Home LockBit targets Croatia’s largest hospital

LockBit targets Croatia’s largest hospital

July 3rd – Croatia’s largest and most advanced hospital, the University Hospital Centre Zagreb (KBC Zagreb), serves roughly 10,000 citizens daily across two main campuses and three additional locations throughout Zagreb. The hospital also maintains 30 clinics, seven specialized institutes, and over 2,000 beds.

Last week, a cyber attack crippled the hospital system, paralyzing networks. Servers were shut down to prevent the lateral spread of ransomware. Staff were reportedly taken back “50 years – to paper and pencil,” per Croatian radio announcement.

While media reports indicated that patient safety was not compromised, emergency patients were diverted to other hospitals in the region.

LockBit 3.0 ransomware attack

The hospital was compromised by LockBit 3.0, a Russian cyber criminal group that is believed to have previously conducted more than 1,400 cyber attacks around the world.

LockBit claims to have stolen a large trove of administrative and medical data – research papers, medical records, patient exams, surgery data, organ and donation data, employee data, legal documents, medication reserve data and more.

As proof of exfiltration, the group uploaded 12 documents to the internet. The cyber criminals have demanded a ransom payment by July 18th.

Hospital recovery

According to local media reports, KBC Zagreb resumed online operations within 24 hours of the attack. However, restarting systems was no easy feat and required the expertise of more than 100 professionals.

In addition, authorities are initiating a criminal investigation, as to ascertain how the attack happened and its potential impact.

Cyber attack context

The KBC Zagreb incident coincided with multiple cyber attacks on Croatian government agencies, which were conducted by another Russian-linked group.

The group is known as NoName057(16). Previously, it has attacked the infrastructure of pro-Ukraine nations. NoName insisted that it was not responsible for the medical facility attack, emphasizing that the group wanted to target government agencies, not civilians.

For more on this story, click here. For information about a cyber attack that affected 100 hospitals simultaneously, click here. Lastly, to receive cyber security thought leadership articles, groundbreaking research and emerging threat analyses each week, subscribe to the CyberTalk.org newsletter.