This post is also available in: heעברית (Hebrew)

Three hospitals in Germany suffered severe ransomware attacks on December 24th, which forced them to shut down their entire IT systems. As part of the three attacks, an unknown threat actor gained unauthorized access to the hospitals’ IT systems infrastructure and encrypted the data, in what was likely a cyberattack of LockBit 3.0.

When the hospitals became aware of the incidents all IT systems were shut down for safety reasons, and all necessary people and institutions were informed. The extent of the damage caused by this incident is still unclear.

Dr. Jan Schlenker, Managing Director of the Catholic Hospital Association of East Westphalia, said about the incident “We immediately established a crisis team that night and began analyzing the situation. Access to all systems was immediately blocked. Thanks to our security systems, patient data is still available for patient treatment.”

He also confirmed that patient care is ensured, and the clinics are operating with minor technical limitations with backup efforts in progress. However, hospitals have withdrawn from emergency care for security reasons. KHO’s network of hospitals includes six facilities in Germany.

According to Cybernews, LockBit 3.0 is a ransomware developed by the ransomware cybergang LockBit, currently one of the most active threat actors worldwide. According to CISA, LockBit implemented a ransomware-as-a-service model, where affiliates are recruited to conduct ransomware attacks using LockBit tools and infrastructure. The vast number of unconnected affiliates in the operation means that LockBit ransomware attacks tend to vary significantly in observed tactics, techniques, and procedures.

The group is said to have performed over 1,400 attacks against victims worldwide, the largest victims include Boeing, Commercial Bank of China (ICBC), DP World Australia (one of Australia’s largest port operators), and many more.