One after another the calls came in from hospitals; criminals were infecting computer networks in a mass hack that was putting countless lives at risk.
At Bucharest's national cyber-security centre (DNSC) they watched helplessly as the hackers spread across Romania through a popular piece of medical software.
Cyber-chief Dan Cimpean had a tough decision to make, but it was the only option they had.
The order went out to more than 100 hospitals. Disconnect from the internet, now.
The cyber-attack on Romania's hospitals in February 2024 is one of the worst to target healthcare systems around the world, but these incidents are becoming increasingly common.
Healthcare is now the most targeted area of critical national infrastructure, the FBI has said recently.
Cutting off 100 hospitals in Romania from the internet stopped the hackers in their tracks, buying time to work out how bad the attack was.
But it meant no connected devices, emails or web browsers.
Medical staff had to switch to pen and paper, improvising workarounds to protect patients while IT teams scrambled and the national cyber response centre tried to find out how the hackers had got in - and how they could stop them.
Their actions over four days from 10 February 2024, and those of the doctors and nurses, have been widely praised.
How they reacted and how they coped has become a test case for disaster planners internationally, as officials look for advice on responding to a mass hospital hack.
Surgeon Oana Goidescu was on shift at Buzău Hospital, 120km (75 miles) north-east of Bucharest, when the alert came that attackers had breached Bucharest-based software firm RSC, burrowing into a widely used medical system called Hippocrates.
"It was quite an unpleasant experience, because an IT record is not just a list of patients," she said. "For each patient, we request lab tests, radiology, medicines and supplies. All of that was gone."
Hippocrates is used by doctors, nurses and surgeons to manage everything from admissions to payroll, pharmacy logistics and test results.
Quietly, the cyber-attackers had begun infecting hospitals across the country that used the system with a ransomware strain called BackMyData. Files were being scrambled into gibberish and the demand was a ransom in bitcoin.
Staff at Pitești children's hospital, north-west of Bucharest, were the first to notice errors on Sunday morning, the day after the attack had begun.
By dawn on Monday, many other hospitals had reported the Hippocrates system was down.
With hospitals offline, the cyber-experts worked closely with the Hippocrates maker to work out how many systems had been infected and kick the hackers out.
Hospital doctors responded by creating workarounds to protect patients until things were back online.
"When we saw the system would not be repaired quickly, we developed an offline method so we could register every patient," said Vlad Paic from Carol Davila Hospital in Bucharest.
"We asked the laboratory to give us results on paper. We used Excel and other offline tools to ensure care was not affected."
Some doctors said the fallback to more analogue processes was helped by Romania's relatively recent shift to digital systems.
Cyber-investigators worked through the night and found 26 hospitals had been infected with BackMyData.
