Connect with us

Hi, what are you looking for?



Ransomware Attack Knocks 100 Romanian Hospitals Offline

Romanian hospitals turn to pen and paper after ransomware attack on centralized healthcare management system.

Romanian hospitals turned to using pen and paper for record keeping on Monday morning after a file-encrypting ransomware attack on a widely used healthcare management system.

Over the weekend, a threat actor targeted the Hipocrate Information System (HIS) and deployed the Backmydata ransomware, which encrypted data pertaining to 26 hospitals across the country. The HIS system was knocked offline as well.

According to Romania’s National Cyber Security Directorate (DNSC), the attackers first encrypted the data of a children’s hospital on Saturday, February 10, with the rest of the facilities targeted between February 11 and February 12.

DNSC also says that 74 other healthcare facilities connected to the HIS system have been cut off from the internet while investigators are trying to determine whether they have been affected as well.

According to DNSC, most of the impacted hospitals have fresh backups of their data, which should allow for fast restoration of all systems. At one facility, however, the backup does not include the last 12 days of data.

On Tuesday, DNSC announced that the number of impacted hospitals has increased to 26 and that the attackers have made a 3.5 Bitcoin (roughly $175,000) ransom demand. Victims, however, are advised to refrain from contacting the attackers and paying up.

DNSC has told all hospitals to isolate the impacted systems, save the ransom notes and system logs, investigate the logs to identify the point of entry, keep the impacted systems on so that evidence can be retrieved from memory, inform all relevant parties of the incident, restore the impacted systems using backups, and ensure that all applications and operating systems are up to date.

A cancer treatment organization told a local news outlet on Monday that all servers were shut down and that the internet was disconnected to prevent data leaks. At this hospital alone, more than 180 patient admissions were registered on paper on Monday and blood work was printed on paper as well.

Advertisement. Scroll to continue reading.

The Backmydata ransomware used in this attack is part of the Phobos family, which typically infects systems by exploiting flaws in Remote Desktop Protocol (RDP) services, including weak login credentials.

On the infected systems, Backmydata achieves persistence, disables firewalls, deletes volume shadow copies, and encrypts and exfiltrates data.

In their ransom note, the cybercriminals claim to have stolen confidential data that will be sold if a ransom is not paid, and provide an email address that victims should use for communication.

Related: A Chicago Children’s Hospital Has Taken Its Networks Offline After a Cyberattack

Related: Ardent Hospitals Diverting Patients Following Ransomware Attack

Related: Ransomware Gang Leaks Data Allegedly Stolen From Canadian Hospitals

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.


Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.

Data Breaches

Sony shares information on the impact of two recent unrelated hacker attacks carried out by known ransomware groups. 

Data Breaches

KFC and Taco Bell parent company Yum Brands says personal information was compromised in a January 2023 ransomware attack.


Alphv/BlackCat ransomware group files SEC complaint against MeridianLink over its failure to disclose an alleged data breach caused by the hackers.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.