TL;DR

Romania's National Administration 'Romanian Waters' reported roughly 1,000 compromised systems after a ransomware incident that began Dec. 20. Core IT infrastructure was affected but on-site teams continued hydrotechnical operations while remediation is ongoing.

What happened

Romania's National Administration 'Romanian Waters' experienced a ransomware incident that began on December 20 and has since affected about 1,000 IT systems. The compromise touched multiple categories of infrastructure, including geographic information system (GIS) application servers, database and Windows servers, Windows workstations, email and web servers, and domain name services. The agency's public website remains offline, and official notices are being shared through alternate channels. The incident spread to 10 of the country's 11 river basin management organizations. Authorities confirmed that files were encrypted and that ransom notes demanded negotiation within seven days. Despite the IT disruption, the organization said operational and hydrotechnical activities have continued, managed locally by staff on site. Romania's National Cyber Security Directorate (DNSC) is leading the response and has warned against contacting or negotiating with the attackers while remediation continues.

Why it matters

  • The attack affected systems used to manage dams, waterways and drinking water monitoring, raising national security and public safety concerns.
  • Widespread encryption across diverse server types shows how municipal and sectoral IT environments can be vulnerable to disruption.
  • The agency was not yet routed through Romania's protective critical infrastructure monitoring system, highlighting gaps in national coverage.
  • The attackers' use of a built-in Windows feature (BitLocker) rather than a custom encryptor may complicate attribution and response, since there is no distinctive malware family to match against known ransomware toolsets.

Key facts

  • Incident began on December 20, 2025.
  • Approximately 1,000 systems are being investigated as compromised.
  • Affected assets include GIS application servers, database servers, Windows workstations and servers, email and web servers, and DNS servers.
  • The attack extended to 10 out of 11 river basin management organizations.
  • Romanian Waters' public website is offline; official updates are sent via other channels.
  • Hydrotechnical operations continued without reported operational disruption, run locally by on-site personnel.
  • Attackers left ransom notes demanding negotiations within seven days.
  • DNSC reported that the attackers abused Windows BitLocker to encrypt files.
  • Romanian Waters was not routed through the national critical infrastructure monitoring system; integration steps have begun.
  • DNSC advised victims not to contact or negotiate with the attackers and to avoid distracting IT teams restoring services.

What to watch next

  • Whether authorities identify the responsible group or malware family (not confirmed in the source).
  • Progress and timeline for full remediation and restoration of affected IT systems (remediation ongoing; specific timeline not confirmed in the source).
  • Completion of the planned integration of Romanian Waters into the national critical infrastructure monitoring system, and its effect on future coverage.
  • Any updates on whether ransom demands lead to negotiations or payments (not confirmed in the source).

Quick glossary

  • Ransomware: Malicious software that encrypts data or locks systems, often accompanied by demands for payment to restore access.
  • BitLocker: A disk encryption feature built into Microsoft Windows that can be used to encrypt drives and protect data.
  • Domain Name System (DNS): The system that translates human-readable domain names into the IP addresses used by networked devices.
  • Geographic Information System (GIS): Software and datasets used to capture, store, analyze, and present geographic or spatial information.
  • Critical National Infrastructure (CNI): Facilities, systems and networks whose disruption would have significant impact on national security, economy, public health or safety.

Reader FAQ

Was the water supply interrupted by the attack?
Operational and hydrotechnical activities continued under local on-site control; no interruption of operations was reported.

Do authorities know who carried out the attack?
Not confirmed in the source.

Were ransom demands made?
Yes; attackers left ransom notes instructing Romanian Waters to begin negotiations within seven days.

Was Romanian Waters covered by national critical infrastructure protections before the attack?
No; the agency's network was not routed through Romania's critical infrastructure monitoring system, and steps to integrate it are underway.

Sources

  • CSO: "Around 1,000 systems compromised in ransomware attack on Romanian water agency" (On-site staff keep key systems working while all but one region battles with encrypted PCs), by Connor Jones…
