LockBit Ransomware Disrupts Croatia's Largest Hospital
Analysis of the LockBit Ransomware Attack on KBC Zagreb
Victim Profile: University Hospital Centre Zagreb
The University Hospital Centre Zagreb (KBC Zagreb) stands as Croatia's largest hospital, playing a dual role in the nation's healthcare system by providing extensive medical services and serving as a primary educational institution. With over 5,000 employees, KBC Zagreb offers advanced medical procedures and diagnostics, including MSCT, MR spectroscopy, and PET-scans, among others. As a central national hospital, it is recognized by the Croatian Ministry of Health and hosts 70 referral centers, making it a beacon of medical excellence and innovation in Croatia.
Vulnerabilities to Ransomware Attacks
Given its significant role and the sensitive nature of the data handled, KBC Zagreb's IT infrastructure is a critical asset that, if compromised, can lead to severe consequences not only for the institution but also for the broader public health system. The integration of advanced digital technologies in healthcare, while beneficial, also increases the potential attack surface for cybercriminals. Hospitals, with their necessity for immediate data access and the critical nature of their services, often become prime targets for ransomware attacks, as operational disruption can quickly lead to life-threatening situations, increasing the likelihood of a ransom being paid.
Attack Overview
Last week, KBC Zagreb experienced a significant disruption when it fell victim to a ransomware attack by the group known as LockBit. The attack led to the shutdown of the hospital's IT systems for an entire day, forcing a return to manual record-keeping and causing substantial operational disruptions, particularly in emergency services. Patients in need of urgent care were redirected to other facilities, underscoring the attack's immediate impact on patient care and hospital operations.
Ransomware Group: LockBit
LockBit, a notorious ransomware-as-a-service (RaaS) group, has been highly active since its emergence in 2019. Known for its sophisticated encryption methods and ruthless double extortion tactics, LockBit encrypts victim data and threatens to publish it unless a ransom is paid. This group primarily targets vulnerabilities in Remote Desktop Protocol (RDP) services and unsecured network shares to infiltrate and spread across networks. The recent attack on KBC Zagreb highlights the group's continued threat to global cybersecurity, particularly following a brief disruption of their operations earlier in the year.
Potential Entry Points and System Penetration
While the specific vector used in the KBC Zagreb attack has not been publicly disclosed, LockBit's known strategies suggest possible exploitation of unpatched software vulnerabilities or inadequately secured RDP setups. The group's ability to move laterally across a network also means that a single entry point might have been sufficient to spread the ransomware across the hospital's entire network.