Croatian Research Institute Confirms Ransomware Attack via ToolShell Vulnerabilities

The Ruđer Bošković Institute (RBI), the largest Croatian science and technology research institution, said it was among at least 9,000 organizations worldwide hit by ransomware that exploited Microsoft SharePoint ToolShell vulnerabilities.

The attack on July 31, 2025, encrypted documents and databases within parts of the RBI’s network that support administrative and professional services, the institute said in a statement on Monday. RBI added that it does not intend to pay the ransom and will pursue restoration through professional security protocols and backups.

Remediation is underway as the RBI gradually brings its IT network back online, with its email system restored last Friday. The institute is pursuing a complete rebuild of its IT infrastructure to align with the latest cybersecurity standards. A forensic analysis is ongoing with the help of the Ministry of the Interior, the national CERT and other Croatian cybersecurity bodies.

Earlier reporting indicated that ToolShell vulnerabilities have been exploited to deploy the Warlock and 4L4MD4R ransomware variants. The Croatian Personal Data Protection Agency has been informed, and investigators have not yet determined whether personal information was accessed. If it is determined that personal data was exposed, the RBI will act in accordance with GDPR requirements. Staff were warned that personal data – including identification numbers and payroll information – could have been exfiltrated and that employees should be vigilant for phishing attempts impersonating the RBI or authorities.