Ransomware attack on Romania’s water authority cripples roughly 1,000 systems

Key Takeaways

  • ANAR, Romania’s national water authority, suffered a major ransomware attack that hit servers and workstations across its river basin organizations.
  • Attackers used Windows BitLocker, the built-in full-volume encryption feature, to lock the affected volumes, and Romania’s cybersecurity directorate is urging the agency not to negotiate.
  • Core hydrotechnical operations continue manually, but ANAR’s website remains offline as updates move to DNSC’s X account.

Administrația Națională Apele Române (ANAR), the public authority responsible for managing Romania’s water resources, is grappling with a sweeping ransomware incident that has taken down approximately 1,000 systems. It is a broad hit—touching servers, workstations, email infrastructure, and domain controllers—at both the central authority and nearly all river basin management organizations that depend on it.

The attack unfolded on December 20, when an unidentified threat actor struck ANAR’s geographic information system (GIS) servers, database servers, Windows machines, and web services. It is a long list, and a telling one. Hitting that wide a surface at once, domain controllers included, usually means the attacker held domain-level privileges, obtained either quickly through a high-value credential or after a long dwell time spent escalating inside the network. Still, there is no confirmation yet of how the attackers initially gained entry, and ANAR hasn’t offered clues about the specific intrusion path.

Even so, the agency has emphasized that hydrotechnical operations continue, largely because on‑site personnel can maintain physical infrastructure without relying entirely on the encrypted systems. It’s a small detail, but it highlights how operational technology and field teams often become the last line of resilience when digital environments go dark.

For now, ANAR’s website is offline. Public communication is running through the Romanian National Cyber Security Directorate’s (DNSC) X account—something that is becoming a familiar fallback for agencies trying to bypass compromised or unavailable web servers. DNSC has been the primary source for incremental updates, though it hasn’t identified the threat group behind the attack. Interestingly, initial statements point to an approach that doesn’t quite match the big-name ransomware-as-a-service outfits often involved in high‑impact infrastructure incidents.

DNSC reports that the attackers used Windows BitLocker, Microsoft’s built‑in full-volume encryption feature, to lock the affected volumes rather than dropping a custom encryptor. That alone doesn’t tell you everything, but it does suggest a lower level of sophistication than what we typically see in coordinated campaigns by groups like LockBit or Black Basta. BitLocker is a living-off-the-land choice: there is no malware payload for antivirus to flag, but it still requires local administrator rights on every machine, and it leaves ordinary traces, namely manage-bde.exe or Enable-BitLocker process-creation events and entries in the Microsoft-Windows-BitLocker-API/Management event log, that a monitored estate can catch. BitLocker abuse has cropped up in several opportunistic attacks across Europe in the last two years, usually targeting smaller organizations or public institutions without enterprise‑grade segmentation. Whether that specific pattern applies here is unclear, but the tactic aligns with DNSC’s suggestion that this might not be the work of a highly resourced operation.
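DNSC has not published indicators, so the following is an added illustration rather than anything from ANAR, DNSC, or the attackers: a small Python hunt over process-creation telemetry (Sysmon Event ID 1 or Security 4688 as flattened by a SIEM export) that flags the BitLocker command lines an operator-driven encryption run produces, then looks for the same command landing on several hosts in a short window, which is how a fleet-wide volume-encryption attack looks in the logs. The event schema, hostnames, usernames, and timestamps are constructed, and the 30-minute window and three-host threshold are assumptions to tune for your environment.

```python
"""Added example: hunting BitLocker abuse in process-creation telemetry.
Not code from ANAR, DNSC, or any vendor. The event schema, hostnames,
user names and timestamps below are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns of an operator turning BitLocker on, adding a
# protector only the attacker holds, removing existing protectors, or forcing
# recovery mode. manage-bde.exe is the BitLocker CLI (-rp/-pw/-used/-s are its
# own short aliases); the *-BitLocker* names are the PowerShell cmdlets.
RULES = [
    (re.compile(r"manage-bde(\.exe)?\b.*\s-on\b", re.I),
     "BitLocker encryption started from the command line"),
    (re.compile(r"manage-bde(\.exe)?\b.*-protectors\s+-add\b.*\s-(rp|recoverypassword|pw|password)\b", re.I),
     "recovery-password or password protector added"),
    (re.compile(r"manage-bde(\.exe)?\b.*-protectors\s+-(delete|disable)\b", re.I),
     "existing key protector deleted or disabled"),
    (re.compile(r"manage-bde(\.exe)?\b.*\s-forcerecovery\b", re.I),
     "volume forced into recovery mode"),
    (re.compile(r"\b(enable-bitlocker|add-bitlockerkeyprotector|remove-bitlockerkeyprotector)\b", re.I),
     "BitLocker PowerShell cmdlet invoked"),
]

# Constructed events in a flattened SIEM-export shape (assumed schema).
SAMPLE_EVENTS = [
    {"ts": "2025-06-01T01:58:12Z", "host": "dc01", "user": "CORP\\itadmin",
     "cmd": "manage-bde -status C:"},                                   # benign query
    {"ts": "2025-06-01T02:14:07Z", "host": "gis-srv01", "user": "CORP\\svc_ops",
     "cmd": "manage-bde -on D: -UsedSpaceOnly -SkipHardwareTest -RecoveryPassword"},
    {"ts": "2025-06-01T02:14:33Z", "host": "db-srv02", "user": "CORP\\svc_ops",
     "cmd": "manage-bde -on E: -used -s -rp"},                          # same thing, short switches
    {"ts": "2025-06-01T02:15:02Z", "host": "web01", "user": "CORP\\svc_ops",
     "cmd": "manage-bde -on D: -used -s -rp"},
    {"ts": "2025-06-01T02:16:40Z", "host": "gis-srv01", "user": "CORP\\svc_ops",
     "cmd": "manage-bde -forcerecovery C:"},                             # lock the OS volume too
    {"ts": "2025-06-01T09:30:00Z", "host": "wks-117", "user": "CORP\\jdoe",
     "cmd": "powershell.exe -Command Get-BitLockerVolume"},             # benign query
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect(events):
    """Return one alert per (event, rule) match; read-only queries produce none."""
    alerts = []
    for ev in events:
        cmd = ev.get("cmd", "")
        for rx, why in RULES:
            if rx.search(cmd):
                alerts.append({"ts": ev["ts"], "host": ev["host"],
                               "user": ev.get("user", ""), "why": why, "cmd": cmd})
    return alerts


def fleet_wide(alerts, window=timedelta(minutes=30), min_hosts=3):
    """Group alerts by rule and report any rule that fired on at least
    min_hosts distinct hosts inside one sliding window. One admin enabling
    BitLocker on one box is routine; the same command on many servers within
    minutes is what a volume-encryption ransomware run looks like."""
    by_rule = defaultdict(list)
    for a in alerts:
        by_rule[a["why"]].append(a)
    findings = []
    for why, hits in by_rule.items():
        hits.sort(key=lambda a: _ts(a["ts"]))
        for i, first in enumerate(hits):
            start = _ts(first["ts"])
            in_win = [a for a in hits[i:] if _ts(a["ts"]) - start <= window]
            hosts = {a["host"] for a in in_win}
            if len(hosts) >= min_hosts:
                findings.append({"why": why, "first_seen": first["ts"],
                                 "hosts": sorted(hosts),
                                 "users": sorted({a["user"] for a in in_win})})
                break  # one finding per rule is enough for triage
    return findings


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['ts']} {a['host']:<10} {a['user']:<14} {a['why']}: {a['cmd']}")
    for f in fleet_wide(detect(SAMPLE_EVENTS)):
        print(f"FLEET-WIDE: {f['why']} on {len(f['hosts'])} hosts "
              f"from {f['first_seen']} by {f['users']}: {f['hosts']}")
```

On the constructed sample this yields four single-host alerts and one fleet-wide finding (encryption started on three servers inside a minute by the same service account). Legitimate BitLocker rollouts normally arrive through MDM, Group Policy or MBAM rather than interactive manage-bde invocations, so allow-listing the deployment tool's parent process is the first tuning step; a service account running these commands by hand is itself worth a look.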

The attackers reportedly left a ransom note giving ANAR one week to start negotiations. DNSC’s response has been firm: it is advising ANAR not to engage with the perpetrators at all. “We reiterate that DNSC’s strict policy and recommendation towards all victims of ransomware attacks is to neither contact nor negotiate with cyberattackers,” the agency said, warning that negotiations risk encouraging future campaigns.

That guidance tracks with broader European law enforcement sentiment, and you can see why. Paying never guarantees decryption, much less data integrity, and ransom-driven funding loops tend to perpetuate the threat ecosystem. But the question many operational leaders ask—quietly, and often off the record—is how to reconcile that stance when core infrastructure is on the line. What is the right call when public services are disrupted and teams are staring at a week-long recovery horizon? This incident won’t resolve that debate, but it puts the tension back into view.

ANAR’s role in Romania’s critical infrastructure ecosystem is extensive. The agency oversees surface and groundwater resources, manages dams and reservoirs, monitors water quality nationwide, and plays a central role in flood defense and drought prevention. Its systems also support compliance reporting under EU water directives. So even though hydrotechnical activities continue for now, the IT disruption is not trivial. Water resource management is a data-intensive operation, and the longer these systems remain offline, the harder the downstream coordination becomes.

Romania isn’t alone here. Water infrastructure cybersecurity has been under scrutiny globally, especially after incidents involving drinking water suppliers in the UK and investigations into possible ransomware-linked activity in Sweden’s power sector. There is no clear through-line tying those events to what is happening with ANAR, but the clustering of infrastructure-targeting attacks has made regulators nervous enough that several EU countries have started issuing revised advisories. A recent analysis from ENISA noted rising threat activity against midsize public authorities, particularly those with distributed footprints.

In ANAR’s case, river basin administrations appear to have been hit as collateral rather than in independent attacks. That distinction matters for IT leaders supporting multi‑site or federated structures. When centralized infrastructure goes down, dependencies ripple faster than many organizations anticipate, and that is precisely where the pain points show up: shared authentication, shared storage, shared GIS instances. Public agencies don’t always have the budget or staffing to isolate those environments the way private-sector critical infrastructure operators might.

There is also the question of how long restoration will take. DNSC has asked organizations and individuals not to contact ANAR’s IT and communications teams directly, arguing that they need room to work. That is common after large-scale incidents, but it also signals that recovery won’t be immediate. When ransomware hits domain controllers, database servers, and GIS systems simultaneously, the rebuild process isn’t linear. Teams have to reestablish identity services first, since nothing else can be trusted until the domain controllers are rebuilt from known-good media, then validate backups (including confirming they were not reachable, and encrypted, from the compromised domain), verify the integrity of operational data, and resecure endpoints before anything can be brought fully online.

One more point worth noting: the attack lands during a period when many public agencies are operating with holiday staffing levels. It isn’t proof of timing intent, but seasoned responders will tell you December is a period threat actors favor. With ANAR dealing with email, web, and internal system outages, the coordination load gets heavier, not lighter.

For organizations watching from the outside, the incident offers a blunt reminder. Even well-established public institutions can see broad operational disruption from what may be a moderately sophisticated adversary using commodity tools. As ANAR continues recovery efforts, DNSC is expected to provide further updates—most likely through social channels—while the broader investigation into the intrusion path unfolds in the background.