---
title: "How 100 Romanian hospitals beat a ransomware attack with pen and paper"
description: "When ransomware tore through the software linking more than 100 Romanian hospitals in early 2024, staff kept patients safe with a strikingly low-tech response: they unplugged from the internet and reached for pen and paper. Recent and backups, officials say, did the rest."
category: "Technology"
category_url: https://newsparlor.com/category/technology
author: "Chloe Bennett"
published: 2026-06-23T13:36:00.000Z
updated: 2026-06-23T13:36:00.000Z
canonical: https://newsparlor.com/article/how-100-romanian-hospitals-beat-a-ransomware-attack-with-pen-and-paper
tags: ["Romania", "ransomware", "cybersecurity", "hospitals", "healthcare", "backups"]
---
# How 100 Romanian hospitals beat a ransomware attack with pen and paper

When ransomware tore through the software linking more than 100 Romanian hospitals in early 2024, staff kept patients safe with a strikingly low-tech response: they unplugged from the internet and reached for pen and paper. Recent and backups, officials say, did the rest.

When the screens went dark across Romanian hospital wards in February 2024, the response that kept patients safe was not a software patch. It was a notebook.

Over a span of days, more than 100 hospitals connected to a widely used Romanian medical platform were pulled offline to contain a ransomware outbreak, according to the country's [National Cyber Security Directorate](https://www.dnsc.ro/vezi/document/alert-backmydata-ransomware-eng-pdf) (DNSC) and security researchers. The episode, revisited in recent reporting, has since been held up as a case study in old-fashioned resilience.

## What happened

The attack hit the Hipocrate Information System, software used to manage admissions, prescriptions, lab results and other hospital records. Investigators traced the intrusion to ransomware known as BackMyData, a variant of the Phobos family, which [BleepingComputer](https://www.bleepingcomputer.com/news/security/ransomware-attack-forces-100-romanian-hospitals-to-go-offline/) reported was deployed against the platform's servers in mid-February.

Accounts of the exact toll vary slightly. The DNSC and BleepingComputer described around 25 hospitals as having data encrypted, with roughly 75 more taking their systems offline as a precaution — a total of about 100 facilities, including cancer and pediatric centres, according to [CPO Magazine](https://www.cpomagazine.com/cyber-security/ransomware-attack-disrupts-over-100-romanian-hospitals-including-cancer-and-pediatric-centers/). The attackers demanded a ransom of 3.5 bitcoin, worth roughly €157,000 at the time, in exchange for a decryption key. Romanian authorities declined to pay.

## Going back to paper

With the central system frozen, the workaround was deliberately analogue. Rather than risk the malware spreading, hospitals severed their internet connections — a move investigators credited with stopping the attack from going further.

Clinical staff then improvised. Doctors devised an offline method to register patients by hand, laboratories returned test results on paper, and teams turned to standalone tools such as spreadsheets to keep care moving. Staff "worked mostly on paper," recording admissions, prescriptions and test recommendations by hand, in a return to pre-digital routine, according to BleepingComputer. The trade-off was real: some information captured only on paper during those days was not later digitised.

## Why recovery was fast

The single biggest factor in the recovery, officials said, was backups. The DNSC found that most affected hospitals held copies of their data saved relatively recently — typically one to three days old — with one outlier whose backup was around 12 days old. That allowed most facilities to rebuild their systems within days rather than capitulating to the ransom demand.

## The wider warning

Romanian officials framed the incident as a sign of risks that grow alongside digitisation. Security researchers note that healthcare is a recurring target precisely because lives are at stake: the more disruption attackers cause, the more likely victims are to pay. Romania's hospitals, this time, chose a different answer — to write it all down, and to have the backups ready when the systems came back online.

## Sources

- [Ransomware attack forces 100 Romanian hospitals to go offline](https://www.bleepingcomputer.com/news/security/ransomware-attack-forces-100-romanian-hospitals-to-go-offline/)
- [BackMyData Ransomware Alert](https://www.dnsc.ro/vezi/document/alert-backmydata-ransomware-eng-pdf)
- [Ransomware Attack Disrupts Over 100 Romanian Hospitals](https://www.cpomagazine.com/cyber-security/ransomware-attack-disrupts-over-100-romanian-hospitals-including-cancer-and-pediatric-centers/)

