Hospital

A person in a life-threatening condition passed away after being forced to go to a more distant hospital due to a ransomware attack.

On September 10th, the University Hospital Düsseldorf (UKD) in Germany suffered a ransomware attack after threat actors compromised their network a software vulnerability in "a commercial add-on software that is common in the market and used worldwide."

According to Germany's cybersecurity agency Bundesamt für Sicherheit in der Informationstechnik (BSI), the attackers exploited the Citrix ADC CVE-2019-19781 vulnerability.

"In this context, the BSI emphasizes that a vulnerability (CVE-2019-19781) that has been known since January 2020 in VPN products from Citrix for Cyber-Attacks being exploited," BSI revealed in a statement.

Patches for the Citrix ADC vulnerability have been available since January 2020.

With their IT systems disrupted, the hospital announced that planned and outpatient treatments and emergency care could not occur at the hospital.

Those seeking emergency care were instead redirected to more distant hospitals for treatment.

German media reports that the police contacted the ransomware operators via the ransom note instructions and explained that their target was a hospital.

The ransom notes left on the hospital's encrypted servers were incorrectly addressed to Heinrich Heine University, rather than the hospital itself.

After the police contacted the threat actors and explained that they encrypted a hospital, the ransomware operators withdrew the ransom demand and provided a decryption key.

"The Düsseldorf police then actually made contact and informed the perpetrators that a hospital - and not the university - was affected by their hacking attack. This puts patients at considerable risk. The perpetrators then withdrew the extortion and handed over a digital key with which the data can be decrypted again," German media NTV reported.

Since receiving the key, the hospital has slowly been restoring systems, and investigations concluded that data was likely not stolen.

Patient dies after forced to go to another hospital

A patient in a life-threatening condition was redirected to a more distant hospital in Wuppertal after University Hospital Düsseldorf deregistered its emergency services.

This disruption led to the patient receiving care an hour later, which may have led to her death.

Due to the patient's death, German prosecutors are investigating if this attack should be considered negligent manslaughter.

"Prosecutors launched an investigation against the unknown perpetrators on suspicion of negligent manslaughter because a patient in a life-threatening condition who was supposed to be taken to the hospital last Friday night was sent instead to a hospital in Wuppertal, a roughly 32-kilometer (20-mile) drive. Doctors weren’t able to start treating her for an hour and she died," AP news reports.

Some ransomware state they won't attack healthcare

At the beginning of the Coronavirus pandemic, BleepingComputer reached out to different ransomware operations to see if they would continue to attack healthcare and medical organizations.

The CLOP, DoppelPaymer, Maze, and Nefilim ransomware operators stated that they would not target hospitals, and if one was encrypted by mistake, they would provide a free decryption key.

"We always try to avoid hospitals, nursing homes, if it's some local gov - we always do not touch 911 (only occasionally is possible or due to missconfig in their network). Not only now."

"If we do it by mistake - we'll decrypt for free," the DoppelPaymer ransomware operators told BleepingComputer.

Netwalker also stated that they do not target hospitals, but said that if they encrypted one by accident, the hospital would still need to pay the ransom.

"If someone is encrypted, then he must pay for the decryption," Netwalker told BleepingComputer.

Even still, after making these promises, we continue to see attackers targeting hospitals without any concern for the health of their victim's patients.

Update 9/18/20: Added information about Citrix ADC vulnerability being used in the attack.

Related Articles:

The Week in Ransomware - March 1st 2024 - Healthcare under siege

Rhysida ransomware wants $3.6 million for children’s stolen data

Ransomware attack forces 100 Romanian hospitals to go offline

The Week in Ransomware - February 2nd 2024 - No honor among thieves

INC Ransom threatens to leak 3TB of NHS Scotland stolen data