█ Ransomware DISTRIGAZ-VEST-INC 2026-05-30

Distrigaz Vest: INC Ransom Ransomware Attack

On May 27, 2026, the INC Ransom ransomware group posted a claim on its dark web leak site alleging a successful intrusion against Distrigaz Vest S.A., an independent natural gas distributor headquartered in Oradea, Romania. The threat actor claims to have exfiltrated approximately 100GB of sensitive corporate and customer data. The claim remains unverified by Yazoul Security, and Distrigaz Vest has not issued a public statement at the time of writing.

What Happened

INC Ransom listed Distrigaz Vest S.A. on its dark web leak site, alleging unauthorized access to the company's internal environment and the theft of roughly 100GB of data. The post advertises broad access to confidential documents, client records, NDAs, financial records, operational data, corporate agreements, and development files. The actor further claims to have obtained "all clients" and "all transactions," implying access to core business systems. Notably, the post references specific 2024 fiscal figures, including a turnover of RON 86.53 million and net profit of RON 9.89 million, lending some surface credibility to the claim that internal financial reporting was accessed. As is standard with leak site postings, the claim is part of a double-extortion play designed to pressure Distrigaz Vest into negotiating before any data is published.

What Was Taken

According to the INC Ransom post, the alleged data set totals approximately 100GB and includes:

If the claim is accurate, the breach would expose customer identities, contractual relationships with partners and counterparties, and operationally sensitive information about a regulated gas distribution operator. Ransomware groups frequently exaggerate the scale and sensitivity of stolen data, so volume and category claims should be treated cautiously until samples or proof packs are released.

Why It Matters

Distrigaz Vest operates as a regional natural gas distributor in Romania, placing this incident squarely within the energy sector, a category of critical infrastructure that INC Ransom has repeatedly targeted alongside healthcare and manufacturing. A successful intrusion against an energy distributor carries implications beyond financial loss: exposure of operational data, customer billing systems, and partner agreements can erode trust, invite regulatory scrutiny under EU and Romanian critical infrastructure frameworks, and provide follow-on attackers with reconnaissance value. The incident also reinforces an ongoing pattern of ransomware groups prioritizing mid-sized European energy operators, where security maturity may lag behind the largest national utilities while the operational and reputational stakes remain high.

The Attack Technique

INC Ransom has been active since at least 2023 and operates a textbook double-extortion model: encrypting victim systems while exfiltrating data to maximize negotiation leverage. The specific initial access vector for the Distrigaz Vest intrusion has not been disclosed by the group, and no technical indicators have been released publicly at the time of writing. Based on prior incidents, INC Ransom operators are known to rely on a recurring toolset across the intrusion lifecycle:

Defenders should treat the presence of these tools, particularly in unusual combinations or on systems where they have no legitimate business, as a high-confidence indicator of hands-on-keyboard intrusion activity consistent with INC Ransom tradecraft.

What Organizations Should Do

Energy sector operators and organizations with similar risk profiles should take the following defensive steps:

  1. Hunt for the known INC Ransom toolset (Mimikatz, AdFind, Advanced IP Scanner, SoftPerfect NetScan, Finger, 7-Zip staging archives) across endpoints and servers, prioritizing domain controllers and file shares.
  2. Monitor egress traffic for large outbound transfers to BackBlaze and MEGA endpoints, and block or alert on uploads from systems that have no business reason to use those services.
  3. Enforce phishing-resistant multi-factor authentication on all remote access, VPN, and privileged administrative pathways, which remain a primary INC Ransom entry point in observed incidents.
  4. Segment operational technology and billing/customer environments from corporate IT, and tightly restrict lateral movement paths between Active Directory tiers.
  5. Validate and test offline, immutable backups for core financial, customer, and operational systems, and rehearse restoration timelines against a worst-case encryption scenario.
  6. Prepare regulatory and customer notification playbooks aligned with Romanian and EU critical infrastructure reporting obligations, so that disclosure decisions are not made under live extortion pressure.
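
A minimal hunt covering steps 1 and 2, added here as an example and not taken from the source or from any vendor tooling: it flags hosts where two or more categories of activity co-occur, since a single tool such as 7-Zip is often legitimate on its own. The event schema, the default executable names, the category labels, the domain suffixes and the 500 MiB threshold are assumptions, and the sample events are constructed.

```python
import ntpath
from collections import defaultdict

# Default executable names for the tools listed in step 1 (assumption:
# renamed binaries need hash or original-filename telemetry instead).
TOOLS = {
    "mimikatz.exe": "credential-access",
    "adfind.exe": "discovery",
    "advanced_ip_scanner.exe": "discovery",
    "netscan.exe": "discovery",
    "finger.exe": "network-utility",
    "7z.exe": "staging", "7za.exe": "staging",
}
# Assumed domain suffixes for the two cloud services named in step 2.
EXFIL_SUFFIXES = ("backblazeb2.com", "backblaze.com", "mega.nz", "mega.co.nz")
UPLOAD_THRESHOLD = 500 * 1024 * 1024  # bytes out per host; tune to your baseline

# Constructed sample telemetry, not from any real incident.
SAMPLE_EVENTS = [
    {"type": "proc", "host": "DC01", "image": r"C:\Users\Public\AdFind.exe"},
    {"type": "proc", "host": "DC01", "image": r"C:\PerfLogs\mimikatz.exe"},
    {"type": "proc", "host": "FS02", "image": r"C:\Program Files\7-Zip\7z.exe"},
    {"type": "net", "host": "FS02", "dest": "f004.backblazeb2.com", "bytes_out": 900_000_000},
    {"type": "net", "host": "FS02", "dest": "g.api.mega.co.nz", "bytes_out": 200_000_000},
    {"type": "proc", "host": "WS17", "image": r"C:\Program Files\7-Zip\7z.exe"},
    {"type": "net", "host": "WS17", "dest": "example.org", "bytes_out": 10_000},
]

def hunt(events):
    """Return {host: sorted categories} for hosts showing two or more categories."""
    cats = defaultdict(set)
    uploaded = defaultdict(int)
    for ev in events:
        if ev["type"] == "proc":
            cat = TOOLS.get(ntpath.basename(ev["image"]).lower())
            if cat:
                cats[ev["host"]].add(cat)
        elif ev["type"] == "net":
            dest = ev["dest"].lower().rstrip(".")
            # Match the suffix on a label boundary so "notmega.nz" does not hit.
            if any(dest == s or dest.endswith("." + s) for s in EXFIL_SUFFIXES):
                uploaded[ev["host"]] += ev["bytes_out"]
    for host, total in uploaded.items():
        if total >= UPLOAD_THRESHOLD:
            cats[host].add("exfiltration")
    return {h: sorted(c) for h, c in cats.items() if len(c) >= 2}

if __name__ == "__main__":
    for host, found in hunt(SAMPLE_EVENTS).items():
        print(host, found)
```

On the sample data DC01 and FS02 are flagged, while WS17, which only ran 7-Zip, is not.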

Sources: Distrigaz Vest Ransomware Attack by INC Ransom (May 2026)