On Thursday, July 31, 2025, the Ruđer Bošković Institute (RBI), Croatia’s largest science and technology research institute, became one of over 9,000 institutions worldwide to fall victim to a widespread cyberattack. The attack leveraged a set of newly discovered and actively exploited vulnerabilities in Microsoft SharePoint, collectively known as “ToolShell,” to deploy ransomware. This incident affected a portion of the institute’s network that supports its administrative and professional services, resulting in the encryption of numerous documents and databases. The attack highlights the severe risk posed by unpatched vulnerabilities, especially when they are part of a coordinated, global campaign.
In the wake of the attack, the RBI has taken a firm stance, publicly stating it will not pay the ransom demanded by the attackers. Instead, the institute is focusing on a multi-pronged recovery strategy. This includes a full-scale restoration of its encrypted data using secure backups, a process which is currently underway. The institute’s email system, for instance, was brought back online last Friday. This approach aligns with expert advice to not give in to ransomware demands, as paying does not guarantee data recovery and can incentivize future attacks.
Beyond data restoration, the RBI is also undertaking a significant overhaul of its entire IT infrastructure. The institute announced its plan to build a new system that adheres to the latest cybersecurity standards, a move intended to prevent similar incidents in the future. This proactive measure demonstrates a commitment to long-term security and resilience. The incident is also under forensic analysis with the assistance of Croatian authorities, including the Ministry of the Interior and the national CERT, to understand the full scope of the breach and identify the attackers’ methods.
While the primary impact has been on the institute’s administrative functions, a key concern remains the potential exfiltration of personal data. The institute has notified the Croatian Personal Data Protection Agency about the incident. Although it is not yet confirmed whether personal information was accessed, the institute’s data protection officer has proactively warned employees that their personal identification numbers, addresses, and other related data may have been compromised. Employees have been advised to be vigilant against potential phishing attempts that could impersonate the institute or other relevant authorities.
This attack on the RBI is part of a larger trend of cybercriminals exploiting sophisticated vulnerabilities to target high-value institutions. Previous reports indicate that the “ToolShell” vulnerabilities have been used to deploy Warlock and 4L4MD4R ransomware. The scale of the attack—affecting thousands of organizations globally—underscores the urgent need for robust cybersecurity measures and timely application of patches. The RBI’s response, from refusing to pay the ransom to rebuilding its infrastructure, serves as a case study for how institutions can navigate and recover from a major cyber incident.