
Cyber Incident Victim: Lotnicze Pogotowie Ratunkowe

Date: Feb 2022

Location: Poland

Summary

A ransomware attack by the HIVE group targeted a Polish air ambulance service, demanding 1.5 million PLN (approximately $390,000) for decryption, though the organization refused negotiations. Critical systems including email, website functionality, and emergency dispatch data transmission were encrypted, forcing operations to continue via alternative communication methods like private email accounts and mobile phones. While medical rescue flights proceeded normally, IT teams worked to rebuild systems amid concerns that backups might also have been compromised. The attackers potentially exfiltrated data prior to encryption, though the scope remains unconfirmed. The incident sparked unfounded conspiracy theories linking it to unrelated national emergencies, but authorities confirmed no such connections. The victim coordinated response efforts with national police, cybersecurity agencies, and health ministry officials throughout the disruption.

Description

On the night of February 13-14, 2022, Lotnicze Pogotowie Ratunkowe (LPR), Poland's air ambulance service, suffered a ransomware attack that crippled critical IT infrastructure. Attackers deployed HIVE ransomware, encrypting data and disabling systems essential for emergency operations, including the website, email servers, and the intervention information transmission system used by rescue teams. The compromise occurred after an employee reportedly clicked a malicious email attachment. LPR immediately initiated emergency protocols, with IT staff instructing regional bases to physically disconnect all servers from power to contain the spread. While medical helicopters continued flight operations using alternative communication methods (private email accounts and mobile phones), the organization reverted to manual processes resembling pre-digital workflows. Attackers demanded 390,000 USD (1.5 million PLN) for decryption, but LPR's director refused negotiations.

The attack caused sustained operational disruptions lasting at least one week, with systems remaining offline as of February 20. The extended recovery period suggested potential compromise of backup systems. Despite maintaining emergency response capabilities through redundant procedures designed for crisis scenarios, personnel faced significant workflow complications without computer support. LPR collaborated with multiple response entities including the National Police Headquarters, Warsaw Metropolitan Police, Ministry of Health, CERT Poland, and the Internal Security Agency's Cybercrime Bureau (CeZ). Public speculation emerged linking the incident to unrelated events—a February 15 U.S. military helicopter evacuation and a nationwide ALFA-CRP emergency state declared over Ukraine tensions—but authorities confirmed no connection. LPR initially withheld public statements for seven days before confirming attack details via Facebook on February 21, identifying the ransomware strain and ransom demand while emphasizing non-negotiation. No evidence confirmed data exfiltration, though ransomware groups commonly steal information before encryption. The incident highlighted systemic resilience in medical emergency services but exposed vulnerabilities in IT infrastructure maintenance and incident communication protocols.
