Ransomware infection in Czech University Hospital of Brno

[German]The university hospital of the Czech city of Brno (German: Brünn) is currently suffering from an attack by ransomware. The clinic runs one of the largest laboratories for testing for Covid-19 infections.


I already became aware of the case in our neighbouring country a few hours ago through a tweet from Catalin Cimpanu.

The ransomware infection started at 2 a.m. and was probably discovered on Friday, March 13, 2020 at 5 am. Peter Gramatik, a security researcher at Sucuri, happened to be a patient at this clinic and witnessed the whole thing. He was then sent home from the clinic and reported some details via email to ZDNet.

Catalin Cimpanu writes on ZDNet that the clinic had to shut down the entire IT network as a result of the infection. Two other branches of the hospital, the children's hospital and the maternity clinics, were also affected.

Gramatik informed ZDNet in his email that the hospital immediately made loudspeaker announcements to all staff, that all computers had to be shut down immediately for security reasons. This message was repeated as every 30 minutes. Then at about 8 a.m. all operations were cancelled by another public announcement over the hospital's public address system. Gramatik was then sent home.


Following the outbreak of the incident, teams from the Czech National Cyber Security Centre (NCSC), the Czech Police (NCOZ) and hospital IT staff are now working together on site to restore the hospital's IT network.

The incident is considered serious and will be treated with the utmost urgency as the University Hospital Brno is one of the largest COVID 19 testing laboratories in the Czech Republic. It is currently unclear whether laboratory activities regarding coronavirus testing have been/are affected by the cyber attack. So far the incident has not been officially confirmed by the clinic – which ransomware it is. This tweet states that the incident has been confirmed by the Prime Minister.

The article linked in the above tweet still contains some information. So the attack already started at 2am. The patients of the clinic were partly distributed to other hospitals in the city.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged , , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *