Cyber Incident Victim: Don Serafino Ronchi
Date:
Aug 2022
Location:
Italy
Summary
A multidisciplinary Italian healthcare center specializing in physiotherapy, rehabilitation, and diagnostic services was targeted by the LockBit 3.0 ransomware group, leading to data encryption and operational disruption. The attackers employed double extortion tactics, threatening to publish stolen data unless a ransom was paid within a 12-day deadline. The facility, operated by a Brescia-based social cooperative and employing over 40 professionals, faced potential exposure of sensitive information including medical operations across its extensive infrastructure featuring specialized clinics, therapy pools, and rehabilitation equipment. This incident exemplifies ransomware actors targeting healthcare organizations regardless of their humanitarian focus to maximize financial gain through system lockdowns and data leakage threats.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around August 25, 2022, the Don Serafino Ronchi multidisciplinary physiotherapy and rehabilitation center in Vighizzolo di Montichiari, Brescia, Italy, suffered a ransomware attack attributed to the LockBit 3.0 cybercrime group. The attackers infiltrated the clinic's systems, encrypted data to disrupt operations, and exfiltrated sensitive information as part of a double-extortion strategy. LockBit initiated a 12-day countdown on their data leak site, threatening to publish the stolen data on September 7, 2022, at 01:06 UTC unless ransom demands were met. The clinic—a 400-square-meter facility specializing in physiotherapy, medical consultations, diagnostic tests, and childhood developmental disorder treatments—faced potential exposure of patient records, operational data, and internal documents. Operated under the La Nuvola nel Sacco social cooperative, which had managed healthcare and social services in Brescia since 1986, the clinic employed over 40 medical professionals across three examination rooms, three rehabilitation halls, dedicated pediatric therapy spaces, two gyms, and two heated pools.
LockBit’s public leak site entry detailed the clinic’s infrastructure and services to substantiate the attack’s credibility while pressuring the organization to negotiate. The ransomware operation followed LockBit’s standard methodology: disabling systems through encryption, demanding cryptocurrency payments for decryption keys, and leveraging the threat of data exposure to coerce compliance. No explicit details regarding the clinic’s detection methods, containment efforts, or decision to pay/not pay the ransom appeared in available sources. The attack risked operational paralysis for the facility, which relied on digital systems to coordinate patient care across its specialized departments. Potential data leakage also posed legal, reputational, and privacy risks given the sensitive nature of medical records and the clinic’s role in community healthcare services. LockBit’s countdown mechanism intensified pressure on the organization as the September 7 deadline approached.