Rompetrol, a Romanian gas station chain and part of KMG International, has confirmed it was subject to a “complex cyber-attack”.
Following the attack, which was confirmed on 7 March 2022 in a company Facebook post, the company sought to mitigate the impact on data by suspending operations of its website and its Fill&Go service at its gas stations.
The company also noted that activity at the Petromidia refinery, the largest oil refinery in Europe and operated by Rompetrol, has not been affected, and that operations at its gas stations remain normal, with payment accepted by either cash or card.
Romania’s National Cyber Security Directorate (DNSC) had been notified on 7 March by Rompetrol of the complex cyber-attack.
The DNSC said in a statement: “The management team is in constant contact with the affected organization to remedy the problem, providing the necessary assistance in this case. We will come back with details.”
As of 9 March, the Rompetrol.ro website remains unreachable.
Ransomware-as-a-Service
According to BleepingComputer, the Hive ransomware gang was behind the attack and is asking for a multi-million dollar ransom.
The Hive ransomware group operates a ransomware-as-a-service (RaaS) model. Under RaaS, threat actors use already-developed ransomware tools and services to carry out attacks; it is an area that continues to thrive and enables threat actors to scale like never before. In addition, it allows less technically minded cyber-criminals to deploy ransomware.
According to cyber intelligence company Group-IB, the Hive ransomware group used to take a back seat in terms of its activity. This was until November 2021, when Europe’s largest consumer electronics retailer, Media Markt, fell prey to a ransomware attack which saw reports of an initial $240 million ransom.
Group-IB said one of the main factors behind the rise of Hive is the use of the double extortion technique based on data leak sites (DLS), the active development of the RaaS program market, as well as the increasing popularity of ransomware programs among financially motivated cybercriminals who used to have to rely on more difficult ways to make money.
The company added that the Hive affiliates have been busy and the actual number of victims since around October 2021 is likely in the hundreds.
In a blog post, KnowBe4 says that because Hive attacks traditionally use spear phishing as their initial attack vector, there is a way to prevent a Hive hit. The company says that effective security awareness training may go some way to thwart the phishing attacks that use social engineering tactics to trick victims into engaging with malicious loaders.