
Cyberattack on Oltenia Energy Complex: Understanding the Gentlemen Ransomware Threat

In late December 2025, Romania’s largest coal-based energy producer, Complexul Energetic Oltenia (CEO), became the target of a sophisticated cyberattack, highlighting the growing threat ransomware poses to critical infrastructure worldwide.

What Happened?

On December 26, 2025, CEO suffered a ransomware attack that disrupted its business IT infrastructure. The attack, attributed to the Gentlemen ransomware group, temporarily affected:

  • ERP systems and document management platforms
  • Company email services
  • The official corporate website

Despite these disruptions, the national energy system remained stable, and electricity production was not endangered. The attack primarily impacted internal administrative and business processes, not operational control systems.

Response and Investigation

CEO acted swiftly:

  • Affected systems were isolated to prevent the spread of malware.
  • Authorities, including Romania’s National Directorate of Cybersecurity, the Ministry of Energy, and DIICOT (the cybercrime and organized crime investigation unit), were notified.
  • IT teams began rebuilding systems from secure backups, avoiding ransom payments.

The investigation is ongoing to determine whether any sensitive data was exfiltrated before encryption. This incident was part of a broader wave of cyberattacks targeting Romanian critical infrastructure during the holiday period, including attacks on the National Water Authority.

Understanding Gentlemen Ransomware

The Gentlemen ransomware group first emerged in mid-2025 and is considered a highly professional and evolving threat.

How It Operates

Gentlemen uses a dual-extortion strategy:

  • Data Theft: Sensitive files are exfiltrated.
  • File Encryption: Critical documents are encrypted, often with strong algorithms like XChaCha20 and Curve25519.
  • Public Threat: Victims are warned that stolen data may be published if ransom demands are not met.

Its attack chain includes:

  • Initial Access: Exploiting exposed services or weak credentials.
  • Lateral Movement: Using tools like PsExec, WMI, and PowerShell to navigate networks.
  • Defense Evasion: Disabling security tools and leveraging vulnerable signed drivers for kernel-level execution.
  • Persistence: Registry changes, scheduled tasks, and legitimate remote access tools.
  • Anti-Forensics: Clearing logs and shadow copies to hinder investigations.

Victims receive ransom notes, often named README-GENTLEMEN.txt, and encrypted files may carry distinctive extensions like .7mtzhh.
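The tactics above and the two file-based indicators (the ransom note name and the encrypted-file extension) translate directly into detection logic. The following is an added example, not code from the article or from any analysis of the group's tooling: a small triage script that runs behaviour rules over Windows Security events and an indicator sweep over file paths, then summarises per host which tactic categories fired. The Event IDs (4688 process creation, 4697 service installation, 4698 scheduled task created, 1102 audit log cleared) are standard Windows Security log IDs; the host names, event records and file paths are constructed for the demo, and the rule logic is deliberately simple so it can be read in one pass.

```python
import re

RANSOM_NOTE = "README-GENTLEMEN.txt"   # ransom note name cited in the article
ENCRYPTED_EXT = ".7mtzhh"              # encrypted-file extension cited in the article

# Constructed sample Security events, shaped like what an EDR or SIEM forwards.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Host": "fin-srv01",
     "NewProcessName": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"EventID": 4697, "Host": "fin-srv01", "ServiceName": "PSEXESVC",
     "ServiceFileName": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 4698, "Host": "fin-srv01", "TaskName": r"\Updater",
     "CommandLine": r"powershell.exe -w hidden -File C:\Users\Public\run.ps1"},
    {"EventID": 1102, "Host": "fin-srv01", "SubjectUserName": "svc_backup"},
    {"EventID": 4688, "Host": "hr-ws22",
     "NewProcessName": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
]

# Constructed sample file paths as a post-incident file-share inventory might list them.
SAMPLE_PATHS = [
    r"\\fin-srv01\share\invoices\2025-Q4.xlsx.7mtzhh",
    r"\\fin-srv01\share\invoices\README-GENTLEMEN.txt",
    r"\\fin-srv01\share\contracts\vendor.docx.7mtzhh",
    r"\\hr-ws22\c$\Users\alice\notes.txt",
]

# Behaviour rules, each mapped to the tactic category from the article's attack chain.
RULES = [
    ("shadow_copy_deletion", "Anti-Forensics",
     lambda e: e["EventID"] == 4688 and bool(re.search(
         r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete",
         e.get("CommandLine", ""), re.I))),
    ("security_log_cleared", "Anti-Forensics",
     lambda e: e["EventID"] == 1102),
    ("psexec_service_install", "Lateral Movement",
     lambda e: e["EventID"] == 4697 and e.get("ServiceName", "").upper() == "PSEXESVC"),
    ("scheduled_task_created", "Persistence",
     lambda e: e["EventID"] == 4698),
]


def detect_events(events):
    """Run every rule over every event; return one hit per (event, rule) match, in input order."""
    hits = []
    for e in events:
        for rule, tactic, pred in RULES:
            if pred(e):
                hits.append({"host": e["Host"], "rule": rule, "tactic": tactic})
    return hits


def scan_paths(paths):
    """Classify paths into ransom notes and encrypted files using the article's indicators.

    Matching is case-insensitive on the final path component and accepts UNC or local paths."""
    notes, encrypted = [], []
    for p in paths:
        name = p.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name == RANSOM_NOTE.lower():
            notes.append(p)
        elif name.endswith(ENCRYPTED_EXT):
            encrypted.append(p)
    return {"ransom_notes": notes, "encrypted_files": encrypted}


def triage(events, paths):
    """Per-host summary of which tactics fired, plus the file-based indicators found."""
    per_host = {}
    for h in detect_events(events):
        entry = per_host.setdefault(h["host"], {"tactics": set(), "rules": []})
        entry["tactics"].add(h["tactic"])
        entry["rules"].append(h["rule"])
    for entry in per_host.values():
        entry["tactics"] = sorted(entry["tactics"])
        # A host showing both anti-forensics and lateral-movement signals is the first to isolate:
        # logs are being destroyed on a machine that is also reaching out to others.
        entry["isolate_first"] = {"Anti-Forensics", "Lateral Movement"} <= set(entry["tactics"])
    return {"hosts": per_host, "files": scan_paths(paths)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS, SAMPLE_PATHS), indent=2))
```

Run stand-alone, the script reports that fin-srv01 triggered all three tactic categories and is flagged for immediate isolation, while hr-ws22 produced no hits; the file sweep returns one ransom note and two encrypted files. In a real deployment the same rules would be expressed in the SIEM's query language and fed from forwarded event logs rather than an in-memory list, and the indicator sweep would walk the file shares rather than a constructed path list.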

Who is Behind Gentlemen?

Gentlemen appears to operate as a Ransomware-as-a-Service (RaaS):

  • Developers provide the ransomware to affiliates who conduct attacks.
  • Known aliases like “Zeta88” have been linked to the group on underground forums.

While analysts suspect potential Eastern European or CIS connections, there is no verified attribution to any nation-state or formal criminal syndicate. The group targets a wide range of industries, including healthcare, manufacturing, construction, insurance, and critical infrastructure, spanning at least 17 countries.

Lessons for Organizations

The CEO attack underscores the need for robust cybersecurity practices, especially for critical infrastructure:

  • Regular, isolated backups of all important data
  • Network segmentation and access control
  • Endpoint detection and response (EDR) systems
  • Multi-factor authentication and strong credential management
  • Proactive monitoring for lateral movement and abnormal activity

Even the threat posed by sophisticated groups like Gentlemen can be mitigated with preparation, rapid response, and strong cybersecurity hygiene.

Conclusion

The December 2025 cyberattack on Oltenia Energy Complex demonstrates that even non-operational IT systems in critical industries can be severely impacted by ransomware. While electricity production remained safe, the incident serves as a stark reminder: cybersecurity is not optional; it is essential for both business continuity and national infrastructure security.