Data Breaches | December 22, 2025 | 5 min read

Romania's Water Management Agency Hit by Ransomware Attack Affecting 1,000 Systems

Attackers weaponized Windows BitLocker to encrypt systems across Romanian Waters, impacting 10 of 11 river basin management organizations.

Sarah Mitchell

Romania's national water management agency, Administrația Națională Apele Române (Romanian Waters), confirmed that a ransomware attack beginning December 20 has compromised approximately 1,000 systems across its infrastructure. The attack spread to 10 of the country's 11 river basin management organizations, affecting everything from geographic information systems to email servers.

TL;DR

  • What happened: Ransomware attack on Romania's water management agency encrypted ~1,000 systems using BitLocker
  • Who's affected: Romanian Waters and 10 of 11 regional river basin management organizations
  • Severity: High - critical infrastructure attack disrupting water management operations
  • Action required: OT/ICS operators should audit BitLocker policies and network segmentation between IT and OT systems

What Systems Were Compromised?

According to Romania's National Cyber Security Directorate (DNSC), the attack impacted a broad range of infrastructure:

  • Geographic Information System (GIS) application servers
  • Database servers containing operational data
  • Windows workstations across multiple facilities
  • Windows Server infrastructure
  • Email and web servers
  • Domain name servers

The DNSC confirmed that attackers exploited Windows BitLocker—a legitimate disk encryption feature—to encrypt files across the compromised systems. This technique, sometimes called "living off the land," uses built-in operating system tools to avoid detection by security software looking for known ransomware binaries.

How BitLocker Becomes a Weapon

BitLocker is Microsoft's full-disk encryption feature, designed to protect data if a device is lost or stolen. Ransomware operators have increasingly abused it because:

  • It's already present on Windows systems—no malware deployment needed
  • Security tools typically whitelist BitLocker as a legitimate process
  • Encryption is fast and reliable (it's designed for enterprise use)
  • Recovery requires either the BitLocker recovery key or payment of the ransom

The attack pattern typically involves:

  1. Gaining administrative access to target systems
  2. Enabling BitLocker with an attacker-controlled recovery key
  3. Rebooting systems to complete encryption
  4. Deleting or exfiltrating the original recovery keys
  5. Demanding payment for key restoration

Geographic Spread of the Attack

The infection spread rapidly across Romanian Waters' distributed infrastructure. Ten of Romania's 11 Administrații Bazinale de Apă (river basin administrations) reported compromised systems. These regional organizations manage water resources, flood control, and dam operations across different river systems.

The one basin administration that escaped infection hasn't been identified. That it was spared may indicate better network segmentation, different system configurations, or simply that it wasn't connected to compromised infrastructure at the time of the attack.

Why Water Infrastructure Remains Vulnerable

Water utilities face several security challenges that make them attractive ransomware targets:

Legacy systems: Many water management systems run outdated operating systems because upgrading operational technology is expensive and requires careful testing to avoid disrupting critical services.

Converged IT/OT networks: As utilities digitize operations, the air gaps between corporate IT networks and operational technology controlling physical processes have eroded. An attacker who compromises the IT network can often pivot to systems controlling pumps, valves, and sensors.

Limited security budgets: Public utilities typically operate with constrained IT budgets. Security investments compete with infrastructure maintenance and regulatory compliance.

24/7 operational requirements: Water systems can't easily be taken offline for patching or security updates without affecting service delivery.

Remediation Efforts Ongoing

Romanian Waters stated that remediation work is still in progress. Recovery from a BitLocker-based attack typically requires either:

  • Restoring from backups (if backups exist and weren't also encrypted)
  • Using stored BitLocker recovery keys (if attackers didn't delete them)
  • Rebuilding systems from scratch
  • Paying the ransom (which authorities generally advise against)

The DNSC hasn't disclosed whether any ransom demand was made or the identity of the threat actors responsible.

Recommended Mitigations

  1. Control BitLocker deployment - Use Group Policy to restrict who can enable BitLocker and audit recovery key storage
  2. Segment OT networks - Maintain strict separation between corporate IT and operational technology networks
  3. Protect recovery keys - Store BitLocker recovery keys in a secure, air-gapped location that attackers can't access after initial compromise
  4. Deploy endpoint detection - Monitor for unusual BitLocker activity, including unexpected enablement or recovery key queries
  5. Maintain offline backups - Keep verified backup copies that can't be reached through network access
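Mitigations 1, 3 and 4 above (controlling who can enable BitLocker, escrowing recovery keys, and spotting unexpected enablement) can be checked per host. The PowerShell below is an added example written for this article, not code from the original page or from DNSC or Romanian Waters; it assumes the BitLocker module is installed, and that the FVE policy value names and the event IDs 845/846 match your environment.

```powershell
# Added example, not code from the article, DNSC or Romanian Waters: a read-only
# BitLocker posture check for one domain-joined Windows host (run elevated).
# Assumptions: the BitLocker PowerShell module is installed, and the policy value
# names under HKLM:\SOFTWARE\Policies\Microsoft\FVE match your GPO baseline.

$findings = @()

# 1. Policy: recovery information must be escrowed to AD DS before encryption starts.
#    Without this, whoever turns BitLocker on may hold the only copy of the key.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if (-not $fve -or $fve.OSActiveDirectoryBackup -ne 1 -or $fve.OSRequireActiveDirectoryBackup -ne 1) {
    $findings += 'Policy does not require OS-drive recovery info to be backed up to AD DS before encrypting'
}

# 2. Volumes: report state and key protectors, and flag shapes that do not match a
#    managed rollout (protection on with no TPM protector, or no recovery password to escrow).
$inventory = foreach ($vol in Get-BitLockerVolume) {
    $types = @($vol.KeyProtector.KeyProtectorType)
    if ($vol.ProtectionStatus -eq 'On' -and -not ($types -match '^Tpm')) {
        $findings += "$($vol.MountPoint) protection is on without a TPM-based protector ($($types -join ','))"
    }
    if ($vol.VolumeStatus -ne 'FullyDecrypted' -and $types -notcontains 'RecoveryPassword') {
        $findings += "$($vol.MountPoint) is encrypted with no RecoveryPassword protector to escrow"
    }
    [pscustomobject]@{
        Volume     = $vol.MountPoint
        Status     = $vol.VolumeStatus
        Protection = $vol.ProtectionStatus
        Protectors = ($types -join ',')
    }
}
$inventory | Format-Table -AutoSize

# 3. Events: escrow results from the last 7 days. 845 = recovery info backed up to
#    AD DS, 846 = backup failed (assumed IDs; confirm against your environment).
$filter = @{ LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845, 846;
             StartTime = (Get-Date).AddDays(-7) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
foreach ($e in ($events | Where-Object Id -eq 846)) {
    $findings += "Event 846 at $($e.TimeCreated): recovery info backup to AD DS failed"
}
if ($events -and -not ($events | Where-Object Id -eq 845)) {
    $findings += 'No successful AD DS escrow event (845) in the last 7 days'
}

if ($findings.Count -eq 0) { 'No BitLocker posture findings' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Reads of escrowed recovery passwords happen on the domain controllers rather than on the host, so the "recovery key queries" in mitigation 4 are audited there: with directory-service access auditing enabled and a SACL on the msFVE-RecoveryInformation objects, each read surfaces as Security event 4662.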

Frequently Asked Questions

Could this attack affect water quality or safety?

The disclosed impact focuses on IT systems (email, databases, GIS). Operational control systems for water treatment are typically separate, though network segmentation varies by utility. Romanian authorities haven't indicated any impact on water safety.

Why would attackers use BitLocker instead of custom ransomware?

Using built-in tools helps attackers evade detection. Security software is designed to catch malicious executables, not legitimate Windows features. BitLocker-based attacks also require no payload development or testing.

Is this connected to other water utility attacks in Europe?

No direct connection has been established. However, the attack follows Denmark's attribution of water utility attacks to Russian-linked groups earlier this week, highlighting ongoing threats to European water infrastructure.
