In the closing days of 2025, a stark reminder emerged of the escalating ransomware threat facing critical infrastructure in the energy sector: Romania’s largest coal-based energy producer, Complexul Energetic Oltenia (CEO), fell victim to a ransomware attack by the emerging “Gentlemen” group on December 26. The attack encrypted files and disrupted key administrative systems, yet crucially spared operational technology and national grid stability. It underscores a troubling trend: ransomware operators are increasingly targeting the energy sector, drawn by the potential for massive disruption and high ransom payouts.

What Happened in Romania?

Complexul Energetic Oltenia, a state-owned giant employing over 19,000 people and supplying roughly 30% of Romania’s electricity through four major power plants, detected the attack in the early hours of December 26, 2025. The Gentlemen ransomware encrypted files (appending the .7mtzhh extension) and disrupted key business systems, including ERP, document management, email, and the company website. Fortunately, operational technology (OT) systems controlling power generation remained isolated and unaffected, preventing any blackout or threat to the National Energy System.

CEO’s IT teams quickly responded by rebuilding affected systems from backups on new infrastructure. The company reported the incident to authorities, including the National Cyber Security Directorate (DNSC) and prosecutors (DIICOT), and is assessing potential data exfiltration.

Notably, CEO has not yet appeared on the Gentlemen’s dark web leak site—suggesting negotiations may be underway or that the group is holding back for leverage.

This attack follows a pattern in Romania: recent ransomware attacks have hit water authorities, hospitals, and even another energy distributor (Electrica Group, in 2024, by the Lynx gang).

Who Are “The Gentlemen”?

Emerging in mid-2025 (first observed around July-August), The Gentlemen are a sophisticated Ransomware-as-a-Service (RaaS) operation that has rapidly scaled.

Researchers from Trend Micro, Cybereason, and others describe them as highly adaptive, using:

  • Compromised credentials and exposed services for initial access
  • Custom evasion tools to disable antivirus and endpoint protections
  • Living-off-the-land techniques for persistence
  • Dual extortion: encryption + data theft/threatened leaks

They’ve claimed nearly 50 victims in just months, targeting manufacturing, healthcare, construction, and now energy—across 17+ countries.

Their professionalism suggests either experienced operators rebranding or a well-funded new entrant, making energy sector ransomware a growing concern for global infrastructure.

The Bigger Picture: Energy Sector Ransomware Under Siege

The energy sector is a prime target for ransomware in 2024-2025:

  • Trustwave reported an 80% increase in attacks on energy/utilities in 2024 vs. 2023.
  • Sophos found 67% of energy/oil/gas organizations hit by ransomware in 2024, with average recovery costs exceeding $3 million.
  • Globally, half of 2025’s ransomware incidents (through Q3) targeted critical sectors, including energy.
  • High-profile cases include Halliburton (RansomHub, 2024) and ongoing threats to nuclear/oil & gas facilities.

Why energy? Disruption potential is enormous—blackouts, supply chain chaos, and national security implications make victims more likely to pay, fueling the rise of energy sector ransomware worldwide.

How to Protect Your Organization

At Black Belt Secure, we specialize in defending critical infrastructure from exactly these threats, including energy sector ransomware. Key recommendations:

  1. Segment Networks: Strictly isolate OT from IT to prevent lateral movement (as CEO successfully did).
  2. Robust Backups: Offline, immutable backups enabled quick recovery here—test them regularly.
  3. Multi-Factor Authentication & Zero Trust: Block access with compromised credentials, the Gentlemen’s preferred entry.
  4. Endpoint Detection & Response (EDR): Detect evasion tactics early.
  5. Incident Response Planning: Prepare, drill, and partner with experts.
  6. Threat Intelligence: Monitor emerging groups like Gentlemen to stay ahead of energy sector ransomware trends.
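
One way to surface mass-encryption activity early (recommendation 4), as an added example rather than code from this post or from any vendor product: it scans file-rename events for the appended .7mtzhh extension reported above and for bursts of files on one host gaining the same unfamiliar extension. The log format, host names, paths, threshold and the .qzx9k1 extension are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

KNOWN_EXTS = {".7mtzhh"}  # extension appended in the CEO incident, per the article

def parse(line):
    """Parse 'ISO_TIME HOST OP old -> new' (constructed log format, an assumption)."""
    ts, host, op, rest = line.split(" ", 3)
    old, new = rest.split(" -> ")
    return datetime.fromisoformat(ts), host, op, old, new

def appended_ext(old, new):
    """Return the lower-cased suffix if new == old + '.<alnum>', else None."""
    suffix = new[len(old):]
    if new.startswith(old) and suffix.startswith(".") and suffix[1:].isalnum():
        return suffix.lower()
    return None

def detect(lines, window=timedelta(seconds=60), threshold=5):
    """Return sorted (host, ext, reason) alerts; lines must be in time order."""
    recent = defaultdict(deque)  # (host, ext) -> rename timestamps inside the window
    alerts = {}
    for line in lines:
        ts, host, op, old, new = parse(line)
        ext = appended_ext(old, new) if op == "RENAME" else None
        if ext is None:
            continue  # ordinary rename or other operation
        if ext in KNOWN_EXTS:
            alerts.setdefault((host, ext), "known-extension")
        q = recent[(host, ext)]
        q.append(ts)
        while ts - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.setdefault((host, ext), "rename-burst")
    return sorted((h, e, r) for (h, e), r in alerts.items())

# Constructed sample events (not real telemetry): a burst on fs01, one hit on the
# known extension on ws07, and benign backup/rename activity on ws12.
SAMPLE = [f"2025-12-26T03:10:{s:02d} fs01 RENAME D:\\fin\\inv{s}.xlsx -> "
          f"D:\\fin\\inv{s}.xlsx.qzx9k1" for s in range(0, 30, 5)] + [
    "2025-12-26T03:12:00 ws07 RENAME C:\\docs\\plan.pdf -> C:\\docs\\plan.pdf.7mtzhh",
    "2025-12-26T08:00:00 ws12 RENAME C:\\tmp\\a.cfg -> C:\\tmp\\a.cfg.bak",
    "2025-12-26T08:10:00 ws12 RENAME C:\\tmp\\b.cfg -> C:\\tmp\\b.cfg.bak",
    "2025-12-26T08:11:00 ws12 RENAME C:\\docs\\report.docx -> C:\\docs\\report_final.docx",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The burst rule catches an extension that no threat feed has listed yet, which matters because the appended extension can differ from one incident to the next.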

Don’t wait for the ransom note. The energy sector isn’t just a target—it’s a battlefield.

If you’re in energy or critical infrastructure, contact us at https://blackbeltsecure.com for a security assessment. Let’s harden your defenses before the next “gentleman” knocks.

Stay secure,

The Black Belt Secure Team