Ransomware Attack Disrupts Wertachkliniken Operations in Germany

Incident Date: Sep 19, 2024

Attack Overview

Victim: Wertachkliniken
Industry: Hospitals & Physicians Clinics
Location: Germany
Attacker: Cloak
First Reported: September 19, 2024

Ransomware Attack on Wertachkliniken by Cloak Group Disrupts Operations

In early September, the Wertachkliniken, comprising healthcare facilities in Bobingen and Schwabmünchen, experienced a severe ransomware attack by the Cloak group. This incident has significantly disrupted their operations, forcing the clinics to revert to analog emergency structures and cancel planned surgeries.

Overview of Wertachkliniken

Wertachkliniken operates in the Hospitals & Physicians Clinics sector, providing a range of medical services aimed at ensuring high-quality patient care. The clinics are known for integrating competence, innovation, and humanity in their healthcare approach. They offer specialized treatments and pain management programs, emphasizing patient involvement in care decisions. The clinics are currently undergoing significant changes to enhance operational efficiency, including plans to consolidate operations into a single location near the B17 highway in southern Augsburg by 2029.

Details of the Attack

The ransomware attack paralyzed the IT systems at Wertachkliniken, affecting their server systems and encrypting virtual servers within the hospital’s information system. The cybercrime department in Augsburg, in collaboration with the clinics' IT experts, is investigating the incident. Cloak has claimed responsibility for the attack, stating that it breached the clinics and leaked 291 GB of data. The group's post initially concealed the victim's name, which was later fully disclosed. Efforts are underway to restore critical processes at the clinics, though there is no clear timeline for the full resumption of regular operations.

About Cloak Ransomware Group

Cloak is a relatively new ransomware group that emerged between late 2022 and early 2023. The group is financially motivated and primarily targets sectors such as medical, real estate, construction, IT, food industry, and manufacturing, with a particular focus on Europe. Cloak uses double extortion tactics, encrypting files and threatening to leak stolen data. The group operates a data leak site where it sells and publishes data stolen from victims. It likely purchases initial access from Initial Access Brokers (IABs) and may leverage compromised employee credentials obtained through info-stealers like Lumma, Aurora, and RedLine.

Vulnerabilities and Impact

Wertachkliniken's vulnerabilities were exposed through this attack, highlighting the risks associated with their operational infrastructure. The clinics' reliance on digital systems for patient care and administrative functions made them a prime target for ransomware groups like Cloak. The attack has not only disrupted medical services but also raised concerns about the potential exposure of sensitive patient data. The clinics are working diligently to secure and analyze the compromised data while informing patients of cancellations directly.
