When BitLocker becomes a weapon – lessons from the ransomware attack on the Romanian water authority

This week a particularly instructive, and alarming, cybersecurity incident came to light: the Romanian National Water Authority (Administrația Națională Apele Române) was hit by a ransomware attack. The attackers used a BitLocker-based method, and although the OT systems controlling the water infrastructure were ultimately not compromised, the damage to the IT environment is in itself a serious operational and regulatory risk.

According to the available information, approximately 1,000 workstations became unusable and 10 of the 11 regional offices were affected. GIS systems, databases, email services and web servers were down while the attackers demanded a ransom. The incident shows once again that for an organization operating critical infrastructure, the failure of the IT systems alone is enough to jeopardize its basic tasks.

However, one of the most important lessons of the story is not the fact of the attack itself but the way it happened. The attackers did not deploy a classic, easily recognizable ransomware payload; they turned a legitimate system function, BitLocker drive encryption, into the weapon. After the initial intrusion they moved laterally through the network and then enabled encryption on each host locally, the usual pattern being key protectors that only the attackers hold. Traditional antivirus and EDR tooling has little to hold on to here: there is no malicious binary to "see", because the encryption is performed by a signed, built-in Windows component (manage-bde.exe, the BitLocker PowerShell cmdlets or the Win32_EncryptableVolume WMI class). What does remain visible is the behaviour around it: new password or recovery-password protectors being added, the TPM protector being removed, recovery being forced, all of it launched from an administrative session rather than from the deployment agent that normally manages BitLocker. Those signals only help if the telemetry is collected (process creation with command lines, the BitLocker operational log) and someone is alerting on it.
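To make that detection point concrete, here is an added example, written for this page and not code from the article or from any vendor it mentions, that scans process-creation telemetry for the BitLocker commands such an attack has to run. It assumes Windows Security event 4688 with command-line auditing enabled (or Sysmon event 1) is being collected; the sample records, hostnames, users, parent processes and the management-agent allowlist are constructed and must be tuned to the real estate.

```python
"""Added example (not from the original article or any vendor it names):
flag BitLocker being turned into a ransomware tool from process-creation
telemetry. Records below are constructed; hostnames, users, parent processes
and the management-agent allowlist are assumptions to tune locally."""
import base64
import re


def encode_powershell(script: str) -> str:
    """PowerShell -EncodedCommand expects base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample telemetry (assumed shape of 4688 / Sysmon 1 after parsing).
# Record 1 is legitimate deployment by the SCCM agent; records 2-7 mirror the
# steps of a BitLocker-based ransomware run launched over WinRM (wsmprovhost.exe):
# attacker-controlled protectors, TPM protector removed, recovery forced.
SAMPLE_EVENTS = [
    {"host": "WS-0412", "user": r"CORP\jdoe", "parent": "explorer.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /c dir'},
    {"host": "WS-0412", "user": r"CORP\svc_deploy", "parent": "CcmExec.exe",
     "cmd": "manage-bde -on C: -RecoveryPassword -UsedSpaceOnly"},
    {"host": "WS-0417", "user": r"CORP\Administrator", "parent": "wsmprovhost.exe",
     "cmd": "manage-bde -protectors -add D: -pw"},
    {"host": "WS-0417", "user": r"CORP\Administrator", "parent": "wsmprovhost.exe",
     "cmd": "manage-bde -protectors -delete C: -type tpm"},
    {"host": "WS-0417", "user": r"CORP\Administrator", "parent": "wsmprovhost.exe",
     "cmd": "manage-bde -forcerecovery C:"},
    {"host": "SRV-GIS1", "user": r"CORP\Administrator", "parent": "wsmprovhost.exe",
     "cmd": 'powershell.exe -nop -w hidden -c "Enable-BitLocker -MountPoint D: '
            '-PasswordProtector -Password $p -SkipHardwareTest"'},
    {"host": "SRV-GIS1", "user": r"CORP\Administrator", "parent": "wsmprovhost.exe",
     "cmd": "powershell.exe -nop -w hidden -enc " + encode_powershell(
         "Add-BitLockerKeyProtector -MountPoint C: -RecoveryPasswordProtector")},
    {"host": "SRV-DB2", "user": r"CORP\Administrator", "parent": "wsmprovhost.exe",
     "cmd": r"powershell.exe -c (gwmi -Namespace root\cimv2\Security\MicrosoftVolumeEncryption "
            r"Win32_EncryptableVolume).ProtectKeyWithPassphrase($null,$secret)"},
    {"host": "WS-0412", "user": r"CORP\jdoe", "parent": "explorer.exe",
     "cmd": "manage-bde -status"},
]

SW = r"[-/]"  # manage-bde accepts both switch prefixes
RULES = [
    ("bitlocker_encryption_started",
     re.compile(rf"manage-bde(?:\.exe)?\s+{SW}on\b", re.I)),
    ("bitlocker_protector_added",
     re.compile(rf"manage-bde(?:\.exe)?\s+{SW}protectors\s+{SW}add\b", re.I)),
    ("bitlocker_tpm_protector_removed",
     re.compile(rf"manage-bde(?:\.exe)?\s+{SW}protectors\s+{SW}delete\b.*{SW}type\s+tpm\b", re.I)),
    ("bitlocker_forced_recovery",
     re.compile(rf"manage-bde(?:\.exe)?\s+{SW}forcerecovery\b", re.I)),
    ("bitlocker_ps_cmdlet",
     re.compile(r"\b(?:Enable-BitLocker|Add-BitLockerKeyProtector|"
                r"Remove-BitLockerKeyProtector|Lock-BitLocker)\b", re.I)),
    ("bitlocker_wmi_method",  # Win32_EncryptableVolume methods
     re.compile(r"\b(?:ProtectKeyWithPassphrase|ProtectKeyWithNumericalPassword|"
                r"DeleteKeyProtectors?|EncryptAfterHardwareTest)\b", re.I)),
]

# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe.
ENCODED = re.compile(r"-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# Assumption: parents that legitimately drive BitLocker in this estate.
MANAGEMENT_PARENTS = {"ccmexec.exe", "mbamagent.exe", "intunemanagementextension.exe"}


def decode_encoded_command(cmd: str) -> str:
    """Return the decoded -EncodedCommand payload, or '' if absent or invalid."""
    m = ENCODED.search(cmd)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def scan_command(cmd: str) -> list:
    """Names of the rules matching the command line, after decoding any
    encoded PowerShell so the cmdlet names are visible to the regexes."""
    decoded = decode_encoded_command(cmd)
    text = f"{cmd}\n{decoded}" if decoded else cmd
    return [name for name, rx in RULES if rx.search(text)]


def analyze(events: list) -> list:
    """One alert per matching record; parent process decides the severity."""
    alerts = []
    for ev in events:
        hits = scan_command(ev["cmd"])
        if not hits:
            continue
        managed = ev["parent"].lower() in MANAGEMENT_PARENTS
        alerts.append({
            "host": ev["host"], "user": ev["user"], "rules": hits,
            "severity": "low" if managed else "high",
            "note": ("launched by a management agent; confirm the recovery key was escrowed"
                     if managed else
                     f"launched from {ev['parent']}; a protector nobody escrowed is the ransom lever"),
        })
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[{a['severity'].upper()}] {a['host']} {a['user']}: "
              f"{', '.join(a['rules'])} ({a['note']})")
```

The alert worth paging on is a protector added or the TPM protector removed from an interactive or remote admin session with no matching recovery key escrowed in Active Directory, Entra ID or MBAM. None of this works unless the audit policy option "Include command line in process creation events" (or Sysmon) is enabled on the hosts; without the command line, 4688 only shows manage-bde.exe starting.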

This is exactly the scenario that reactive, signature-based protection is not prepared for. By the time the EDR alerts, the data is already encrypted, business operations have stopped, and the organization faces a choice: pay, or start a lengthy recovery. For an institution operating critical infrastructure under NIS2, this is not only a technical issue but a regulatory and liability one as well.

And here comes the real "what if" question. Truly preventive, AI-based endpoint protection would have intervened much earlier in this case. Deep Instinct's deep learning technology, for example, does not decide on the basis of behavioural patterns or known signatures; it analyses the mathematical characteristics of the code and blocks it before execution, so that unknown, zero-day ransomware never reaches the point of doing damage. One caveat a practitioner should keep in mind: in a BitLocker-based attack the encryption itself is performed by a signed Windows component, which pre-execution file analysis will not block. What it can stop is the attacker's own tooling (the initial payload, loaders, lateral-movement tools) in the stages before BitLocker is ever invoked, which is exactly where an attack like this one has to be stopped.

Another advantage of the solution is that it combines NGAV and EDR in one agent, with a very low false-positive rate that does not overload SOC teams, and it can make decisions even in offline environments. If this is supplemented with the Stellar Cyber XDR platform, the result is a complete picture of attack attempts not only on the endpoints but also on the network and server side.

The case of the Romanian water authority is a perfect example of why, once BitLocker is already encrypting, it is too late. At that point the data, the systems and the operations are gone; all that remains is crisis management. With a preventive approach, by contrast, there is no data loss, no ransom and no forced shutdown.

The question today is no longer whether an organization will be attacked. The question is whether we will notice in time, or whether the attack is stopped before it gets that far at all. For critical infrastructures and NIS2-affected organizations, this is not a technological luxury but a basic requirement.
