On-site staff keep key systems working while all but one region battles with encrypted PCs Romania's cybersecurity agency confirms a major ransomware attack on the country's water management administration has compromised around 1,000 systems, with work to remediate them still ongoing.…
# Incident Report: Romanian Waters Ransomware Attack
## Executive Summary
A major ransomware attack targeted Administrația Națională Apele Române (Romanian Waters), compromising approximately 1,000 systems across the national water management administration and ten of eleven regional river basin organizations. While critical hydrotechnical operations remained functional due to on-site staff intervention, numerous IT systems, including servers and workstations, were encrypted. Response efforts are ongoing, with authorities advising against negotiating with the attackers.
## Incident Details
- Discovery Date: Monday, December 22, 2025 (Date of reporting)
- Incident Date: Attack began on December 20, 2025
- Affected Organization: Administrația Națională Apele Române (Romanian Waters)
- Sector: Water Management/Critical Infrastructure
- Geography: Romania
## Timeline of Events
### Initial Access
- Date/Time: On or before December 20, 2025
- Vector: Not stated in the source report; whatever the entry point, the attack resulted in system encryption.
- Details: The attack successfully compromised the network infrastructure across the central administration and most regional branches.
### Lateral Movement
- Details: The attack spread to ten of the country's eleven river basin management organizations, indicating successful lateral movement beyond the initial point of compromise.
### Data Exfiltration/Impact
- Details: Approximately 1,000 systems were encrypted, including geographic information system (GIS) application servers, database servers, Windows workstations, Windows servers, email and web servers, and domain name servers. Ransom notes were left demanding negotiations within seven days.
### Detection & Response
- Detection: Confirmed by Romania's National Cyber Security Directorate (DNSC).
- Response actions taken: On-site staff maintained hydrotechnical operations locally. DNSC is investigating the 1,000 compromised systems and has strictly advised the victim organization against communicating or negotiating with the attackers. Steps are underway to integrate the network into Romania's critical national infrastructure protection system (CNC).
## Attack Methodology
- Initial Access: Not specified, but led to system encryption.
- Persistence: Not specified.
- Privilege Escalation: Not specified.
- Defense Evasion: Not specified.
- Credential Access: Not specified.
- Discovery: Not specified.
- Lateral Movement: Successfully spread to 10 of 11 regional river basin management organizations.
- Collection: Not specified.
- Exfiltration: Not explicitly confirmed, but ransom notes suggest data compromise or encryption as leverage.
- Impact: Encryption of approximately 1,000 systems using what authorities suggest may be **Windows' BitLocker**, indicating possible abuse of a built-in operating system tool rather than deployment of a known ransomware payload.
## Impact Assessment
- Financial: Not disclosed. Authorities are focused on remediation.
- Data Breach: Affecting servers hosting GIS applications, databases, email, web services, and domain control.
- Operational: Critical hydrotechnical operations (dams, water supply, monitoring) were **not affected** and continued to run normally, managed locally by on-site staff. However, IT services (websites, internal servers) were severely disrupted or offline.
- Reputational: Public information is being disseminated through alternative sources as the official website is offline.
## Indicators of Compromise
- Network indicators: None provided.
- File indicators: Ransom notes left demanding negotiation within seven days. The encryption used is reported to be consistent with Windows' BitLocker utility.
- Behavioral indicators: Widespread encryption across IT infrastructure impacting business services.
## Response Actions
- Containment measures: DNSC policy directs against contact/negotiation to starve the cybercrime economy.
- Eradication steps: Work to remediate the encrypted systems is ongoing.
- Recovery actions: On-site staff maintained manual/local control of vital services, preventing a complete operational shutdown. Integration into national cyber protection systems is being accelerated.
## Lessons Learned
- Critical services resilience: The incident demonstrated the value of local, on-site staff capable of taking over operations manually when IT systems fail or are compromised.
- Critical Infrastructure Protection Gap: The affected network was not protected by Romania's established system for safeguarding critical national infrastructure (CNC system).
## Recommendations
- Accelerate the integration of all critical national infrastructure, including water management facilities, into the established national cyber defense and monitoring systems (CNC).
- Review and enhance endpoint protection and network segmentation controls to prevent the large-scale lateral spread observed across the organization and its regional branches.
- Review procedures to ensure that standard ransomware protection tools are deployed, given the observation that the attackers may have leveraged built-in tools like BitLocker.
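As an added example (not from the DNSC report or the source article), the following Python detection logic runs over constructed process-creation events and flags two things the recommendations above call for: BitLocker enablement or key-protector changes made by accounts outside an approved list, and one account touching many hosts, the fan-out pattern of the lateral spread described in this report. Host names, account names and the approved-user list are invented.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (Sysmon event ID 1 / Security 4688
# style fields); illustrative only, not telemetry from the incident.
SAMPLE_EVENTS = [
    {"host": "gis-srv-01", "user": "CORP\\itadmin", "cmdline": "manage-bde.exe -on D: -pw"},
    {"host": "mail-srv-01", "user": "CORP\\itadmin", "cmdline": "manage-bde -protectors -add C: -pw"},
    {"host": "dns-srv-01", "user": "CORP\\itadmin", "cmdline": "manage-bde -on C: -pw"},
    {"host": "db-srv-02", "user": "CORP\\itadmin",
     "cmdline": "powershell.exe -c Add-BitLockerKeyProtector -MountPoint E: -PasswordProtector"},
    {"host": "laptop-07", "user": "CORP\\bitlocker-admin",
     "cmdline": "powershell.exe Enable-BitLocker -MountPoint C: -TpmProtector"},
    {"host": "ws-114", "user": "CORP\\jdoe", "cmdline": "notepad.exe report.txt"},
]

# Command-line shapes that enable BitLocker or add a key protector. A password
# protector set by an unknown party locks the organisation out of its own data.
BITLOCKER_PATTERNS = [
    (re.compile(r"\bmanage-bde(\.exe)?\s+-on\b", re.I), "manage-bde enable"),
    (re.compile(r"\bmanage-bde(\.exe)?\s+-protectors\s+-add\b", re.I), "manage-bde protector add"),
    (re.compile(r"\bEnable-BitLocker\b", re.I), "PowerShell Enable-BitLocker"),
    (re.compile(r"\bAdd-BitLockerKeyProtector\b", re.I), "PowerShell protector add"),
]

def classify(cmdline):
    """Return the matching technique label, or None if the command is unrelated."""
    for pattern, label in BITLOCKER_PATTERNS:
        if pattern.search(cmdline):
            return label
    return None

def detect(events, approved_users, fanout_threshold=3):
    """Alert on BitLocker changes by unapproved accounts, and on any account
    (approved or not) changing BitLocker state on >= fanout_threshold hosts."""
    alerts = []
    hosts_by_user = defaultdict(set)
    for ev in events:
        label = classify(ev["cmdline"])
        if label is None:
            continue
        hosts_by_user[ev["user"]].add(ev["host"])
        if ev["user"] not in approved_users:
            alerts.append({"kind": "unapproved", "host": ev["host"], "user": ev["user"], "technique": label})
    for user, hosts in hosts_by_user.items():
        if len(hosts) >= fanout_threshold:
            alerts.append({"kind": "fanout", "user": user, "hosts": sorted(hosts)})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, {"CORP\\bitlocker-admin"}):
        print(alert)
```

In a real deployment the approved list would be the accounts that legitimately roll out BitLocker, and the fan-out threshold tuned to the size of a normal deployment wave.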