A ransomware campaign against the Hipocrate Information System (HIS) crippled IT operations at roughly 100 Romanian healthcare facilities, forcing clinical staff to abandon electronic records and revert to pen and paper. The incident, which began in February 2024, was confirmed by Romania's National Cyber Security Directorate (DNSC) and the Ministry of Health. Investigators attributed it to Backmydata ransomware, a variant of the Phobos family, with attackers demanding 3.5 Bitcoin to restore access.
What Happened
Attackers targeted the Hipocrate Information System, a hospital management platform used widely across Romania to handle medical records, administrative operations, and patient information. According to the DNSC, the ransomware encrypted files and databases held on production servers, locking healthcare providers out of the data they depend on for daily care.
The disruption escalated quickly. An initial 21 hospitals were confirmed affected, but that count climbed as the scope of the compromise became clear. Dozens of additional facilities proactively disconnected their systems from the internet to keep the malware from spreading. In total, more than 100 healthcare facilities either experienced direct disruption or voluntarily pulled systems offline during the response. Romania's Ministry of Health summarized the situation bluntly in a public statement: "As a result of the attack, the system is down, and files and databases are encrypted."
What Was Taken
This was a data-availability event rather than a confirmed mass exfiltration. The ransomware encrypted medical records, patient information, and administrative databases stored on production servers, rendering them inaccessible behind locked screens. The sensitivity is severe by definition: hospital systems hold protected health information, patient identifiers, and operational data essential to treatment.
Public reporting centered on the encryption and the resulting outage rather than on a quantified volume of stolen records. Phobos-family operators are known to pursue double-extortion in some cases, so the possibility of data theft alongside encryption cannot be ruled out, but the confirmed impact was the loss of access to critical clinical and administrative data across roughly 100 facilities.
Why It Matters
Healthcare has become one of the most heavily targeted sectors for ransomware because downtime directly threatens patient safety, raising pressure to pay. Romania's experience shows what happens when a single shared software platform sits at the center of a national hospital ecosystem: compromise of HIS rippled outward to more than 100 organizations, turning one intrusion into a sector-wide crisis.
The episode is also a case study in resilience. Staff kept patient care running on paper, demonstrating that continuity planning is as vital as any technical control. For defenders, the lesson is that cybersecurity is now a core component of patient safety, and that concentration risk in shared platforms and supply chains can convert a localized breach into a national emergency.
The Attack Technique
The malware was identified as Backmydata, a variant linked to the Phobos ransomware family. Phobos-class ransomware is frequently deployed after intrusions via exposed or weakly secured remote access services, particularly Remote Desktop Protocol (RDP), along with brute-forced or stolen credentials. Once inside, operators typically move laterally, disable or evade defenses, and detonate the encryptor against production servers and databases.
In this case, the attackers reached production servers running the Hipocrate Information System and encrypted the files and databases stored there, then demanded a ransom of 3.5 Bitcoin for restoration. The precise initial access vector was not detailed in public reporting, but the targeting of a shared hospital platform underscores the danger of centralized, internet-reachable systems serving many downstream organizations.
What Organizations Should Do
- Harden remote access: disable internet-exposed RDP where possible, enforce multi-factor authentication on all remote services, and place administrative access behind a VPN or zero-trust gateway.
- Maintain offline, immutable, and regularly tested backups so encrypted production data can be restored without paying a ransom.
- Segment networks aggressively, isolating clinical, administrative, and shared-platform systems to limit lateral movement and blast radius.
- Build and rehearse downtime procedures, including pen-and-paper clinical workflows, so patient care continues when systems are offline.
- Scrutinize shared software and supply-chain dependencies, demanding security assurances from vendors of centralized platforms like HIS and monitoring them closely.
- Deploy and tune endpoint detection to flag Phobos-family behaviors such as credential brute-forcing, defense tampering, and rapid bulk file encryption.
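As an added example (not part of the original report or of any DNSC material), a small Python detector for two of the Phobos-family behaviours listed in the last point: a burst of failed RDP logons from one source, and a burst of file renames to one new extension on a single host. All event records, host names, IP addresses and the file extension are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security events: (timestamp, event_id, logon_type, source_ip).
# 4625 = failed logon; logon type 10 = RemoteInteractive, i.e. an RDP attempt.
LOGON_EVENTS = [("2024-02-10T03:00:%02d" % s, 4625, "10", "203.0.113.7") for s in range(0, 40, 5)]
LOGON_EVENTS += [("2024-02-10T03:%02d:00" % m, 4625, "10", "198.51.100.4") for m in (5, 25)]
LOGON_EVENTS.append(("2024-02-10T03:00:10", 4624, "10", "198.51.100.4"))  # a success: never counted

# Constructed file-rename telemetry: (timestamp, host, old_path, new_path).
# Phobos-style encryptors rewrite files under a new extension in a tight burst.
EXT = ".encrypted-sample"  # placeholder extension, not the incident's real one
RENAME_EVENTS = [("2024-02-10T03:01:%02d" % (i // 5), "HIS-DB01", "D:\\data\\rec%d.db" % i,
                  "D:\\data\\rec%d.db%s" % (i, EXT)) for i in range(30)]
RENAME_EVENTS += [("2024-02-10T03:%02d:00" % (10 + i), "WS-07", "C:\\docs\\%d.tmp" % i,
                   "C:\\docs\\%d.docx" % i) for i in range(3)]  # benign editor saves, far apart

def _ext(path):
    """Lower-case extension of the file name, handling Windows and POSIX separators."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def _burst(times, threshold, window):
    """True if at least `threshold` timestamps fall inside one sliding `window`."""
    times = sorted(times)
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False

def brute_force_sources(events, threshold=5, window=timedelta(minutes=1)):
    """Source IPs with >= threshold failed RDP logons (4625, type 10) inside one window."""
    by_src = defaultdict(list)
    for ts, event_id, logon_type, src in events:
        if event_id == 4625 and logon_type == "10":
            by_src[src].append(datetime.fromisoformat(ts))
    return sorted(s for s, t in by_src.items() if _burst(t, threshold, window))

def bulk_encryption_hosts(events, threshold=20, window=timedelta(seconds=30)):
    """Hosts that rename >= threshold files to the same new extension inside one window."""
    by_key = defaultdict(list)
    for ts, host, old, new in events:
        if _ext(old) != _ext(new):  # only renames that actually change the extension
            by_key[(host, _ext(new))].append(datetime.fromisoformat(ts))
    return sorted({h for (h, _), t in by_key.items() if _burst(t, threshold, window)})

if __name__ == "__main__":
    print("RDP brute force from:", brute_force_sources(LOGON_EVENTS))    # ['203.0.113.7']
    print("bulk encryption on:", bulk_encryption_hosts(RENAME_EVENTS))   # ['HIS-DB01']
```

The thresholds and windows are starting points to tune against a site's own baseline of failed logons and legitimate file-rename activity.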