Ransomware attack at German hospital leads to death of patient

Gandalf_The_Grey

A person in a life-threatening condition passed away after being forced to go to a more distant hospital due to a ransomware attack.

On September 10th, the Duesseldorf University hospital in Germany suffered a ransomware attack after threat actors exploited a software vulnerability in "a commercial add-on software that is common in the market and used worldwide."

With their IT systems disrupted, the hospital announced that planned and outpatient treatments and emergency care could not occur at the hospital.

Those seeking emergency care were instead redirected to more distant hospitals for treatment.

German media reports that the police contacted the ransomware operators via the ransom note instructions and explained that their target was a hospital.

The ransom notes left on the hospital's encrypted servers were incorrectly addressed to Heinrich Heine University, rather than the hospital itself.

After the police contacted the threat actors and explained that they encrypted a hospital, the ransomware operators withdrew the ransom demand and provided a decryption key.

"The Düsseldorf police then actually made contact and informed the perpetrators that a hospital - and not the university - was affected by their hacking attack. This puts patients at considerable risk. The perpetrators then withdrew the extortion and handed over a digital key with which the data can be decrypted again," German media NTV reported.

Since receiving the key, the hospital has slowly been restoring systems, and investigations concluded that data was likely not stolen.

Patient dies after forced to go to another hospital
NTV reports that a patient in a life-threatening condition was redirected to a more distant hospital after Duesseldorf University hospital deregistered its emergency services.

This disruption led to the patient receiving care an hour later, which may have led to their death.

Due to the death of the patient, German prosecutors are investigating this attack as a negligent manslaughter.

"Prosecutors launched an investigation against the unknown perpetrators on suspicion of negligent manslaughter because a patient in a life-threatening condition who was supposed to be taken to the hospital last Friday night was sent instead to a hospital in Wuppertal, a roughly 32-kilometer (20-mile) drive. Doctors weren’t able to start treating her for an hour and she died," AP news reports.
Read the full story at Bleeping Computer here:
 

Ink

"Prosecutors launched an investigation against the unknown perpetrators on suspicion of negligent manslaughter because a patient in a life-threatening condition who was supposed to be taken to the hospital last Friday night was sent instead to a hospital in Wuppertal, a roughly 32-kilometer (20-mile) drive. Doctors weren’t able to start treating her for an hour and she died," AP news reports.
Only manslaughter?
 

plat

To be blunt, I'm surprised this didn't happen earlier and more often. Now that hospital will probably face a lawsuit from the dead lady's family, on top of everything else.

Meanwhile, the ransomware operator, culpable of homicide, has probably gone into deep hiding. Likely is of non-Western origin, they hate the West as it is and often reference the sub-par security practices in place. "Hey it's their fault, we are teaching them a valuable lesson."
 

jogs

Hospital equipment should never be connected to the internet. Governments around the world should frame policies regarding this.
If information has to be shared with different departments in the hospital itself then they should have a closed network for this.
And equipment that needs internet, like for billing etc., should be on a different network.
 

Gandalf_The_Grey

Cyber attack on University Hospital Düsseldorf: BSI warns of acute exploitation of known vulnerabilities
....
In this context, the BSI emphasizes that a vulnerability (CVE-2019-19781) in VPN products from Citrix, known since December 2019, is being exploited for cyber attacks. The BSI is increasingly aware of incidents in which Citrix systems were compromised before the security updates that were made available in January 2020 were installed. This means that attackers still have access to the system and the networks behind it even after the security gap has been closed. This possibility is currently being increasingly used to carry out attacks on affected organizations.
The official response in German:
 

Freki123

To be blunt, if I have a job where it's life or death I would expect them to fund the IT well. A "we haven't had time/money to look for possible backdoors" just doesn't cut it (looking at the person funding the IT/management). They had from January till now to look and nada....
They say they had 2 specialized companies checking their systems and a pentest later... // At least that's how I understand it
 

Gandalf_The_Grey

Enough is enough: Woman’s death highlights the need for a ban on ransom payments:
The ransomware crisis
At the end of 2019, we stated the ransomware threat had reached a crisis level. Since then, the situation has only worsened, with attacks on healthcare and other public and private sector organizations continuing and escalating during the course of the pandemic. Even a ventilator manufacturer was attacked.

Compounding the problem is the fact that more and more groups have started to steal data and use the threat of releasing it as additional leverage to extort payment. Data is now stolen in about 1 in 4 attacks, resulting in very sensitive information falling into the hands of cybercriminals and subsequently being posted online.

Additionally, the average demand has increased significantly and now stands at somewhere between $150,000 and $250,000 USD, with multi-million dollar demands becoming increasingly commonplace. The highest demand publicly reported is $42 million; the highest demand not to be publicly reported is said to be in excess of $1 billion. For context, the average demand in 2018 was a little over $5,000. As a result of this increase, cybercriminals are better resourced and more motivated than ever.

We estimate that more than $25 billion will be paid in ransom demands during 2020, with an economic toll on the global economy of almost $170 billion – and these are extremely conservative estimates.

So far this year, at least 219 organizations in the US government, education and healthcare sectors – including multiple hospitals – have fallen victim to ransomware attacks and, in an increasing number of those incidents, sensitive data is being stolen and published online. Globally, there have been more than 170,000 successful attacks in 2020.

The impact of these attacks was significant.
  • Personal information was exposed.
  • Protected health information was exposed.
  • Intellectual property was lost.
  • Data was stolen from companies in the US Defense Industrial Base sector, including a contractor that supports the Minuteman III nuclear deterrent.
  • Companies were forced into insolvency.
  • Healthcare providers and other organizations were hit with class-action lawsuits.
  • Sensitive information relating to child abuse cases and veterans’ PTSD claims was posted online.
  • Sensitive information relating to ongoing police investigations was posted online.
  • Prosecutions were dropped due to evidence being lost.
  • Emergency patients were turned away from hospitals, medical records were inaccessible and in some cases permanently lost, surgical procedures were canceled, tests postponed and 911 services interrupted.
In short, these incidents represent a risk to national security, to election security, to companies’ intellectual property and financial security, to individuals’ personal information and to their health, safety and wellbeing.
Read the rest of this article on Emsisoft's blog here:
 
