Romanian Waters (Apele Române) Ransomware Attack: BitLocker Disrupts 1,000 IT Systems, Water Operations Unaffected
- Rescana
- 3 days ago
- 6 min read

Executive Summary
Romanian Waters (Administrația Națională Apele Române), the national water management authority of Romania, experienced a ransomware attack over the weekend of December 20, 2025. The incident affected approximately 1,000 computer systems across the central authority and 10 of its 11 regional offices, disrupting IT assets such as geographic information systems (GIS), databases, email, web services, Windows workstations, and domain name servers. The attackers leveraged the legitimate Windows BitLocker encryption tool to lock files and left a ransom note demanding contact within seven days. Importantly, operational technology (OT) systems responsible for water infrastructure, including hydrotechnical assets, dams, and flood defenses, were not impacted, and water operations continued without disruption. The initial attack vector remains unidentified, and no threat actor or ransomware group has claimed responsibility. Romanian authorities, including the National Cyber Security Directorate (DNSC) and the National Cyberint Center, are actively investigating and working to restore IT services. The incident highlights the vulnerability of critical infrastructure sectors to ransomware, especially when not fully integrated into national cyber protection frameworks. All information in this summary is based on direct statements from Romanian authorities and corroborated by multiple primary sources (BleepingComputer, Security Affairs, The Record).
Technical Information
The ransomware attack on Romanian Waters was executed using the built-in Windows BitLocker encryption tool, a method increasingly observed in recent ransomware campaigns targeting critical infrastructure. BitLocker, typically used for legitimate disk encryption, was abused as a "living off the land binary" (LOLBin), allowing attackers to encrypt files on compromised systems without introducing external malware. This approach helps adversaries evade traditional security controls and detection mechanisms, as the tool is natively trusted within Windows environments (The Record).
The attack impacted approximately 1,000 IT systems, including GIS application servers, database servers, Windows workstations, Windows Server systems, email and web servers, and domain name servers. The operational impact was limited to IT infrastructure; OT systems responsible for the management and control of hydrotechnical assets, dams, and flood defenses remained unaffected. Water operations continued as normal, with staff reverting to telephone and radio communications due to the disruption of email services (BleepingComputer, Security Affairs).
The attackers left a ransom note demanding that the authority contact them within seven days. Romanian authorities have reiterated their strict policy and recommendation not to engage or negotiate with ransomware actors, in line with international best practices to avoid incentivizing further attacks (Security Affairs).
Technical teams from the DNSC, Romanian Waters, the National Cyberint Center, and other relevant authorities are actively investigating the incident. The initial access vector remains unknown, with no evidence yet disclosed regarding whether phishing, vulnerability exploitation, or other means were used to gain entry. The investigation is ongoing, and authorities are working to integrate the water authority’s infrastructure into the national cyber protection system, which had not been in place prior to the attack (BleepingComputer).
The use of BitLocker as a ransomware tool aligns with several tactics and techniques in the MITRE ATT&CK framework, including T1486 (Data Encrypted for Impact), T1218 (Signed Binary Proxy Execution), and T1562 (Impair Defenses). There is no direct evidence that system recovery features were disabled (T1490: Inhibit System Recovery), but this remains a possibility in similar attacks.
No specific threat actor or ransomware group has claimed responsibility for the incident. However, the attack follows a pattern of increased targeting of European critical infrastructure by both financially motivated ransomware groups and pro-Russia hacktivist collectives. In early December 2025, the Cybersecurity and Infrastructure Security Agency (CISA), FBI, NSA, and Europol’s EC3 warned of pro-Russia hacktivist groups such as Z-Pentest, Sector16, NoName, and Cyber Army of Russia Reborn (CARR) actively targeting critical infrastructure organizations worldwide (Security Affairs). Attribution in this case remains low-confidence due to the absence of technical indicators or public claims.
The incident underscores the importance of integrating critical infrastructure organizations into national cyber defense frameworks and highlights the risks posed by the abuse of legitimate administrative tools in ransomware operations.
Affected Versions & Timeline
The ransomware attack affected approximately 1,000 IT systems within Romanian Waters, including the central authority and 10 of its 11 regional offices. The compromised assets included GIS application servers, database servers, Windows workstations, Windows Server systems, email and web servers, and domain name servers. There is no evidence that operational technology systems or water infrastructure controls were impacted.
The verified timeline of events is as follows:
- On December 20, 2025, the DNSC was notified of the ransomware attack affecting the IT systems of Romanian Waters and 10 regional water basin administrations, including Oradea, Cluj, Iași, Siret, and Buzău (Security Affairs).
- Between December 21 and 22, 2025, public disclosure by the DNSC and Romanian Waters occurred, and investigation and containment efforts began. Official statements confirmed that OT systems were unaffected and that water operations continued without disruption (BleepingComputer).
- On December 22, 2025, multiple cybersecurity news outlets reported on the incident, confirming the use of BitLocker and the scale of the impact (The Record).
- As of the latest updates, the attack vector remains unidentified, and the investigation is ongoing.
Threat Activity
The threat activity in this incident is characterized by the use of the legitimate Windows BitLocker encryption tool to lock files on compromised systems, a method that leverages the concept of "living off the land" by abusing trusted system binaries (LOLBins) for malicious purposes. This approach allows attackers to evade detection by endpoint security solutions that may not flag the use of native administrative tools.
The attackers issued a ransom note demanding contact within seven days, but there is no evidence of data exfiltration or public threats to leak information. The use of BitLocker, rather than custom ransomware, suggests a focus on rapid impact and operational disruption rather than sophisticated malware deployment.
No specific threat actor or ransomware group has claimed responsibility for the attack. The incident follows a broader trend of ransomware and hacktivist targeting of critical infrastructure in Europe, particularly water utilities. In 2024, Danish intelligence attributed a destructive water-utility cyberattack to Russian state actors, and in early December 2025, international agencies warned of increased targeting by pro-Russia hacktivist groups (BleepingComputer, Security Affairs).
The attack on Romanian Waters is consistent with these patterns, although attribution remains unconfirmed. The incident also highlights the risks associated with incomplete integration of critical infrastructure organizations into national cyber protection frameworks, as the water authority was not yet connected to the national cyber defense system at the time of the attack.
Mitigation & Workarounds
The following mitigation and workaround recommendations are prioritized by severity:
- Critical: Immediate integration of all critical infrastructure organizations, including water authorities, into national cyber protection frameworks is essential. This includes real-time monitoring, threat intelligence sharing, and incident response coordination with national agencies such as the DNSC and National Cyberint Center.
- High: Organizations should implement strict controls on the use of administrative tools such as BitLocker. This includes restricting access to disk encryption features, monitoring for unusual usage patterns, and applying the principle of least privilege to administrative accounts.
- High: Regular, offline backups of critical IT and OT systems should be maintained and tested to ensure rapid recovery in the event of ransomware or destructive attacks. Backup systems should be isolated from production networks to prevent compromise.
- High: Security awareness training for staff should be conducted regularly, with a focus on phishing, social engineering, and the risks associated with administrative tool misuse.
- Medium: Endpoint detection and response (EDR) solutions should be configured to alert on the use of built-in encryption tools and other LOLBins, especially when executed outside of approved maintenance windows or by unauthorized users.
- Medium: Organizations should review and update incident response plans to include scenarios involving the abuse of legitimate administrative tools for ransomware purposes.
- Low: Public communication protocols should be established to ensure timely and accurate information sharing with stakeholders and the public during cyber incidents.
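The two monitoring recommendations above (restricting and watching BitLocker use, and alerting on built-in encryption tools executed outside maintenance windows or by unauthorized users) can be reduced to a concrete detection rule. The following is an added example written for this page, not code from Rescana or from the reporting it cites. It scans Windows Security process-creation records (event ID 4688, using the field names Windows emits) for invocations of the native BitLocker interfaces, manage-bde.exe and the BitLocker PowerShell cmdlets, and rates each hit by what the command does, who ran it, and when. The approved-account set, the maintenance window, and every log record are constructed for illustration; the hostnames and accounts do not refer to any real system.

```python
"""Flag BitLocker invocations in Windows process-creation telemetry.

Added example (not from Rescana or the Romanian authorities' reporting).
Input is a stream of JSON-encoded Security event 4688 records using the
field names Windows uses; the records in SAMPLE_LOG_LINES are constructed,
and the approved-account set and maintenance window are hypothetical policy.
"""
import json
import ntpath
import re
from datetime import datetime, time

# Hypothetical policy: which accounts may drive disk encryption, and when.
APPROVED_ENCRYPTION_ADMINS = {r"CORP\bitlocker-svc"}
MAINTENANCE_WINDOW = (time(22, 0), time(4, 0))  # 22:00 to 04:00, wraps midnight

# Native BitLocker interfaces: the manage-bde.exe LOLBin and BitLocker cmdlets.
BITLOCKER_BINARIES = {"manage-bde.exe"}
BITLOCKER_CMDLETS = re.compile(
    r"\b(Enable-BitLocker|Lock-BitLocker|Add-BitLockerKeyProtector)\b", re.I)

# What the command does; only a plain "query" is treated as benign on its own.
ACTION_PATTERNS = [
    ("enable", re.compile(r"(?:^|\s)-on\b|Enable-BitLocker", re.I)),
    ("lock", re.compile(r"(?:^|\s)-lock\b|Lock-BitLocker", re.I)),
    ("protector", re.compile(r"(?:^|\s)-protectors\b|Add-BitLockerKeyProtector", re.I)),
]


def in_maintenance_window(ts: datetime) -> bool:
    """True if the event's wall-clock time falls inside the maintenance window."""
    start, end = MAINTENANCE_WINDOW
    t = ts.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end  # window wraps past midnight


def classify_action(command_line: str) -> str:
    """Map a command line to enable / lock / protector / query."""
    for name, pattern in ACTION_PATTERNS:
        if pattern.search(command_line):
            return name
    return "query"


def evaluate_event(event: dict):
    """Return an alert dict for a BitLocker invocation, or None for anything else."""
    if int(event.get("EventID", 0)) != 4688:
        return None
    image = ntpath.basename(event.get("NewProcessName", "")).lower()
    cmd = event.get("CommandLine", "")
    if image not in BITLOCKER_BINARIES and not BITLOCKER_CMDLETS.search(cmd):
        return None
    user = f"{event['SubjectDomainName']}\\{event['SubjectUserName']}"
    ts = datetime.fromisoformat(event["TimeCreated"])
    action = classify_action(cmd)
    if action == "query":
        severity = "low"          # status checks are noisy but worth a record
    elif user in APPROVED_ENCRYPTION_ADMINS and in_maintenance_window(ts):
        severity = "info"         # expected: approved account inside the window
    else:
        severity = "high"         # encryption/lock by the wrong account or time
    return {"time": event["TimeCreated"], "host": event["Computer"], "user": user,
            "action": action, "severity": severity, "command": cmd}


def scan(lines):
    """Evaluate a sequence of JSON log lines and return the alerts in order."""
    alerts = []
    for line in lines:
        alert = evaluate_event(json.loads(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample records (hostnames and accounts are fictitious).
SAMPLE_LOG_LINES = [
    r'{"EventID": 4688, "TimeCreated": "2025-12-19T10:15:02", "Computer": "WS-0107", "SubjectDomainName": "CORP", "SubjectUserName": "helpdesk01", "NewProcessName": "C:\\Windows\\System32\\manage-bde.exe", "CommandLine": "manage-bde -status C:"}',
    r'{"EventID": 4688, "TimeCreated": "2025-12-19T23:30:11", "Computer": "WS-0212", "SubjectDomainName": "CORP", "SubjectUserName": "bitlocker-svc", "NewProcessName": "C:\\Windows\\System32\\manage-bde.exe", "CommandLine": "manage-bde -on D: -RecoveryPassword -UsedSpaceOnly"}',
    r'{"EventID": 4688, "TimeCreated": "2025-12-20T03:05:44", "Computer": "GIS-APP-01", "SubjectDomainName": "CORP", "SubjectUserName": "jdoe", "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile -Command Enable-BitLocker -MountPoint E: -RecoveryPasswordProtector"}',
    r'{"EventID": 4688, "TimeCreated": "2025-12-20T14:00:19", "Computer": "DB-02", "SubjectDomainName": "CORP", "SubjectUserName": "bitlocker-svc", "NewProcessName": "C:\\Windows\\System32\\manage-bde.exe", "CommandLine": "manage-bde -lock F: -ForceDismount"}',
    r'{"EventID": 4688, "TimeCreated": "2025-12-20T14:02:00", "Computer": "WS-0107", "SubjectDomainName": "CORP", "SubjectUserName": "jdoe", "NewProcessName": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe report.txt"}',
    r'{"EventID": 4624, "TimeCreated": "2025-12-20T14:03:30", "Computer": "WS-0107", "SubjectDomainName": "CORP", "SubjectUserName": "jdoe"}',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG_LINES):
        print(f"[{a['severity']:>4}] {a['time']} {a['host']} {a['user']} "
              f"{a['action']}: {a['command']}")
```

Run as a script it prints one line per BitLocker invocation; the status query is rated low, the service account's overnight enable is rated info, and both the workstation user's PowerShell Enable-BitLocker and the service account's daytime lock are rated high. Command-line logging must be enabled for 4688 (or an equivalent EDR/Sysmon process-creation source used) for the cmdlet pattern to fire, since only the image name is recorded otherwise.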
Authorities have reiterated that victims should not engage or negotiate with ransomware actors, in line with international best practices (Security Affairs). Technical teams should be allowed to focus on restoring IT services without external interference.
References
https://www.bleepingcomputer.com/news/security/romanian-water-authority-hit-by-ransomware-attack-over-weekend/
https://securityaffairs.com/186010/cyber-crime/romanian-waters-confirms-cyberattack-critical-water-operations-unaffected.html
https://therecord.media/romania-national-water-agency-ransomware-attack
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor cyber risks across their supply chain and critical infrastructure partners. Our platform enables continuous risk assessment, automated evidence collection, and actionable reporting to support compliance and incident response. For questions or further information, please contact us at ops@rescana.com.