
Croatia’s Largest Research Institute Hit by Ransomware in Global ToolShell Exploits




The Ruđer Bošković Institute (RBI) in Zagreb, Croatia’s biggest science and technology research center, has confirmed it was one of thousands of organizations worldwide targeted in a massive cyberattack exploiting Microsoft SharePoint’s “ToolShell” security flaws.

The incident occurred on Thursday, July 31, 2025, and resulted in ransomware being installed on parts of the Institute’s internal network. According to RBI’s statement, the affected systems were linked to its administrative and support operations, with attackers encrypting documents and databases to block access.


Refusing to Pay the Hackers

Unlike some victims, RBI has stated it will not pay the ransom. Instead, the Institute plans to follow strict security protocols, restore affected systems from backups, and upgrade its infrastructure to meet modern cybersecurity standards.

Past reports indicate that ToolShell vulnerabilities have been used to spread two strains of ransomware, Warlock and 4L4MD4R, but RBI has not yet confirmed which variant hit its systems.


Restoration Underway

Recovery work is ongoing, with some systems already back online. Email services were restored the Friday after the attack, and the Institute is slowly bringing other parts of its network back into operation. A completely new IT system is also being built to improve defenses and reduce future risks.

The response involves not just RBI’s internal team but also the Ministry of the Interior, Croatia’s national CERT, and other cybersecurity agencies. A detailed forensic investigation is still in progress.


Possible Data Exposure

It’s still unclear whether the attackers accessed personal information. Croatia’s Personal Data Protection Agency has been notified, and the Institute has pledged to act in line with GDPR rules if any breach of personal data is confirmed.

As a precaution, RBI’s data protection officer has already warned staff that some sensitive information, such as personal ID numbers, addresses, financial reimbursements, and other records, may have been stolen. Employees were advised to stay alert for phishing emails pretending to be from the Institute or official authorities.


Part of a Global Problem

RBI is one of at least 9,000 institutions worldwide affected by attacks using the same ToolShell vulnerabilities. These flaws in Microsoft SharePoint have become a major cybercrime tool, enabling hackers to infiltrate networks, steal or lock data, and demand large ransom payments.

While the Institute continues its recovery, the attack is a reminder that even highly respected research organizations can be vulnerable, and that refusing to pay ransom demands can be both a security stance and a financial gamble.