Full Report
Romania's cybersecurity agency confirms a major ransomware attack on the country's water management administration has compromised around 1,000 systems, with work to remediate them still ongoing. Administrația Națională Apele Române (Romanian Waters) says its geographical information system applications servers, database servers, Windows workstations, Windows Servers, email and web servers, and domain name servers are all affected. Its website remains offline, so official information is being disseminated via alternative sources. Romanian Waters oversees the country's water infrastructure, including dams, waterways, drinking water supplies, and monitoring systems.
Analysis Summary
# Incident Report: Major Ransomware Attack on Romanian Waters
## Executive Summary
A significant ransomware attack impacted Administrația Națională Apele Române (Romanian Waters) starting around December 20, 2025, compromising approximately 1,000 IT systems across the organization and ten of the eleven river basin management organizations. While operational capabilities, particularly hydrotechnical operations, were maintained by on-site staff, critical infrastructure servers and end-user workstations were encrypted, leading to the closure of the public website. Response efforts focus on remediation, guided by the National Cyber Security Directorate (DNSC), with a strong recommendation against engaging with the attackers.
## Incident Details
- **Discovery Date:** December 20, 2025 (attack initiation and discovery coincide)
- **Incident Date:** Began on December 20, 2025
- **Affected Organization:** Administrația Națională Apele Române (Romanian Waters)
- **Sector:** Water Management/Critical Infrastructure
- **Geography:** Romania
## Timeline of Events
### Initial Access
- **Date/Time:** December 20, 2025
- **Vector:** Not stated in the source text (the source implies a ransomware-as-a-service style operation but does not identify the initial infection vector).
- **Details:** Attack initiated, leading to widespread system compromise.
### Lateral Movement
- **Details:** The attack successfully spread to ten of the country's eleven river basin management organizations.
### Data Exfiltration/Impact
- **Details:** Files were encrypted across approximately 1,000 systems. Attackers left ransom notes demanding negotiations within seven days. The encryption was carried out by abusing the built-in **Windows BitLocker** feature rather than by deploying a custom encryptor.
### Detection & Response
- **Detection:** Confirmed by the Romanian National Cyber Security Directorate (DNSC) shortly after the attack began.
- **Response Actions:** Remediation work is ongoing. DNSC is actively communicating and advising against contacting or negotiating with the attackers.
## Attack Methodology
- **Initial Access:** Not explicitly detailed.
- **Persistence:** Not detailed.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Not detailed.
- **Discovery:** Not detailed.
- **Lateral Movement:** Successful spread across the main organization and ten subordinate river basin administrations.
- **Collection:** Not detailed; the observed focus of the attack was encryption.
- **Exfiltration:** Not mentioned.
- **Impact:** Files on approximately 1,000 systems were encrypted using BitLocker.
## Impact Assessment
- **Financial:** Not specified.
- **Data Breach:** Scope of data compromised is unknown, but internal servers were affected.
- **Operational:** **Critical:** Hydrotechnical operations and working capabilities were *not* affected, as they were being run locally by on-site staff. **Non-Critical:** Geographical information system applications servers, database servers, Windows workstations, Windows Servers, email and web servers, and domain name servers were all affected. The public website remains offline.
- **Reputational:** Official information is being disseminated via alternative sources, indicating damage to public communication channels.
## Indicators of Compromise
- **Network Indicators:** None provided in the source.
- **File Indicators:** Ransom notes left behind.
- **Behavioral Indicators:** Widespread encryption utilizing Windows BitLocker functionality.
## Response Actions
- **Containment Measures:** DNSC is managing the official response and communication.
- **Eradication Steps:** Remediation work is actively ongoing across the 1,000 compromised systems.
- **Recovery Actions:** Efforts are focused on restoring impacted IT services.
## Lessons Learned
- Critical national infrastructure (Romanian Waters) was **not protected** by Romania's national system for safeguarding critical infrastructure, which monitors and detects anomalous activity.
- Reliance on local, manual operations averted a full operational shutdown, highlighting redundancy in physical procedures but systemic failure in IT defense.
## Recommendations
- Immediately integrate the network infrastructure of Administrația Națională Apele Române into the national monitoring and protection systems (CNC systems).
- Review and bolster endpoint detection and response capabilities, especially concerning the unauthorized use of native encryption tools like BitLocker.
- Adhere strictly to the policy of non-negotiation with ransomware actors to avoid financing cybercrime.
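The second recommendation above, detecting unauthorized use of native BitLocker tooling, can be expressed as detection logic over process-creation telemetry. The following is an added example written for this report; it is not code from DNSC, Romanian Waters, or the original article. It assumes process-creation records with the fields Sysmon Event ID 1 or Security Event ID 4688 provide (timestamp, host, user, parent image, command line); the account names, host names, and log records below are constructed, and the "authorized deployment identity plus authorized parent process" allow-list is an assumption about how a managed BitLocker rollout would look in a given estate.

```python
"""
Flag BitLocker state changes (manage-bde / BitLocker PowerShell cmdlets) that do
not originate from an authorized deployment identity, and escalate when such
changes hit several hosts in a short window, the pattern of mass encryption
seen in ransomware incidents.  Added example; all records are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (fields as in Sysmon ID 1 / Security 4688)."""
    ts: datetime
    host: str
    user: str
    parent_image: str
    command_line: str


# Commands that change BitLocker state or key protectors.  Read-only queries
# such as "manage-bde -status" are deliberately not listed.
STATE_CHANGING = [
    ("manage-bde -on", re.compile(r"\bmanage-bde(\.exe)?\b.*\s-on\b", re.I)),
    ("manage-bde -protectors -add", re.compile(r"\bmanage-bde(\.exe)?\b.*-protectors\s+-add\b", re.I)),
    ("manage-bde -protectors -delete", re.compile(r"\bmanage-bde(\.exe)?\b.*-protectors\s+-delete\b", re.I)),
    ("Enable-BitLocker cmdlet", re.compile(r"\bEnable-BitLocker\b", re.I)),
    ("Add-BitLockerKeyProtector cmdlet", re.compile(r"\bAdd-BitLockerKeyProtector\b", re.I)),
]


@dataclass
class Alert:
    severity: str
    host: str
    user: str
    action: str
    reason: str


def classify(event: ProcessEvent):
    """Return the name of the state-changing BitLocker action, or None."""
    for name, pattern in STATE_CHANGING:
        if pattern.search(event.command_line):
            return name
    return None


def detect(events, authorized_users, authorized_parents,
           fleet_threshold=3, window=timedelta(minutes=15)):
    """
    One alert per BitLocker state change that did not come from BOTH an
    authorized identity and an authorized parent process.  Severity becomes
    'critical' once unauthorized changes touch fleet_threshold distinct hosts
    inside `window`; earlier alerts in the same burst stay 'high'.
    """
    alerts = []
    suspicious = []  # (timestamp, host) of unauthorized state changes seen so far
    for ev in sorted(events, key=lambda e: e.ts):
        action = classify(ev)
        if action is None:
            continue
        if ev.user.lower() in authorized_users and ev.parent_image.lower() in authorized_parents:
            continue  # managed rollout: expected identity and expected parent
        suspicious.append((ev.ts, ev.host))
        recent_hosts = {h for ts, h in suspicious if ev.ts - ts <= window}
        severity = "critical" if len(recent_hosts) >= fleet_threshold else "high"
        reason = (f"{action} by {ev.user} under {ev.parent_image}; "
                  f"{len(recent_hosts)} host(s) affected in window")
        alerts.append(Alert(severity, ev.host, ev.user, action, reason))
    return alerts


# Constructed sample telemetry (hypothetical hosts and accounts).
T0 = datetime(2025, 12, 20, 2, 0, 0)
SAMPLE_EVENTS = [
    # Authorized rollout: MDM service account, launched by the management agent.
    ProcessEvent(T0, "WS-HQ-017", "CORP\\svc-mdm", "ccmexec.exe",
                 'powershell.exe -Command "Enable-BitLocker -MountPoint C: -TpmProtector"'),
    # Read-only status query: not a state change, no alert.
    ProcessEvent(T0 + timedelta(minutes=3), "SRV-GIS-01", "CORP\\adm-ops", "cmd.exe",
                 "manage-bde.exe -status C:"),
    # Interactive, unauthorized state changes across several servers.
    ProcessEvent(T0 + timedelta(minutes=4), "SRV-GIS-01", "CORP\\adm-ops", "cmd.exe",
                 "manage-bde.exe -on D:"),
    ProcessEvent(T0 + timedelta(minutes=6), "SRV-DB-02", "CORP\\adm-ops", "cmd.exe",
                 "manage-bde.exe -protectors -add D: -rp"),
    ProcessEvent(T0 + timedelta(minutes=9), "SRV-MAIL-01", "CORP\\adm-ops", "cmd.exe",
                 "manage-bde.exe -on E:"),
    # Unrelated activity.
    ProcessEvent(T0 + timedelta(minutes=10), "WS-HQ-044", "CORP\\jdoe", "explorer.exe",
                 "notepad.exe C:\\Users\\jdoe\\notes.txt"),
]
AUTHORIZED_USERS = {"corp\\svc-mdm"}      # assumed deployment identity
AUTHORIZED_PARENTS = {"ccmexec.exe"}      # assumed management-agent parent


def run_sample():
    return detect(SAMPLE_EVENTS, AUTHORIZED_USERS, AUTHORIZED_PARENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.severity.upper()}] {a.host}: {a.reason}")
```

On the sample data the rule stays quiet for the managed rollout and the status query, raises two `high` alerts for the first two servers, and escalates the third server to `critical` because three hosts were touched within the 15-minute window. The allow-list is the part that needs tuning per estate: a real deployment should key it on the identity and parent process that its own BitLocker rollout actually uses, and a change that backs recovery keys up to the directory (rather than leaving them with whoever ran the command) is the benign case the rule should learn to recognize.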