- A ransomware attack on the national water administration of Romania has affected approximately 1,000 systems within the nation.
- The attackers used Windows BitLocker to encrypt files and left ransom notes requesting that negotiations begin within one week.
- Operational capabilities remain active as on-site staff continue handling critical water systems manually.

A team of cybersecurity specialists in Romania has announced that a ransomware attack has affected up to a thousand computers connected with Administrația Națională Apele Române. To date, recovery efforts have yielded limited improvement, and the agency's offices are still struggling to restore the many systems that were encrypted.
The attack, which occurred on December 20, 2025, hit hard and spread quickly. Geographic information system application servers, email and web servers, Windows workstations, domain name servers, and even database servers all fell victim. The agency’s website went dark immediately. Officials are now using alternative channels to publish updates.
Critical Infrastructure Under Fire
The Administrația Națională Apele Române is responsible for the national system for all freshwater resources, including aqueducts, lakes, reservoirs, rivers, and stations for gauging flow. The attack didn’t stop at the central administration either. It spread to ten of Romania’s eleven river basin management organizations.
The Romanian National Cyber Security Directorate (DNSC) took the lead in the investigation, with up to 1,000 systems examined. Romanian Waters’ operational capabilities were not affected. The DNSC verified that hydrotechnical activities continue running normally, managed locally by on-site staff who kept critical systems working.
Authorities classified this as a “ransomware attack”, though the responsible group has yet to be identified. What they did confirm is troubling. Files were encrypted, and the attackers left ransom notes with a clear deadline. Romanian Waters has seven days to begin negotiations.
This tactic of imposing a deadline aligns with methods used by other ransomware groups, who increasingly pair encryption with threats to leak stolen data, as seen in recent attacks on financial institutions.
The DNSC revealed that the bad actors used Windows BitLocker to encrypt the files. This unusual approach suggests the attack might be coming from an unknown ransomware group using their standard payload. Such groups often operate within the broader cybercriminal ecosystem, which includes hidden online platforms for coordination and data exchange. It’s a different tactic that caught security teams off guard.
Romania’s Firm Stance on Ransom Demands
The DNSC made its position absolutely clear. They issued a strong statement reiterating their strict policy on ransomware attacks.
“We repeat that the strict recommendation and policy of the DNSC towards all affected by the attacks is not to reach out nor negotiate with bad actors, to avoid funding or cheering the cybercrime incidents,” the agency declared.
They also asked the public to avoid contacting IT teams at Romanian Waters or the river basin administrations. These teams need to focus fully on restoring the affected IT services.
“We’ll communicate further details once they’re available,” they added.
The investigation pointed out that Romanian Waters’ network was not protected by Romania’s system for protecting key national infrastructure. This system works similarly to the UK NCSC’s Early Warning service. Critical infrastructure traffic runs through monitoring tools designed to detect anomalous activity and stop attacks before they become disruptive.
The DNSC acknowledged this gap won’t last forever. Procedures to integrate the Romanian Waters’ system into this protective system are already underway.
“The necessary steps have started to integrate this infrastructure into the systems developed by CNC to ensure cyber protection for both public and private IT&C infrastructures of key significance to nation-wide security, thanks to intelligent technologies,” they explained.
A Growing Threat to Water Systems Worldwide
This attack on Romanian Waters joins a disturbing trend of similar incidents targeting Western water administrations. As providers of safe drinking water to vast populations, water management systems represent acute national security concerns.
Just two months ago, in October, hacktivists broke into Canada’s systems managing water, energy, and farming. They accessed controls that could have triggered disastrous consequences. The UK and US have both issued warnings about similar scenarios after observing attacks on their own water authorities.
The Romania incident proves that even critical infrastructure providers remain vulnerable. Where even the most basic protective measures are missing, ransomware groups strike. It is therefore advisable to secure these essential systems ahead of future attacks.