Cyber Attacks: IT Paralyzed, Operations Partially Restricted
In recent days, several high-profile ransomware attacks have shaken public institutions across Europe. The University of Duisburg-Essen, the Austrian Press Agency (APA), and Klinikum Lippe have all fallen victim. Despite these incidents, all three continue their operations — in some cases with restrictions — while investigations are ongoing. Although the perpetrators have not yet been publicly identified, the similarities in method and impact strongly suggest a coordinated ransomware campaign currently active in the DACH region.
Case 1: University of Duisburg-Essen
Following a cyberattack over the weekend, IT administrators at the North Rhine-Westphalian university were forced to shut down all internal systems to assess the damage. According to the University’s Press Department, “after an initial assessment, all Microsoft Office applications, internal administration tools, and email systems are affected. The telephone network is also unavailable.”
Preliminary findings indicate that the attackers infiltrated the internal infrastructure, encrypted large portions of data, and demanded a ransom. The university management immediately notified the security authorities, filed a criminal complaint, and engaged external forensic experts to assist with the investigation. While classroom teaching continues as usual, administrative processes for students are significantly delayed. A full restoration of services is not yet foreseeable.
Case 2: Austrian Press Agency (APA)
On Saturday, November 26, 2022, the IT systems of the Austrian Press Agency fell victim to a ransomware attack. The affected systems were immediately isolated and a recovery plan was activated. Despite the incident, the production of news and the operation of customer systems remained unaffected at all times. The APA management reported the incident to the authorities, and investigations are currently ongoing.
According to APA’s official statement: “As a company, we are prepared for such a scenario and immediately set up a crisis management team and a team of internal and external IT and forensic experts who are investigating the incident and working flat out to fix it. As an immediate measure, the affected systems have been isolated and safe recovery has been initiated.”
Case 3: Klinikum Lippe
At the beginning of last week, Klinikum Lippe reported a massive hacker attack that partially paralyzed IT systems at all three of its locations in Detmold, Lemgo, and Bad Salzuflen. According to the hospital’s statement, the attack was detected by internal monitoring systems and immediately countered with the help of external cybersecurity specialists and the State Criminal Police Office.
The IT department is currently working on rebuilding all systems from scratch. Until further notice, the clinics can only be contacted by telephone or fax. Several digital processes, such as meal orders and internal communication, have been temporarily reverted to analog methods. Patient care, however, remains fully guaranteed. Hospital operations continue, albeit under restricted conditions.
Staying Resilient Against Cyber Threats
These incidents clearly demonstrate how vulnerable even well-prepared institutions are to modern ransomware attacks. A single weak point in IT security can have far-reaching consequences, especially in critical infrastructures such as education, media, and healthcare. Robust cybersecurity concepts, reliable backup systems, and tested incident response procedures are essential to minimize damage and downtime.
Organizations should regularly review their cloud security architecture, implement Zero Trust principles, and consider solutions such as cProtect by centron to ensure continuous availability and resilience in the event of a cyberattack.
FAQ: Cyber Threats
What is ransomware and how does it typically spread?
Ransomware is malware that encrypts files or systems and demands payment for decryption. It commonly spreads via phishing emails, exploited vulnerabilities, compromised credentials, or infected software updates.
How can we reduce the likelihood of a successful ransomware attack?
Harden identities (MFA, least privilege), patch promptly, restrict remote access, segment networks, filter email and web traffic, and enforce application allow-listing. Train staff to spot phishing.
What immediate steps should we take after detecting ransomware?
Isolate affected systems, preserve logs, activate the incident response plan, notify stakeholders, and begin recovery from known-good backups. Avoid deleting evidence needed for forensics.
What is the shared responsibility model in the cloud context?
Providers secure the cloud infrastructure; customers secure identities, configurations, data, and workloads. Misconfigurations remain the customer’s risk and must be monitored continuously.
How do backups help—and which backup strategy works best?
Use immutable, versioned backups with the 3-2-1 rule (3 copies, 2 media, 1 off-site). Test restores regularly and define RPO/RTO objectives to ensure timely recovery.
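An added example (not part of the original article and not centron's code) that checks a backup inventory against the 3-2-1 rule, immutability, the RPO and restore-test recency. The inventory, names and thresholds are constructed; counting the production data as the first copy and measuring the RPO against the newest immutable copy are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class BackupCopy:
    location: str                          # constructed label
    medium: str                            # e.g. "disk", "tape", "object-storage"
    offsite: bool
    immutable: bool
    completed_at: datetime
    restore_tested_at: Optional[datetime]  # last successful test restore, if any

def check_backup_policy(copies, production_medium, now, rpo, max_test_age):
    """Return policy violations for a backup inventory; [] means compliant."""
    findings = []
    # Assumption: the production data counts as copy 1 of the "3 copies".
    if 1 + len(copies) < 3:
        findings.append("fewer than 3 copies")
    if len({production_medium} | {c.medium for c in copies}) < 2:
        findings.append("fewer than 2 media")
    if not any(c.offsite for c in copies):
        findings.append("no off-site copy")
    # Assumption: only immutable copies are expected to survive an attacker
    # with admin rights, so the RPO is measured against the newest of those.
    immutable = [c.completed_at for c in copies if c.immutable]
    if not immutable:
        findings.append("no immutable copy")
    elif now - max(immutable) > rpo:
        findings.append("newest immutable copy older than RPO")
    tested = [c.restore_tested_at for c in copies if c.restore_tested_at]
    if not tested or now - max(tested) > max_test_age:
        findings.append("no recent restore test")
    return findings

# Constructed sample inventories (not real systems).
NOW = datetime(2022, 12, 1, 12, 0, tzinfo=timezone.utc)
GOOD = [
    BackupCopy("nas-dc1", "disk", False, False, NOW - timedelta(hours=2), None),
    BackupCopy("objstore-remote", "object-storage", True, True,
               NOW - timedelta(hours=6), NOW - timedelta(days=20)),
]
WEAK = [
    BackupCopy("nas-dc1", "disk", False, False, NOW - timedelta(hours=2), None),
    BackupCopy("nas-dc1-b", "disk", False, False, NOW - timedelta(hours=30), None),
]
if __name__ == "__main__":
    for inv in (GOOD, WEAK):
        print(check_backup_policy(inv, "disk", NOW, timedelta(hours=24), timedelta(days=90)))
```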
What is Zero Trust and why does it matter here?
Zero Trust requires continuous verification of users, devices, and workloads. It limits lateral movement by enforcing least privilege, strong authentication, and context-aware access.
How do we ensure recovery won’t reintroduce malware?
Scan backups before restore, stage in a quarantined environment, and re-issue credentials. Validate integrity with checksums and only promote clean systems to production.
Does centron offer measures that support ransomware resilience?
Yes. With solutions like cProtect, you can use continuous replication, failover, and immutable snapshots in ISO 27001-certified data centers to meet strict RPO/RTO targets.