LockBit Ransomware Disrupts Croatia's Largest Hospital

Incident Date: July 1, 2024

Overview

Victim: KBC Zagreb (University Hospital Centre Zagreb)

Attacker: Lockbit3

Location: Zagreb, Croatia

First Reported: July 1, 2024

Analysis of the LockBit Ransomware Attack on KBC Zagreb

Victim Profile: University Hospital Centre Zagreb

The University Hospital Centre Zagreb (KBC Zagreb) stands as Croatia's largest hospital, playing a dual role in the nation's healthcare system by providing extensive medical services and serving as a primary educational institution. With over 5,000 employees, KBC Zagreb offers advanced medical procedures and diagnostics, including MSCT, MR spectroscopy, and PET-scans, among others. As a central national hospital, it is recognized by the Croatian Ministry of Health and hosts 70 referral centers, making it a beacon of medical excellence and innovation in Croatia.

Vulnerabilities to Ransomware Attacks

Given its significant role and the sensitive nature of the data it handles, KBC Zagreb's IT infrastructure is a critical asset that, if compromised, can lead to severe consequences not only for the institution but also for the broader public health system. The integration of advanced digital technologies in healthcare, while beneficial, also increases the potential attack surface for cybercriminals. Hospitals, with their need for immediate data access and the critical nature of their services, often become prime targets for ransomware attacks: operational disruption can quickly lead to life-threatening situations, which increases the likelihood of a ransom being paid.

Attack Overview

Last week, KBC Zagreb experienced a significant disruption when it fell victim to a ransomware attack by the group known as LockBit. The attack led to the shutdown of the hospital's IT systems for an entire day, forcing a return to manual record-keeping and causing substantial operational disruptions, particularly in emergency services. Patients in need of urgent care were redirected to other facilities, underscoring the attack's immediate impact on patient care and hospital operations.

Ransomware Group: LockBit

LockBit, a notorious ransomware-as-a-service (RaaS) group, has been highly active since its emergence in 2019. Known for its sophisticated encryption methods and ruthless double extortion tactics, LockBit encrypts victim data and threatens to publish it unless a ransom is paid. This group primarily targets vulnerabilities in Remote Desktop Protocol (RDP) services and unsecured network shares to infiltrate and spread across networks. The recent attack on KBC Zagreb highlights the group's continued threat to global cybersecurity, particularly following a brief disruption of their operations earlier in the year.

Potential Entry Points and System Penetration

While the specific vector used in the KBC Zagreb attack has not been publicly disclosed, LockBit's known strategies suggest possible exploitation of unpatched software vulnerabilities or inadequately secured RDP setups. The group's capability to move laterally across a network also means that a single entry point might have been sufficient to spread the ransomware across the hospital's entire network.
