Rompetrol gas station network hit by Hive ransomware

Romania's Rompetrol gas station network has been hit by a ransomware attack.

A subsidiary of KMG International, Rompetrol announced today that it is dealing with a "complex cyberattack" that forced it to shut down its websites and the Fill&Go service at gas stations.

'Fill&Go' gas station service, websites down

Today, Romania's petroleum provider Rompetrol has announced that it is battling a "complex cyberattack."

BleepingComputer has learned that Hive ransomware gang is behind this attack, and they're asking for a multi-million ransom.

Rompetrol is the operator of Romania's largest oil refinery, Petromidia Navodari, which has a processing capacity of over five million tons per year.

As one of the largest oil companies, KMG International operates in fifteen countries throughout Europe, Central Asia, and North Africa. KMG's primary activities involve refining, marketing, trading, production, and oil industry services like drilling, EPCM, and transportation.

"During this night, Rompetrol faced a complex cyberattack," announced the subsidiary today in a Facebook post seen by BleepingComputer:

BleepingComputer also observed both KMG and Rompetrol websites are not reachable as of today and the Fill&Go application is no longer working. We learned though, that the company's email system (Microsoft Outlook) remains functional.

KMG has already notified the Romanian National Directorate of Cyber Security (DNSC) who is in constant contact with the organization to remedy the problem and provide the necessary assistance.

"To protect the data, the company has temporarily suspended the operation of the websites and the Fill&Go service, both for the fleets and for the private customers," states the petroleum provider.

"The activity of Rompetrol gas stations is carried out normally, the customers having at their disposal the option of payment in cash or by bank card."

According to an anonymous tip to BleepingComputer, the threat actor also reached the internal IT network of the Petromidia refinery.

But, Rompetrol states, the operations at the Petromidia refinery are not affected.

In an email to employees, the company said that the attack was detected at 21:00 hours (local time) on Sunday and that it affected "most of the IT services."

Hive demands $2 million ransom

BleepingComputer has learned that Hive Ransomware gang is behind the attack on KMG subsidiary Rompetrol.

We have also learned that Hive is demanding a $2 million ransom from Rompetrol to receive a decryptor and not to leak allegedly stolen data.

The Hive ransomware gang is more active and aggressive than its leak site shows, with affiliates attacking an average of three companies every day since the operation became known in late June 2021.

The group is known to employ a diverse set of tactics, techniques, and procedures, which makes it difficult for organizations to defend against its attacks, as the FBI has earlier stated.

Hive's last year attack on Memorial Health System led to the cancellation of surgical and diagnostic operations, and patient data theft.

Before the attack, KMG had announced over the weekend that Rompetrol Rafinare would suspend its operations between March 11 and April 3, as part of planned maintenance:

"The technological shutdown is a necessity for the good functioning of the refinery units and is part of the general strategy of the Group, through which a precise calendar of activities has been established, with general turnarounds carried out every 4 years and technological shutdowns scheduled every 2 years," KMG had earlier said.