
Romania hit by ransomware attack as 1,000 government computers taken offline in water authority breach


Romania’s water management authority has been hit by a serious ransomware attack that forced around 1,000 computers to be taken offline. The incident affected 10 of the country’s 11 regional offices and disrupted many essential digital services. The attack involved ransomware that encrypted systems and temporarily shut down internal operations. Despite the scale of the incident, water supply across the country continued without interruption.

The attackers used hostile data encryption and left a message demanding that the institution contact them within seven days. No criminal group has claimed responsibility so far. Authorities are still working to understand how the attackers gained access and how the encryption was carried out.

IT Systems Disrupted Across Regional Offices

The cyberattack caused widespread disruption to the authority’s information technology systems. As a safety measure, around 1,000 computers were taken offline to prevent further damage. The affected regional offices lost access to key digital tools used for daily work.

Systems impacted by the attack included email services, web platforms, internal databases, and Geographic Information Systems used for mapping and planning water resources. Windows workstations and domain name servers were also affected, making it difficult for staff to log in, communicate, or access stored information.


Even with these digital systems offline, physical water management operations continued to function normally. Authorities confirmed that water control activities were carried out through dispatch centers and voice communications. Pumps, pipelines, and treatment facilities were not impacted by the cyberattack.

As a result, households and businesses across Romania continued to receive water without disruption. Officials stressed that no water control systems were compromised and that all operational activities remained within normal parameters.

Ransomware Used Windows BitLocker Encryption

One unusual aspect of this attack was the use of BitLocker, a legitimate encryption tool built into Microsoft Windows. Instead of using a custom ransomware program, the attackers used BitLocker to encrypt systems and lock users out.

BitLocker is normally used to protect data, but when misused, it can function like ransomware. Once activated by attackers, systems become inaccessible without the correct recovery keys. This method can make detection and recovery more difficult because it relies on trusted system software.

The attackers left a ransom message but did not publicly disclose their demands. At this stage, there is no confirmation that any data was stolen. Romania’s National Directorate for Cyber Security, known as DNSC, stated that the attack vector has not yet been identified.


The DNSC is working alongside the Romanian Intelligence Service to investigate the incident and restore affected systems. Officials have not released further technical details while the investigation is ongoing.
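Because BitLocker is trusted system software, defenders usually look for who started encryption or changed key protectors rather than for a malicious binary. The sketch below is an added example, not code from the article or from DNSC. It triages process-creation events for the documented `manage-bde` switches and BitLocker PowerShell cmdlets that do this. The event field names, the management agent path and the host threshold are assumptions, and the article does not say how BitLocker was invoked in this incident.

```python
import re

# Hypothetical allowlist: the only parent process expected to manage BitLocker here.
APPROVED_PARENTS = {r"c:\program files\exampleagent\agent.exe"}

# manage-bde switches and BitLocker cmdlets that start encryption or change
# which key protectors can unlock a volume. Read-only queries are not matched.
RISKY = re.compile(
    r"manage-bde(\.exe)?\b.*\s-(on|protectors\s+-(add|delete)|changepassword|forcerecovery)\b"
    r"|\b(enable-bitlocker|add-bitlockerkeyprotector|remove-bitlockerkeyprotector)\b",
    re.IGNORECASE,
)

def triage(events, host_threshold=3):
    """Return (alerts, burst); burst is True when enough distinct hosts alert."""
    alerts, hosts = [], set()
    for ev in events:
        if not RISKY.search(ev["cmd"]):
            continue  # status checks and unrelated commands
        if ev["parent"].lower() in APPROVED_PARENTS:
            continue  # launched by the approved management agent
        alerts.append((ev["host"], ev["user"], ev["cmd"]))
        hosts.add(ev["host"])
    return alerts, len(hosts) >= host_threshold

# Constructed sample events (not taken from the incident).
AGENT = r"C:\Program Files\ExampleAgent\agent.exe"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [
    {"host": "ws01", "user": "alice", "parent": CMD, "cmd": "manage-bde -status C:"},
    {"host": "ws02", "user": "SYSTEM", "parent": AGENT, "cmd": "manage-bde.exe -on C:"},
    {"host": "ws03", "user": "svc_x", "parent": CMD, "cmd": "manage-bde.exe -on C:"},
    {"host": "ws04", "user": "svc_x", "parent": PS,
     "cmd": "powershell.exe -Command Add-BitLockerKeyProtector -MountPoint C:"},
    {"host": "ws05", "user": "svc_x", "parent": CMD,
     "cmd": "manage-bde -protectors -delete C:"},
    {"host": "ws06", "user": "bob", "parent": CMD, "cmd": "manage-bde -protectors -get C:"},
]

if __name__ == "__main__":
    alerts, burst = triage(SAMPLE)
    for host, user, cmd in alerts:
        print(f"ALERT {host} {user}: {cmd}")
    print("multi-host burst:", burst)
```

In practice the events would come from process-creation logging on the endpoints, and the multi-host flag is the more useful signal, since a single workstation enabling BitLocker is routine.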

Similar Infrastructure Attacks Seen Across Europe

Although no group has claimed responsibility for the Romanian cyberattack, the incident follows a pattern seen in other European countries. Cyberattacks targeting infrastructure systems such as water, transportation, and government services have become more frequent.

In Denmark, a cyberattack in 2024 targeted water control systems and caused real-world damage. A pro-Russian group called Z-Pentest managed to change water pressure settings, leading to burst pipes in the town of Køge. Around 500 homes were left without water for several hours.

Denmark also experienced another incident in 2025, when the pro-Russian group NoName057(16) launched a distributed denial-of-service attack on Danish websites ahead of elections. Germany has reported similar concerns, linking a 2024 cyberattack on air traffic control systems to the hacking group Fancy Bear.

Some European countries have described these incidents as part of a broader “hybrid war,” involving cyberattacks on critical infrastructure. In Romania’s case, authorities have not confirmed any link to foreign actors. Investigations remain focused on restoring systems and securing the affected networks.
