and recency of all backups utilized for the restoration process to ensure a clean recovery environment.
4. **MFA & Patch Management:** Review and strengthen authentication mechanisms (MFA) and patch management across all external-facing and internal enterprise services to mitigate common initial access vectors. (General recommendation based on typical ransomware vectors; the source does not identify the vector used here.)