Croatian research institute targeted by ToolShell ransomware attack
The Ruđer Bošković Institute (RBI), the largest Croatian science and technology research institute, confirmed that it was among “at least 9,000 institutions worldwide” targeted by a ransomware attack exploiting Microsoft SharePoint “ToolShell” vulnerabilities on Thursday, July 31, 2025. The attack compromised part of the network related to the Institute’s administrative and professional services, resulting in the encryption of critical documents and databases. The Institute announced that it would not pay the ransom and would instead respond to the incident through professional and security protocols, focusing on careful upgrades and data restoration from backups. Reports indicate that the ToolShell vulnerabilities were used to deploy Warlock and 4L4MD4R ransomware.
Remediation efforts are currently underway, with the IT network system being gradually restored. The Institute’s email system was brought back online last Friday, and plans are in place to develop a new IT infrastructure that adheres to the latest cybersecurity standards. A forensic analysis of the incident is ongoing, supported by the Ministry of the Interior, the national CERT, and other Croatian cybersecurity institutions. The Croatian Personal Data Protection Agency has been informed, although it remains unclear whether personal data was accessed. If it is determined that personal data was compromised, the Institute will take timely action in accordance with the GDPR. Employees have been alerted to the potential exfiltration of personal information and advised to remain vigilant against phishing attempts.