Cyber Incident Victim: Spitalul de recuperare Sf.Gheorghe

Date: Dec 2022

Location: Romania

Summary

A ransomware attack targeted a Romanian hospital, encrypting its database and disrupting medical operations. The attackers gained access by exploiting a remote connection used by a maintenance company and demanded 3 Bitcoin (approximately €46,400) for decryption. The incident prevented reporting of recent medical services, jeopardizing reimbursement and salary payments. Authorities including DIICOT and the National Directorate of Cyber Security were notified, with investigations underway alongside unsuccessful decryption attempts by BitDefender analysts. Despite operational challenges, the institution aimed to restore normal medical capacity promptly while collaborating with health insurance representatives to address financial repercussions.

Description

On or around December 1, 2022, the Saint Gheorghe Recovery Hospital in Botoşani, Romania, suffered a ransomware attack that encrypted its database servers, severely disrupting medical operations. The attackers exploited a remote connection reportedly used by one of the hospital’s maintenance companies to infiltrate the system, mirroring a method employed in similar 2019 attacks against four other Romanian hospitals. After compromising the network, the hackers specifically encrypted the hospital’s December database and left a ransom note in English demanding payment of 3 Bitcoin (approximately €46,400 at the time) in exchange for decryption keys. The hospital engaged both Romanian law enforcement’s Directorate for Investigating Organized Crime and Terrorism (DIICOT) and cybersecurity analysts from BitDefender, but neither entity could decrypt the affected files. Hospital manager Dr. Cătălin Dascălescu confirmed notifications to the National Directorate of Cyber Security and DIICOT, with an active investigation underway, while expressing cautious optimism about restoring normal medical operations by the following Monday.

The attack’s primary operational impact stemmed from the hospital’s inability to access its encrypted December 2022 database, which contained records of medical services rendered during that month. Without these records, the institution could not submit reimbursement claims to the Health Insurance House (CAS), jeopardizing its cash flow and creating immediate financial strain. CAS representatives acknowledged efforts to identify interim solutions to ensure staff salary payments despite the missing documentation. Limitations on medical services persisted beyond the initial attack date, though the hospital anticipated gradual operational recovery. No evidence suggested patient data exfiltration or secondary exploitation, with the attackers’ focus appearing limited to database encryption for financial extortion. The incident highlighted persistent vulnerabilities in third-party remote access pathways within Romanian healthcare infrastructure, recalling prior systemic weaknesses exposed during the 2019 hospital ransomware campaigns.
