Benešov Hospital Ryuk ransomware attack
An Emotet–TrickBot–Ryuk malware chain crippled the Rudolf and Stefanie Hospital in Benešov, Czech Republic, knocking out X-ray, ultrasound, and laboratory systems and paralysing the facility for weeks. The hospital did not pay the ransom and reported no patient-record loss.
- Victim: Rudolf and Stefanie Hospital, Benešov
On 11 December 2019, the Rudolf and Stefanie Hospital in Benešov, a mid-sized facility in the Central Bohemian Region of the Czech Republic, was struck by a Ryuk ransomware attack delivered through the now-classic Emotet–TrickBot–Ryuk infection chain. The attack paralysed the hospital for weeks and became a landmark study in Czech healthcare cybersecurity.
What happened
The intrusion followed the modular pattern that defined ransomware campaigns of the period: Emotet established the initial foothold (typically via a malicious email attachment), pulled down the TrickBot banking trojan to harvest credentials and map the network, and finally deployed Ryuk to encrypt systems across the hospital. The combination meant that by the time encryption began, the attackers had already moved laterally through the environment.
The encryption knocked out access to X-ray, ultrasound, and laboratory instruments, and severed the hospital's ability to exchange information with other hospitals — a critical capability for patient referrals and continuity of care.
Impact
- The hospital was paralysed for weeks, operating in a degraded, partly manual mode while systems were rebuilt.
- Core diagnostic equipment (imaging and lab systems) was rendered unusable, directly affecting clinical workflows.
- The regional governor stated the hospital did not pay any ransom and that it had not lost significant data, explicitly ruling out a leak of patients' health records.
- Recovery required extensive remediation rather than decryption.
Significance
Researchers later documented Benešov as a case in which even a relatively well-managed mid-size hospital with a reasonable cybersecurity posture could still be severely disrupted by a determined commodity-ransomware chain. The incident exposed how dependent modern clinical operations are on networked diagnostic systems, and how a single email-borne infection can cascade into a hospital-wide outage.
Coming only three months before the Brno University Hospital attack, Benešov was the opening act in a wave of ransomware against Czech healthcare that pushed the National Cyber and Information Security Agency (NÚKIB) to issue sector-wide warnings.
Why it matters
Benešov demonstrated that the Emotet–TrickBot–Ryuk model — financially motivated, opportunistic, and highly effective — posed an existential operational threat to hospitals regardless of whether a ransom was paid. By refusing to pay and still recovering, Benešov reinforced the value of resilient backups and segmentation, while its weeks-long disruption underscored that prevention, not recovery alone, must be the priority for healthcare providers.
Timeline
- An Emotet–TrickBot–Ryuk malware chain detonates at the Rudolf and Stefanie Hospital in Benešov, encrypting systems.
- Staff lose access to X-ray, ultrasound, and laboratory instruments and can no longer exchange information with other hospitals.
- The hospital declines to pay the ransom; the regional governor states no ransom was paid and rules out a leak of patient health records.
- The facility operates in a degraded mode for weeks while systems are rebuilt and restored.
- The case becomes a reference point as further attacks, including Brno University Hospital, hit Czech healthcare.
Sources
- english.radio.cz: https://english.radio.cz/russian-crypto-ransomware-virus-behind-attack-benesov-hospital-8110504
- link.springer.com: https://link.springer.com/chapter/10.1007/978-3-030-88907-4_18
- researchgate.net: https://www.researchgate.net/publication/353480102_THE_CYBERSECURITY_OF_HEALTHCARE_The_Case_of_the_Benesov_Hospital_Hit_by_Ryuk_Ransomware_and_Lessons_Learned