Ransomware Attack Disrupts Wertachkliniken Operations in Germany

Incident Date: September 19, 2024

Overview

Title: Ransomware Attack Disrupts Wertachkliniken Operations in Germany

Victim: Wertachkliniken

Attacker: Cloak

Location: Bobingen, Germany

First Reported: September 19, 2024

Ransomware Attack on Wertachkliniken by Cloak Group Disrupts Operations

In early September, the Wertachkliniken, comprising healthcare facilities in Bobingen and Schwabmünchen, experienced a severe ransomware attack by the Cloak group. This incident has significantly disrupted their operations, forcing the clinics to revert to analog emergency structures and cancel planned surgeries.

Overview of Wertachkliniken

Wertachkliniken operates in the Hospitals & Physicians Clinics sector, providing a range of medical services aimed at ensuring high-quality patient care. The clinics are known for integrating competence, innovation, and humanity in their healthcare approach. They offer specialized treatments and pain management programs, emphasizing patient involvement in care decisions. The clinics are currently undergoing significant changes to enhance operational efficiency, including plans to consolidate operations into a single location near the B17 highway in southern Augsburg by 2029.

Details of the Attack

The ransomware attack paralyzed the IT systems at Wertachkliniken, affecting their server systems and leading to the encryption of virtual servers within the hospital’s information system. The cybercrime department in Augsburg, in collaboration with the clinics' IT experts, is investigating the incident. Cloak has claimed responsibility for the attack, revealing that it has breached the clinics and leaked 291 GB of data. The group's post initially concealed the victim's name, which was later fully disclosed. Efforts are underway to restore critical processes at the clinics, though there is no clear timeline for the full resumption of regular operations.

About Cloak Ransomware Group

Cloak ransomware is a relatively new group that emerged between late 2022 and early 2023. The group is financially motivated and primarily targets sectors such as medical, real estate, construction, IT, food industry, and manufacturing, with a particular focus on Europe. Cloak uses double extortion tactics, encrypting files and threatening to leak stolen data. They operate a data leak site where they sell and publish stolen data from victims. The group likely purchases initial access from Initial Access Brokers (IABs) and may leverage compromised employee credentials obtained through info-stealers like Lumma, Aurora, and RedLine.

Vulnerabilities and Impact

Wertachkliniken's vulnerabilities were exposed through this attack, highlighting the risks associated with their operational infrastructure. The clinics' reliance on digital systems for patient care and administrative functions made them a prime target for ransomware groups like Cloak. The attack has not only disrupted medical services but also raised concerns about the potential exposure of sensitive patient data. The clinics are working diligently to secure and analyze the compromised data while informing patients of cancellations directly.
