Ransomware Attack Hits Romania’s “Romanian Waters” Authority: IT Systems Affected, Critical Operations Continue
Romania’s National Administration “Romanian Waters” has confirmed it was targeted by a ransomware cyberattack impacting a large portion of its IT infrastructure and nearly all regional river basin administrations.
The incident was officially reported to the Romanian National Cyber Security Directorate on December 20, 2025, and the investigation remains ongoing.
Current status (update as of December 24, 2025)
According to the latest official update:
the situation is under control;
essential activities continue without disruption;
water resource monitoring and hydrotechnical infrastructure operations have not been affected.
A phased restoration process is underway:
user accounts have been restored;
email services are being stabilized;
the hydrological dispatch application has been relocated to a secure IT environment and is operational;
financial systems and the official website are being restored in stages.
Scope and impact
DNSC reports that approximately 1,000 IT systems were compromised, including:
GIS application servers;
database servers;
Windows workstations and servers;
email and web servers;
DNS infrastructure.
Operational Technologies (OT) were not impacted. Hydrotechnical facilities remain safe and are operated locally, with coordination handled via telephone and radio communications.
Attack method
The initial access vector has not yet been confirmed. Preliminary findings indicate that the attackers abused BitLocker, the legitimate Windows encryption mechanism, to encrypt files and deny access to systems.
A ransom note was issued, requesting contact within seven days. Romanian cyber authorities strongly advise against contacting or negotiating with the attackers.
National response
Incident response efforts involve:
DNSC;
the National Cyberint Center (CNC) within the Romanian Intelligence Service;
affected institutions and other government bodies.
Steps have been initiated to integrate the “Romanian Waters” IT infrastructure into national cyber protection systems for critical assets.
DIAMATIX Perspective
This incident illustrates the persistent ransomware risk facing public-sector and critical infrastructure organizations. The use of legitimate tools like BitLocker highlights the importance of:
continuous IT monitoring;
early anomaly detection;
strong IT/OT segmentation;
well-tested incident response plans.
Ransomware campaigns targeting public institutions increasingly aim to disrupt trust and continuity, not just extract financial gain.
Sources:
Romanian National Cyber Security Directorate (DNSC) – official statements
National Administration “Romanian Waters” – public updates
Romanian Intelligence Service (SRI) / CNC – incident response communications
Trusted · Innovative · Vigilant
