Cyber Incident Victim: Rompetrol

Date:

Mar 2022

Location:

Romania

Summary

Rompetrol, a major Romanian petroleum provider, suffered a ransomware attack attributed to the Hive group. The company took its public websites and its Fill&Go payment service offline, while its gas stations kept operating on cash and bank-card payments. The intrusion reached internal IT systems, including those at its main refinery, but refinery operations were not affected. Hive demanded a multi-million dollar ransom for a decryptor and for a promise not to leak data it claimed to have taken; the company brought in the national cybersecurity authority to assist. Most IT services were disrupted, but email remained functional throughout the incident.

CIA Posture: available to members

Motives: 1 motive

Tactics, Techniques & Procedures: 1 technique

Threat Actor: 1 actor

Type: available to members

Location: available to members

Description

On March 6, 2022, Romania's Rompetrol gas station network, a subsidiary of KMG International, suffered a significant ransomware attack, detected at approximately 21:00 local time. The Hive ransomware gang claimed responsibility for the intrusion, which disrupted most of the company's IT infrastructure. Rompetrol publicly acknowledged the incident the following day, describing it as a "complex cyberattack" that required the immediate shutdown of its public-facing websites and of the Fill&Go mobile payment application used by both fleet operators and private customers at its gas stations. The attack compromised internal IT systems, including those at the Petromidia Navodari refinery (Romania's largest oil refinery, with an annual processing capacity exceeding five million tons), though refinery operations themselves were unaffected. KMG International, which operates in 15 countries across Europe, Central Asia, and North Africa, engaged Romania's National Directorate of Cyber Security (DNSC) to assist with remediation. Despite the IT service disruptions, Rompetrol kept its gas stations running normally by restricting payments to cash and bank-card transactions.


The company's email (Microsoft Outlook) continued to function during the incident. Hive demanded a $2 million payment in exchange for a decryptor and a promise not to leak the data it claimed to have stolen. Rompetrol prioritized data protection by proactively isolating affected systems, including its web platforms and the Fill&Go service. Separately, KMG had already announced a planned maintenance shutdown of the Petromidia refinery between March 11 and April 3, part of a routine four-year maintenance cycle and unrelated to the cyberattack. No operational technology disruptions or safety incidents at the refinery were reported. The FBI had previously warned that Hive's tactics vary from intrusion to intrusion, which complicates defending against the group. Rompetrol's incident response centred on containment through system isolation, collaboration with the national cybersecurity authority, and keeping fuel distribution running while IT capabilities were restored.

Sources

1 source (available to members)