Date: Jul 2021

Location: Romania

Summary

Clinical Hospital No.1 CF Witting in Bucharest suffered a PHOBOS ransomware attack that encrypted its servers; the attackers demanded a ransom, which the hospital did not pay. Operations continued on offline, paper-based systems. The incident mirrored a 2019 wave of attacks on other Romanian hospitals that was linked to inadequate antivirus protection. The ransomware, assessed as being of medium technical complexity, gained access primarily through Remote Desktop Protocol (RDP) connections.


Description

On or around July 24, 2021, Clinical Hospital No.1 CF Witting in Bucharest suffered a PHOBOS ransomware attack against its servers. The attack encrypted hospital data, after which the perpetrators demanded payment for decryption; the hospital refused to pay. Despite the encryption of its digital systems, the institution maintained operational continuity by reverting to offline, paper-based registers for patient care and administrative functions. The Romanian Intelligence Service (SRI) worked with the national Computer Emergency Response Team (CERT-RO) and the hospital to investigate the incident. Forensic analysis indicated that the attackers gained access to the network through Remote Desktop Protocol (RDP) connections, consistent with PHOBOS's known infection methods. The variant was assessed as being of medium technical complexity. The incident mirrored a wave of PHOBOS attacks in summer 2019 that affected four other Romanian hospitals, which likewise lacked adequate antivirus protection across their IT infrastructure.


The 2021 attack occurred amid sustained cybersecurity awareness efforts directed at Romania's healthcare sector since the onset of the COVID-19 pandemic in 2020. CERT-RO and the volunteer group Cyber Volunteers 19 – Romania had jointly run campaigns alerting medical facilities to IT vulnerabilities and promoting proactive mitigation. While some institutions implemented the recommended practices promptly, this infection showed that at other facilities the measures were delayed or omitted. The hospital's fallback to offline procedures kept services running but did not address the underlying compromise of its digital systems. No data theft or other post-encryption attacker activity was disclosed. The investigation highlighted the persistent risk to healthcare infrastructure from ransomware operators using well-known vectors such as exposed RDP services, particularly where defensive controls such as current antivirus, system patching and access management are applied inconsistently.
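As an added example (not part of the original entry, and not tooling used by the investigating agencies), the following Python script shows the kind of check a defender would run over Windows Security event logs to surface the RDP pattern described above: a burst of failed RemoteInteractive (RDP) logons from one source address, a successful logon from that same source shortly afterwards, and any successful RDP logon originating outside the organisation's own address space. The event records, the failure threshold, the time window and the list of internal address ranges are constructed assumptions for illustration only.

```python
"""Added example: flag RDP brute force and suspicious RDP logons in Windows
Security events.  The records in SAMPLE_LOG are constructed for illustration
and are not from the incident.  Field names follow the Windows Security log:
Event ID 4625 = failed logon, 4624 = successful logon,
LogonType 10 = RemoteInteractive, i.e. RDP."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

RDP_LOGON_TYPE = "10"
FAIL_THRESHOLD = 5              # failed RDP logons from one source IP ...
WINDOW = timedelta(minutes=10)  # ... within this sliding window

# Assumed internal address space (RFC 1918 plus loopback); tune per site.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample: one external host sprays accounts over RDP and then
# succeeds as "admin"; a second external host fails once; an internal
# workstation logs on normally; a network (type 3) logon is not RDP and is ignored.
SAMPLE_LOG = [
    "TimeCreated=2021-07-24T02:10:01|EventID=4625|LogonType=10|IpAddress=203.0.113.45|TargetUserName=administrator",
    "TimeCreated=2021-07-24T02:10:33|EventID=4625|LogonType=10|IpAddress=203.0.113.45|TargetUserName=admin",
    "TimeCreated=2021-07-24T02:11:05|EventID=4625|LogonType=10|IpAddress=203.0.113.45|TargetUserName=user",
    "TimeCreated=2021-07-24T02:11:40|EventID=4625|LogonType=10|IpAddress=203.0.113.45|TargetUserName=backup",
    "TimeCreated=2021-07-24T02:12:12|EventID=4625|LogonType=10|IpAddress=203.0.113.45|TargetUserName=scanner",
    "TimeCreated=2021-07-24T02:12:50|EventID=4625|LogonType=10|IpAddress=203.0.113.45|TargetUserName=admin",
    "TimeCreated=2021-07-24T02:14:09|EventID=4624|LogonType=10|IpAddress=203.0.113.45|TargetUserName=admin",
    "TimeCreated=2021-07-24T02:15:00|EventID=4625|LogonType=10|IpAddress=198.51.100.7|TargetUserName=admin",
    "TimeCreated=2021-07-24T07:30:00|EventID=4624|LogonType=10|IpAddress=10.0.0.12|TargetUserName=dr.ionescu",
    "TimeCreated=2021-07-24T07:31:00|EventID=4624|LogonType=3|IpAddress=203.0.113.99|TargetUserName=svc_backup",
]


def parse_events(lines):
    """Parse 'key=value|key=value' export lines into dicts with a parsed timestamp."""
    events = []
    for line in lines:
        rec = dict(field.split("=", 1) for field in line.strip().split("|"))
        rec["time"] = datetime.fromisoformat(rec["TimeCreated"])
        events.append(rec)
    return events


def is_external(ip):
    """True if the source address lies outside the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # Windows logs "-" when no source address is known
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def analyze_rdp(events):
    """Return brute-force sources, successes following brute force, and external RDP successes."""
    rdp = sorted((e for e in events if e.get("LogonType") == RDP_LOGON_TYPE),
                 key=lambda e: e["time"])
    recent_failures = defaultdict(list)
    findings = {"brute_force": set(),
                "success_after_brute_force": [],
                "external_success": []}
    for e in rdp:
        ip = e.get("IpAddress", "-")
        if e["EventID"] == "4625":
            # drop failures that have aged out of the window, then count this one
            recent_failures[ip] = [t for t in recent_failures[ip] if e["time"] - t <= WINDOW]
            recent_failures[ip].append(e["time"])
            if len(recent_failures[ip]) >= FAIL_THRESHOLD:
                findings["brute_force"].add(ip)
        elif e["EventID"] == "4624":
            hit = (ip, e["TargetUserName"], e["TimeCreated"])
            if ip in findings["brute_force"]:
                findings["success_after_brute_force"].append(hit)
            if is_external(ip):
                findings["external_success"].append(hit)
    return findings


def run_sample():
    return analyze_rdp(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {sorted(value)}")
```

Against the constructed sample, the script flags 203.0.113.45 as a brute-force source, reports its later successful logon as `admin` both as a success following brute force and as an RDP logon from outside the internal ranges, and ignores the single failure from 198.51.100.7 and the internal logon from 10.0.0.12. The "success after brute force" finding is the highest-fidelity signal and would merit immediate containment of the target host; a non-empty "external success" list on its own already shows that RDP is reachable from the internet, which is the exposure the page describes and which is normally closed by placing RDP behind a VPN or gateway with multi-factor authentication and account lockout.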
