article featured image


Rompetrol is the operator of Petromidia Navodari, the largest oil refinery in Romania, with a processing capacity of more than five million tons annually.

It looks like a ransomware attack hit the Rompetrol gas station network, with the KMG International’s subsidiary declaring that it is fighting a “complex cyberattack.”

KMG International is one of the world’s largest oil companies, with operations in fifteen countries across Europe, Central Asia, and North Africa. Refining, marketing, trading, production, and oil industry services such as drilling, EPCM, and transportation are among KMG’s main activities.

Following the attack, the petroleum provider was forced to shut down its websites and the Fill&Go service at gas stations.

Who Did It?

As per BleepingComputer, the attackers behind the Rompetrol incident are members of the Hive ransomware organization and have demanded a multi-million dollar ransom.


As of yesterday, both the KMG and Rompetrol websites are not reachable, and the Fill&Go app is no longer functional. The company’s email system (Microsoft Outlook) is, however, still up and running.

KMG has already informed the Romanian National Directorate of Cyber Security (DNSC), which is working with the company to resolve the issue and provide the necessary support.

To protect the data, the company has temporarily suspended the operation of the websites and the Fill&Go service, both for the fleets and for the private customers.

The activity of Rompetrol gas stations is carried out normally, the customers having at their disposal the option of payment in cash or by bank card.


According to an anonymous tip to BleepingComputer, the attackers have also gained access to the Petromidia refinery’s internal IT network, but Rompetrol claims that the refinery’s operations are unaffected.

The company stated in an email to employees that the cyberattack was observed at 21:00 hours (local time) on Sunday and that it impacted “most of the IT services.”

What’s In for Hive Ransomware?

It seems that the Hive Ransomware gang is behind the attack on KMG subsidiary Rompetrol with the threat actor now demanding a $2 million ransom from the petroleum provider in exchange for a decryptor and the promise not to leak allegedly stolen information.


More on Hive Ransomware

According to the FBI, the Hive ransomware group uses a wide range of strategies, techniques, and procedures, making it extremely difficult for businesses to protect against its attacks.

Security researchers who gathered data from Hive’s administrator panel showed that affiliates of the Hive ransomware group managed to breach in more than 4 months over 350 organizations.

Prior to the attack, KMG announced over the weekend that Rompetrol Rafinare would be closed from March 11 to April 3 for a scheduled technological turnaround.

The technological shutdown is a necessity for the good functioning of the refinery units and is part of the general strategy of the Group, through which a precise calendar of activities has been established, with general turnarounds carried out every 4 years and technological shutdowns scheduled every 2 years.

If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

Author Profile

Antonia Din

PR & Video Content Manager

linkedin icon

As a Senior Content Writer and Video Content Creator specializing in cybersecurity, I leverage digital media to unravel and clarify complex cybersecurity concepts and emerging trends. With my extensive knowledge in the field, I create content that engages a diverse audience, from cybersecurity novices to experienced experts. My approach is to create a nexus of understanding, taking technical security topics and transforming them into accessible, relatable knowledge for anyone interested in strengthening their security posture.

Leave a Reply

Your email address will not be published. Required fields are marked *

Protect your business by doing more with less

Book a Demo