Romanian national water agency hit by BitLocker ransomware attack

Romania’s national water management agency announced on Sunday that it had been hit by a ransomware attack that left staff locked out of approximately 1,000 computer systems.

The attack has impacted equipment from workstations through to servers, but the National Directorate of Cyber Security said operational technologies, including hydrotechnical infrastructure such as dams and flood defenses, were unaffected.

Normal operations are continuing throughout the water agency’s infrastructure, albeit with staff being forced to use telephone and radio for their communications as the cyberattack has impacted email servers.

Unlike traditional ransomware attacks that introduce encryption software from outside of the host network, the Romanian authorities’ initial technical assessment was that the attackers in this instance had used the legitimate Windows tool BitLocker to attempt to hold the organization to ransom.

The use of so-called LOLBins (living off the land binaries) — such as existing Windows tools — helps attackers evade security controls when traversing and manipulating victims’ networks.

Research by Kaspersky Labs published last year identified a wave of such ransomware attacks targeting victims in Mexico, Indonesia and Jordan — including companies in steel and vaccine manufacturing, and a government entity.

Last year, cybersecurity company Bitdefender said the ShrinkLocker malware — a script being used to turn the legitimate BitLocker tool against system users — was being used by “multiple individual threat actors for simpler attacks” targeting legacy Windows systems.

According to the Romanian cybersecurity agency, the attackers have issued a ransom note demanding to be contacted within seven days. It stressed that its own “policy and strict recommendation” is that victims neither engage nor negotiate with cyber extortionists.


Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.

 
