Hive ransomware gang targets Romanian oil firm in its latest cyberattack

Romania’s largest oil refinery proprietor, Rompetrol, confirmed Monday in a Facebook post that it was the target of a cyberattack, causing the company to shut down its websites and Fill&Go service.

The “complex cyberattack” — as Rompetrol’s parent company KMG International called it — is reportedly attributed to the Hive ransomware gang, which is requesting $2 million in return for the decryptor and safekeeping of the stolen data, according to Bleeping Computer, which first reported on the attack.

The ransomware group was first seen in June 2021 and was initially known for targeting healthcare systems. It has since infiltrated various other industries, including real estate and IT. Hive is one of the most aggressive ransomware groups, according to cybersecurity experts, and is known for using sophisticated tactics that manipulate a number of platforms like Windows, Linux, and EXSi hypervisors, rather than just one. 

A majority of the cyberattacks conducted by Hive, including this most recent one, follow a pattern where they first steal the original data within systems and then encrypt it. This way the gang can hold the leaked data and the decryptor at ransom. It is estimated that Hive targets three companies per day according to TechTarget.

“The consequences of the attack depend on a couple of things, whether Rompetrol has backups readily available and the type of data stolen during the ransomware attack,” said Allan Liska, a ransomware expert at Recorded Future. “Right now, the priority should be getting service restored to the pumps and ensuring the ransomware actor has been fully removed.”

Rompetrol oversees the oil refinery Petromidia Navodari, which can process upwards of five million tons of oil a year, making it the largest within the country. 

“As with most ransomware groups, stopping Hive will require a combination of law enforcement and individual organization action,” Liska added. “Law enforcement needs to track down the actors behind Hive and at least disable their infrastructure. In the meantime, organizations need to protect themselves from ransomware groups by following the best ransomware security precautions.”

Rompetrol did reassure its customers that the gas stations are functioning normally, and gas can be paid for in cash or with the use of a bank card. 

“We are constantly connected with Directoratul National de Securitate Cibernetica - DNSC and together we are making every effort to resolve the situation,” a company representative said in a Facebook statement. “For data protection, the company has temporarily stopped the operation of the Fill&Go websites and services, both for fleet and for individuals,” the statement reads. 

At this point in time, none of the Rompetrol websites can be accessed and the company did not respond to a request for comment, including inquiries about whether or not the ransom would be paid.