Lockbit Ransomware Disrupts Healthcare Systems at German KHO Network of Hospitals

Written by Mitchell Langley

December 29, 2023

Lockbit Ransomware Disrupts Healthcare Systems at German KHO Network of Hospitals

Katholische Hospitalvereinigung Ostwestfalen (KHO), a hospital network in Germany, has confirmed that the recent service disruptions experienced at three of its hospitals were a result of a Lockbit ransomware attack.

The KHO Hospital Cyberattack took place in the early morning of December 24, 2023, severely affecting the operational systems of the hospitals located in Bielefeld, Rheda-Wiedenbrück, and Herford, Germany.

“Unknown actors have gained access to the systems of the IT infrastructure of the hospitals and have encrypted data,” reads the announcement from the hospital.

“A first test showed that it is probably a cyberattack by Lockbit 3.0, the resolution time of which is currently unforeseeable.”

Reads the machine translated KHO statement

“For security reasons, all systems were shut down immediately upon discovery, and all necessary parties and institutions were informed.”  

KHO issues notification in response to Lockbit Ransomware attack
KHO issues notification in response to Lockbit Ransomware attack

The full extent of the damage caused by the incident is still uncertain at this time. However, in response to the Lockbit ransomware attack, KHO swiftly established a crisis team and initiated an analysis of the situation. Immediate measures were taken to block access to all systems. Fortunately, due to robust security systems, patient data remains accessible for ongoing treatment.

Dr. Jan Schlenker, Managing Director of KHO, reassured that patient care is being maintained, albeit with minor technical limitations. The hospitals are currently undergoing backup procedures to mitigate the impact of the attack. As a precautionary measure, the hospitals have temporarily suspended emergency care to prioritize security considerations.

KHO Network of Hospitals Germany

KHO, a hospital network in Germany, operates six facilities and employs 3,300 individuals.

Currently, investigations are underway to assess the extent of the damage caused by the cyberattack and determine if any data was stolen by the attackers.

The following three hospitals operated by KHO have been affected by the cyberattack:

  • Franziskus Hospital Bielefeld: This facility has 614 beds, ten specialized departments, and a staff of 390 doctors and healthcare professionals.
  • Sankt Vinzenz Hospital Rheda-Wiedenbrück: With 614 beds and five specialized departments, this hospital is supported by 200 doctors and staff members.
  • Mathilden Hospital Herford: This hospital has 614 beds, eight specialized departments, and a team of 230 doctors and staff.

As these hospitals play a crucial role in delivering healthcare services to their respective communities, any disruption to their IT systems can have severe consequences for individuals in urgent need of medical assistance.

KHO network of hospitals has clarified that patient treatment is continuing as usual within the impacted hospitals, and all clinic operations are accessible, albeit with some technical limitations. Essential patient information remains available through successful backup restoration.

However, emergency care is currently unavailable at the three affected hospitals. As a result, individuals in need of immediate medical attention are being redirected to other healthcare facilities, which may lead to critical delays in receiving necessary care.

The Lockbit ransomware gang has not included KHO Hospitals Network in their extortion portal on the dark web. Therefore, it remains unclear whether the cybercriminals have stolen patient data or other sensitive information during the attack. Investigations are ongoing to determine the extent of any potential data breach.

The Lockbit Ransomware

LockBit 3.0 is a ransomware developed by the LockBit ransomware group, which is currently one of the most active threat actors.

Also known as LockBit Black, this ransomware is now in its third iteration and is considered the most evasive version of all previous strains, a US Department of Justice report said.

According to CISA, LockBit Implements a ransomware-as-a-service model, where affiliates are recruited to conduct ransomware attacks using LockBit tools and infrastructure.

Due to the large number of unconnected affiliates in the operation, LockBit ransomware attacks vary significantly in observed tactics, techniques, and procedures (TTPs).

The threat actors are said to have executed over 1,400 attacks against victims in the US and around the world, including Asia, Europe, and Africa.

The largest LockBit victims include: Boeing; the state-owned Industrial and Commercial Bank of China, known as ICBC; one of the Australia’s largest port operators, DP World Australia; Allen & Overy, and others.

How to Prevent Ransomware Attacks in Healthcare

  1. Maintain robust data backup protocols to safeguard critical patient information
  2. Regularly backup data to an offline or offsite location, ensuring data redundancy
  3. Test the backup and recovery systems to ensure their reliability and integrity
  4. Conduct regular employee training sessions to educate staff about ransomware risks, phishing emails, suspicious attachments, and social engineering techniques
  5. Deploy advanced endpoint security solutions such as antivirus software, firewalls, and intrusion detection systems across all devices.
  6. Regularly patch and update software to address vulnerabilities
  7. Implement access controls and privileged account management:
  8. Segment the network infrastructure to isolate critical systems and sensitive data.
  9. Regular vulnerability assessments and penetration testing:
  10. Conduct regular vulnerability assessments and penetration testing to identify weaknesses in the network and software infrastructure

Related Articles

Daixin Ransomware Claims Omni Hotels Cyberattack

Daixin Ransomware Claims Omni Hotels Cyberattack

The Daixin Team ransomware gang has taken responsibility for a recent cyberattack on Omni Hotels & Resorts and is currently issuing threats to publish sensitive customer information unless a ransom is paid. This development comes after the hotel chain experienced...

Stay Up to Date With The Latest News & Updates

Join Our Newsletter


Subscribe To Our Newsletter

Sign up to our weekly newsletter summarizing everything thats happened in data security, storage, and backup and disaster recovery

You have Successfully Subscribed!