Ransomware · Resolved

Rompetrol Hive ransomware attack

The Hive ransomware gang hit Rompetrol, operator of Romania's largest oil refinery Petromidia, demanding a $2 million ransom and knocking out the Fill&Go payment service and corporate websites while refinery operations continued.

Victim
Rompetrol (KMG International)

On the evening of 6 March 2022, Rompetrol — the Romanian arm of Kazakh state oil major KMG International and operator of Petromidia Navodari, Romania's largest oil refinery — was hit by a ransomware attack. The Hive ransomware gang claimed responsibility and demanded a $2 million ransom, in one of the most significant strikes against Romanian critical energy infrastructure.

What happened

The attack was detected around 21:00 local time and quickly knocked out most of Rompetrol's IT services. The company's corporate websites (both KMG and Rompetrol) went offline, and the Fill&Go automated fuel-payment service — used by both fleet customers and individual drivers at filling stations — became unavailable.

Rompetrol publicly described the incident as a "complex cyberattack." The attack was attributed to the Hive ransomware-as-a-service operation, which demanded $2 million in exchange for a decryptor and a promise not to publish stolen data. Hive's dark-web negotiation portal subsequently showed an entry for the rompetrol.org domain. The "no leak" component of the demand implies the group claimed to hold exfiltrated data, the standard double-extortion pattern, although the volume and nature of any stolen data were not publicly confirmed.

Impact

  • IT and digital services were widely disrupted: websites, the Fill&Go service, and internal systems.
  • Gas stations continued operating throughout, accepting cash and card payments manually.
  • The attackers reportedly reached the internal IT network of the Petromidia refinery, but refinery production continued — the company stated operations were not affected.
  • Petromidia processes more than five million tonnes of crude annually, supplying a large share of Romania's fuel.

Response

Rompetrol isolated affected systems and worked to restore services over the following days while declining to confirm whether any ransom was paid; there is no public evidence of payment. The reported outcome, refinery production continuing while corporate IT was crippled, is consistent with an effective separation between IT (business systems) and OT (refinery process control). Two caveats matter for energy operators drawing lessons from this: the attackers reportedly reached the refinery's internal IT network, so the boundary that held was the IT/OT one rather than the corporate perimeter, and a company statement that operations were unaffected is not by itself evidence that the segmentation was tested rather than simply not probed by the attackers.

Why it matters

The Rompetrol attack is a landmark national energy-sector case for two reasons. First, it showed that ransomware can reach the heart of critical fuel infrastructure while still being contained to business IT if OT segmentation holds. Second, coming weeks after Russia's invasion of Ukraine, it sharpened concern across South-East Europe about the exposure of energy operators to financially motivated and potentially state-adjacent threat groups. Hive itself was dismantled in a January 2023 FBI-led international operation, but the Rompetrol case remains a reference point for protecting refineries and fuel-distribution networks against extortion.
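The segmentation lesson drawn in the Response and Why it matters sections is only as good as the firewall policy that enforces it. As an added illustration (example code written for this page, not Rompetrol's or any vendor's, and not a description of Rompetrol's network), the following audits a rule set for the failure modes that erode an IT/OT boundary over time: business IT allowed straight to the control network, "any"-source rules into OT, any-port rules, and extra ports creeping into an otherwise legitimate DMZ-to-OT flow. The zone prefixes, permitted flows, ports and rule IDs are all constructed assumptions.

```python
"""Audit a firewall rule set for direct IT-to-OT exposure.

Added example for this incident write-up; it is not Rompetrol's code and
does not describe Rompetrol's actual network. Zone prefixes, permitted
flows and rule IDs below are constructed assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed Purdue-style zones: business IT, a brokering DMZ, and the
# refinery control network. Addressing is made up for the example.
ZONES = {
    "corp-it": [ipaddress.ip_network("10.10.0.0/16")],
    "it-ot-dmz": [ipaddress.ip_network("10.50.0.0/24")],
    "ot-control": [ipaddress.ip_network("192.168.100.0/24")],
}

# Permitted cross-zone flows: (src_zone, dst_zone) -> allowed TCP/UDP ports.
# There is deliberately no ("corp-it", "ot-control") entry: business IT
# must never reach controllers directly, only through the DMZ.
POLICY = {
    ("corp-it", "it-ot-dmz"): {443, 3389},     # historian web UI, jump host
    ("it-ot-dmz", "ot-control"): {4840, 502},  # OPC UA, Modbus/TCP
}


@dataclass(frozen=True)
class Rule:
    rid: str
    src: str                        # CIDR or "any"
    dst: str                        # CIDR or "any"
    ports: frozenset = frozenset()  # empty means "any port"
    action: str = "allow"


def zone_of(cidr: str) -> Optional[str]:
    """Map a CIDR to its zone; 'any' stays 'any'; unknown address -> None."""
    if cidr == "any":
        return "any"
    net = ipaddress.ip_network(cidr, strict=False)
    for zone, prefixes in ZONES.items():
        if any(net.subnet_of(p) for p in prefixes):
            return zone
    return None


def _expand(zone: Optional[str]) -> list:
    # "any" matches every zone; an unclassified address gets a sentinel.
    if zone == "any":
        return list(ZONES)
    return [zone if zone is not None else "unclassified"]


def audit_rules(rules) -> list:
    """Return (rule_id, reason) findings for allow rules that let traffic
    cross zones outside POLICY, on extra ports, or on any port."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        for sz in _expand(zone_of(r.src)):
            for dz in _expand(zone_of(r.dst)):
                if sz == dz:
                    continue  # intra-zone traffic is out of scope here
                if "unclassified" in (sz, dz):
                    findings.append((r.rid, f"unclassified address in {sz}->{dz}"))
                    continue
                allowed = POLICY.get((sz, dz))
                if allowed is None:
                    findings.append((r.rid, f"{sz}->{dz} has no permitted path"))
                elif not r.ports:
                    findings.append((r.rid, f"{sz}->{dz} allows any port"))
                elif not r.ports <= allowed:
                    extra = sorted(r.ports - allowed)
                    findings.append((r.rid, f"{sz}->{dz} extra ports {extra}"))
    return findings


# Constructed rule set, including the kind of "temporary" rules that
# quietly turn a segmented network into a flat one.
SAMPLE_RULES = [
    Rule("R1", "10.10.0.0/16", "10.50.0.10/32", frozenset({443})),
    Rule("R2", "10.50.0.10/32", "192.168.100.0/24", frozenset({4840})),
    Rule("R3", "10.10.5.0/24", "192.168.100.0/24", frozenset({4840})),   # IT straight to PLCs
    Rule("R4", "any", "192.168.100.50/32", frozenset({3389})),            # RDP into OT from anywhere
    Rule("R5", "10.10.0.0/16", "10.50.0.0/24"),                           # any port into the DMZ
    Rule("R6", "10.10.0.0/16", "192.168.100.0/24", action="deny"),
    Rule("R7", "10.50.0.10/32", "192.168.100.0/24", frozenset({4840, 22})),  # SSH crept in
]

if __name__ == "__main__":
    for rid, reason in audit_rules(SAMPLE_RULES):
        print(f"{rid}: {reason}")
```

Run against the constructed rules, the audit flags R3, R4, R5 and R7 and passes R1, R2 and the deny rule R6. In practice the rule list would be exported from the firewall and the zone map kept alongside the network documentation, so the check can run on every change rather than after an incident.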

Timeline

  1. Around 21:00 local time, Rompetrol detects a cyberattack affecting most of its IT services.

  2. The company confirms a "complex cyberattack" and temporarily suspends its websites and the Fill&Go fuel-payment service.

  3. The Hive ransomware gang is identified as responsible, demanding $2 million for a decryptor and to prevent a data leak.

  4. Hive lists Rompetrol on its dark-web negotiation site, with a data-leak threat attached to the demand; the Petromidia refinery keeps operating.

  5. Rompetrol progressively restores IT services; gas stations had continued operating on cash and card payments throughout.

Sources

  1. bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/rompetrol-gas-station-network-hit-by-hive-ransomware/
  2. therecord.media: https://therecord.media/hive-ransomware-gang-targets-romanian-oil-firm-in-its-latest-cyberattack
  3. romania-insider.com: https://www.romania-insider.com/petromidia-cyberattack-mar-2022
  4. cybernews.com: https://cybernews.com/news/romanian-gas-giant-hacked-and-held-to-ransom/
  5. heimdalsecurity.com: https://heimdalsecurity.com/blog/hive-ransomware-gang-impacts-rompetrol-gas-station-network/
