
Major Cyberattack: Romania’s Electrica Group Targeted by Lynx Ransomware Operation


CyberSecureFox Editorial Team


Romania’s National Cyber Security Directorate (DNSC) has confirmed a ransomware attack targeting Electrica Group, the country’s largest energy distributor with over 3.8 million customers. The attack has been attributed to the Lynx ransomware group, which has been active since July 2024 and has a documented focus on energy sector targets.

Electrica’s SCADA Systems Unaffected: IT/OT Segmentation Holds

Electrica Group confirmed that critical operational systems were not compromised. Customer-facing services saw temporary disruptions while the company's protective measures were in effect, but the SCADA systems that manage the power distribution network remained fully operational and unaffected. Containing the attack within IT systems, away from the OT infrastructure, reflects effective network segmentation.

Technical Analysis of the Lynx Ransomware Group

The Center for Internet Security has identified Lynx as an emerging threat actor with a particular focus on energy sector targets — more than 25% of their 78 documented attacks targeted energy, oil, and gas companies. Technical analysis suggests potential connections to the INC Ransom malware family, whose source code was previously sold on dark web forums for $300,000. The DNSC published YARA rules to help organizations detect Lynx indicators of compromise, available through CISA and partner national CERTs.

Eastern European Energy Sector Faces Heightened Lynx Risk

The 3.8 million Electrica customers across Romania face potential service disruption risk if the attack expands beyond IT systems. Energy sector organizations across Eastern Europe — including utilities, grid operators, and oil and gas companies — are at heightened risk given Lynx’s documented targeting pattern. Suppliers and contractors with network access to affected energy companies should also assess their exposure, as supply chain connections can be leveraged for lateral movement.

Security Response and Mitigation Strategies

The DNSC actively coordinated the incident response and published detection rules for Lynx. Do not pay ransoms — this does not guarantee data recovery and directly funds further criminal operations. Organizations in the energy sector should treat this as a sector-wide threat signal and review their OT/IT segmentation immediately.

Priority Actions for Energy Operators After the Electrica Incident

  • Review and test network segmentation between OT (SCADA/ICS) and corporate IT networks — the Electrica incident showed that proper segmentation contained the damage.
  • Implement and test offline backups for both IT and critical OT configuration data, ensuring backups cannot be reached from the corporate network.
  • Deploy the DNSC-published YARA rules for Lynx ransomware detection in your SIEM or EDR platform.
  • Conduct phishing simulation exercises targeting financial and regulatory compliance themes, which Lynx uses as lures.
  • Verify incident response plans include specific procedures for ransomware scenarios affecting energy infrastructure.
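The segmentation review in the first action above can be made concrete by auditing firewall policy for any rule that lets corporate IT reach OT networks from somewhere other than a sanctioned jump host. The following is an added example, not code from the article, DNSC or Electrica; the rule syntax, subnets, jump host and ports are constructed for illustration.

```python
import ipaddress

# Constructed firewall policy in a simple "action src -> dst service" form.
# Subnets, hosts and ports are hypothetical; they illustrate the IT/OT review
# the article recommends, not any real operator's configuration.
SAMPLE_RULES = """
allow 10.10.0.0/16 -> 10.10.0.0/16 any
allow 10.10.5.20/32 -> 10.50.0.0/16 tcp/22
allow 10.10.0.0/16 -> 10.50.0.0/16 tcp/502
allow 10.50.0.0/16 -> 10.50.0.0/16 any
allow 10.10.0.0/16 -> 0.0.0.0/0 tcp/445
deny any -> any any
"""

IT_NETS = [ipaddress.ip_network("10.10.0.0/16")]      # corporate IT (hypothetical)
OT_NETS = [ipaddress.ip_network("10.50.0.0/16")]      # SCADA/ICS (hypothetical)
JUMP_HOSTS = [ipaddress.ip_network("10.10.5.20/32")]  # the only sanctioned IT->OT path

def _net(token: str) -> ipaddress.IPv4Network:
    """Map the 'any' keyword to 0.0.0.0/0, otherwise parse the CIDR."""
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token)

def _parse(text: str):
    """Yield (action, src_net, dst_net, service) for each non-empty rule line."""
    for line in text.strip().splitlines():
        action, src, _arrow, dst, svc = line.split()
        yield action, _net(src), _net(dst), svc

def _overlaps(net, nets) -> bool:
    return any(net.overlaps(n) for n in nets)

def audit_it_to_ot(rules_text: str) -> list[str]:
    """Return every allow rule whose source touches IT and whose destination
    touches OT, unless the source lies entirely inside the jump-host set.
    Rule ordering is deliberately ignored: each such rule deserves review."""
    findings = []
    for action, src, dst, svc in _parse(rules_text):
        if action != "allow":
            continue
        if not (_overlaps(src, IT_NETS) and _overlaps(dst, OT_NETS)):
            continue
        if any(src.subnet_of(j) for j in JUMP_HOSTS):
            continue  # expected, brokered path
        findings.append(f"allow {src} -> {dst} {svc}")
    return findings

if __name__ == "__main__":
    for f in audit_it_to_ot(SAMPLE_RULES):
        print("REVIEW:", f)
```

Rules with a destination of 0.0.0.0/0 are flagged too, since a broad outbound allow from IT silently includes the OT ranges.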
