Cyber Incident Victim: Azienda Ospedaliera SS. Antonio e Biagio e Cesare Arrigo
Date: Dec 2022
Location: Italy
Summary
The Azienda Ospedaliera SS. Antonio e Biagio e Cesare Arrigo suffered a cyberattack by the Ragnar Locker group, which exfiltrated approximately 1 TB of sensitive data, including personal information, medical records, financial reports and departmental documents, without encrypting any systems. The attackers claimed full compromise of the network and criticized the organization's IT security posture, alleging that staff failed to detect the breach and initially denied it even when shown evidence. Ragnar Locker threatened to publish the stolen data unless the hospital made contact, stressing that it had avoided actions that would directly endanger patient health while accusing the hospital of inadequate data protection. The group's own statements attributed the breach to administrative incompetence and budget mismanagement; whatever the merit of those claims, the incident exposed real weaknesses in detection and response.
Description
On or around December 1, 2022, the Azienda Ospedaliera SS. Antonio e Biagio e Cesare Arrigo (AOAL) in Alessandria, Italy, suffered a cyberattack attributed to the Ragnar Locker ransomware group. The reported initial access vector was the hospital's exposed Remote Desktop Protocol (RDP) services, reached either by brute-forcing logons or by using stolen credentials bought on dark web markets; the available sources do not establish which. Once inside, the threat actors escalated privileges and, consistent with the group's documented tradecraft, deployed a VirtualBox virtual machine running a stripped-down Windows XP image on a compromised host. The host's local drives were mapped into the guest as readable and writable shared folders, so a payload running inside the VM could read and write the entire file system while host-based security tools, which see only a legitimate VirtualBox process, did not inspect what the guest was doing. The same guest-side access that normally serves encryption also serves bulk collection of files, and in this intrusion no encryption was reported.
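As an added example, not code from the page or from any incident report, the following Python models detection logic for the two stages just described: a burst of RDP logon failures from one source that ends in a successful type-10 logon from the same source (brute force or credential reuse that worked), and VBoxManage sharing a host drive into a guest and then starting that guest headless. The Windows event IDs are real (4625 failed logon, 4624 successful logon, logon type 10 for RemoteInteractive, 4688 process creation); the sample events, hostnames, IP addresses, usernames and the VM name "micro" are constructed for the example.

```python
"""Added example: detection checks for RDP brute force followed by success, and for
VirtualBox host-drive sharing, run over constructed Windows Security events."""
import re
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_events():
    """Constructed sample events; fields mirror what the Windows Security log carries."""
    base = datetime(2022, 12, 1, 2, 0, 0)
    ev = []
    # 25 RDP logon failures from one external IP, 8 s apart, then a success as a
    # different account: the brute force (or a stolen credential) worked.
    for i in range(25):
        ev.append({"ts": base + timedelta(seconds=8 * i), "id": 4625, "logon_type": 10,
                   "src": "203.0.113.5", "user": "administrator"})
    ev.append({"ts": base + timedelta(seconds=230), "id": 4624, "logon_type": 10,
               "src": "203.0.113.5", "user": "svc_backup"})
    # Benign noise: an internal user mistypes a password once, then logs on.
    ev.append({"ts": base + timedelta(hours=5), "id": 4625, "logon_type": 10,
               "src": "10.20.30.40", "user": "mrossi"})
    ev.append({"ts": base + timedelta(hours=5, seconds=20), "id": 4624, "logon_type": 10,
               "src": "10.20.30.40", "user": "mrossi"})
    # VirtualBox stage: share the host's C: drive into a guest, then start it headless.
    vbox = r'"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe"'
    ev.append({"ts": base + timedelta(hours=6), "id": 4688, "host": "FILESRV01",
               "cmd": vbox + r' sharedfolder add "micro" --name "C_DRIVE" --hostpath "C:\" --automount'})
    ev.append({"ts": base + timedelta(hours=6, seconds=5), "id": 4688, "host": "FILESRV01",
               "cmd": vbox + r' startvm "micro" --type headless'})
    return ev


def detect_rdp_bruteforce(events, threshold=20, window=timedelta(minutes=10)):
    """Flag a source with >= threshold RDP logon failures (4625, type 10) inside `window`,
    and record any successful type-10 logon from the same source within `window`
    after the burst: that is the signal that the attack actually got in."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        if e.get("logon_type") != 10:
            continue  # only RemoteInteractive (RDP) logons matter here
        if e["id"] == 4625:
            failures[e["src"]].append(e["ts"])
        elif e["id"] == 4624:
            successes[e["src"]].append((e["ts"], e["user"]))
    alerts = []
    for src, times in failures.items():
        times.sort()
        for i, start in enumerate(times):
            burst = [t for t in times[i:] if t - start <= window]
            if len(burst) >= threshold:
                last = burst[-1]
                followed = [u for t, u in successes[src] if last <= t <= last + window]
                alerts.append({"src": src, "failures": len(burst), "first": start,
                               "last": last, "success_as": followed})
                break  # one alert per source
    return alerts


# Hypothetical patterns for VBoxManage command lines seen in 4688 process creation events.
VBOX_SHAREDFOLDER = re.compile(
    r'VBoxManage(?:\.exe)?"?\s+sharedfolder\s+add\s+"?(?P<vm>[^"\s]+)"?'
    r'.*?--hostpath\s+"?(?P<path>[^"]+?)"?(?:\s|$)', re.I)
VBOX_STARTVM = re.compile(r'VBoxManage(?:\.exe)?"?\s+startvm\s+"?(?P<vm>[^"\s]+)', re.I)


def detect_vbox_drive_mapping(events):
    """Return {vm_name: {host, shared_paths, root_drive, started}} for guests that had
    host folders shared into them; sharing a drive root (e.g. C:\\) is the high-signal
    indicator, and a subsequent headless start completes the pattern."""
    findings = {}
    for e in events:
        if e["id"] != 4688:
            continue
        m = VBOX_SHAREDFOLDER.search(e["cmd"])
        if m:
            f = findings.setdefault(m["vm"], {"host": e["host"], "shared_paths": [],
                                               "root_drive": False, "started": False})
            f["shared_paths"].append(m["path"])
            f["root_drive"] = f["root_drive"] or bool(re.fullmatch(r"[A-Za-z]:\\?", m["path"]))
            continue
        m = VBOX_STARTVM.search(e["cmd"])
        if m:
            f = findings.setdefault(m["vm"], {"host": e["host"], "shared_paths": [],
                                               "root_drive": False, "started": False})
            f["started"] = True
    return findings


def run(events=None):
    """Run both detections; returns (rdp_alerts, vbox_findings)."""
    events = constructed_events() if events is None else events
    return detect_rdp_bruteforce(events), detect_vbox_drive_mapping(events)


if __name__ == "__main__":
    alerts, findings = run()
    for a in alerts:
        print(f"RDP brute force from {a['src']}: {a['failures']} failures, "
              f"then logon as {a['success_as'] or 'nobody'}")
    for vm, f in findings.items():
        print(f"VirtualBox guest '{vm}' on {f['host']}: shares {f['shared_paths']}, "
              f"root drive={f['root_drive']}, started={f['started']}")
```

The second check is only useful on hosts where VirtualBox has no business running, which on a hospital file or application server is the normal case; an allow-list of hosts expected to run hypervisors belongs in front of it. The single benign mistyped password in the sample does not trip the first check, which is why the threshold and window are parameters rather than constants.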

Ragnar Locker exfiltrated approximately 1 terabyte of sensitive data, including patient personal information, medical records, financial reports and departmental documents, while deliberately refraining from file encryption, a departure from its usual ransomware operations. The attackers published samples on their dark web leak site, about 37 gigabytes that they described as 5% of the stolen data, and threatened full publication unless the hospital entered negotiations.

The group claimed that roughly 130 accounts held domain administrator rights and that none of their holders detected or contained the intrusion; if the count is accurate, it is itself a privileged-access failure, quite apart from the lack of detection. Ragnar Locker later criticized AOAL's IT staff for negligence in perimeter defense and incident response, stating that hospital employees denied any breach during phone calls until the attackers provided evidence of the compromised data in live chat sessions. In public statements after the breach the group asserted that it had avoided life-threatening disruption, while demanding the wholesale replacement of AOAL's IT personnel, competency testing and an audit of budget misuse.

The incident exposed systemic weaknesses in the hospital's security posture: inadequate detection capability, and a failure to act on indicators that were in plain sight, such as the readme files the attackers left on compromised systems. Potential impact included exposure of hundreds of thousands of sensitive records, although no operational disruption affecting patient care was acknowledged.

Ragnar Locker is an established ransomware operation that targets critical infrastructure sectors. The FBI had previously flagged the group, reporting at least 52 compromised organizations across sectors including energy, finance, government and healthcare, and noting its evolving obfuscation techniques and its practice of discouraging victims from cooperating with law enforcement.

AOAL faced reputational damage and potential regulatory consequences under the GDPR from the exposure of patient data, though no ransom payment or further negotiations were documented in available sources.
