Romania’s Oltenia Energy Complex suffers major ransomware attack
2025-12-29 21:30:44 Author: securityaffairs.com

Pierluigi Paganini December 29, 2025

A ransomware attack hit Romania’s Oltenia Energy Complex on December 26, knocking out IT systems at the country’s largest coal power producer.

A ransomware attack disrupted Oltenia Energy Complex, Romania’s largest coal-based power producer, shutting down its IT systems on December 26.

The Oltenia Energy Complex (CE Oltenia) is Romania’s leading state-controlled lignite mining and coal-fired power producer, operating 12 units with 3,570 MW capacity across the Rovinari, Turceni, and Craiova plants, plus 15 open-pit mines yielding ~15-18 Mt annually. It employs around 10,000 workers (down from 15,000), serves wholesale/retail electricity markets (est. hundreds of thousands to low millions of customers), and generated ~€940M revenue in 2017 with recent profitability amid restructuring. Facing the EU green transition, it invests €1.4B in PV and gas, ensuring baseload security.

On December 26, 2025, the company detected a Gentlemen ransomware attack that encrypted documents and disrupted key IT systems, including ERP, email and the website. Operations were partially affected, but the Romanian energy provider highlighted that the national energy supply remained safe. Oltenia Energy Complex isolated the impacted systems and notified the relevant authorities, including the National Directorate of Cyber Security, the Ministry of Energy

IT teams began restoring services from backups on new infrastructure, while the scope of the incident and any data leak are still under investigation.

“On December 26, 2025, around 01:40, a ransomware type computer attack, called “Gentlemen”, was identified, which affected the IT business infrastructure of the Oltenia Energy Complex Society.” reads the statement published by the company.

“Following the attack, some documents and files have been encrypted, and several computer applications have become temporarily unavailable, including ERP systems, document management applications, email service and the company website. The company’s activity was partially affected, without endangering the functioning of the National Energy System.”

The company is investigating the incident to determine the scope and the exact extent of the security breach. It’s unclear if threat actors have stolen data from the Oltenia Energy Complex.

The company also filed a criminal complaint with DIICOT (Directorate for Investigating Organized Crime and Terrorism).

At the time of this writing, the Gentlemen ransomware group has yet to add the Romanian energy firm to its Tor data leak site, a circumstance that suggests an ongoing negotiation.

Recently, Romanian Waters (Administrația Națională Apele Române), the country’s water management authority, suffered a ransomware attack.

According to the National Cyber Security Directorate (DNSC), the incident affected around 1,000 computer systems across the central organization and 10 of its 11 regional offices. The attack disrupted IT assets, including GIS servers, databases, email and web services, Windows workstations, and domain name servers.

Authorities stressed that operational technology (OT) systems managing water infrastructure were not impacted, and water operations continue to function normally.

Government experts who are investigating the incident confirmed that threat actors used Windows BitLocker to encrypt systems and issued a ransom note demanding contact within seven days. However, at this time, the attack vector has not yet been identified.

Source: https://securityaffairs.com/186290/cyber-crime/romanias-oltenia-energy-complex-suffers-major-ransomware-attack.html