A coordinated ransomware campaign attributed to the LockBit 4.0 cybercriminal group has disrupted hospitals, power grids, and financial institutions across 12 countries in Europe and North America, with attackers demanding over $500 million in cryptocurrency to restore access to encrypted systems.
Scale of the Attack
The attack, which began in the early hours of Monday morning, has affected more than 400 organizations including three major hospital networks in Germany, two electricity distribution companies in France, and several regional banks in the United States and Canada. Emergency services in affected areas have been forced to revert to manual operations as IT systems remain offline.
"This is one of the most sophisticated and far-reaching ransomware campaigns we have ever observed," said Jen Easterly, Director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA). "We are working around the clock with our international partners to contain the damage and restore critical services."
Attack Vector
Preliminary forensic analysis suggests the attackers exploited a zero-day vulnerability in a widely used industrial control system (ICS) software product and used that initial foothold to move laterally across victim networks before deploying the ransomware payload. The vulnerability, now tracked as CVE-2025-31847, had not been previously disclosed and affects versions of the software dating back to 2019, so organizations running older releases should assume they are exposed until the vendor confirms otherwise. Because the analysis is preliminary, the initial access vector for individual victims has not yet been confirmed.
Government Response
The FBI, Europol, and the UK's National Cyber Security Centre have launched a joint investigation. Several governments have activated national cyber emergency protocols, and NATO's Cooperative Cyber Defence Centre of Excellence has convened an emergency session to coordinate the international response.
The United States Treasury Department has issued emergency guidance to financial institutions, urging them to isolate affected systems and report any ransom payment demands immediately. Paying ransoms to sanctioned entities remains illegal under U.S. law.
LockBit 4.0
LockBit 4.0 emerged earlier this year following law enforcement takedowns of previous iterations of the group. Security researchers believe the group operates out of Eastern Europe and has recruited former members of disbanded ransomware gangs including Conti and BlackMatter. The group is known for its ransomware-as-a-service model, which allows affiliates to deploy its malware in exchange for a percentage of ransom payments.
