Threat Watch

Ransomware Attack on German Hospital Leads to Fatality

An attack on the Duesseldorf University Clinic’s systems has led to what might be the first fatality indirectly resulting from a ransomware attack. Last Thursday, an unidentified hacker used a vulnerability in a “widely used commercial add-on software” to gain access to the hospital’s systems. Systems gradually began going offline, and hospital personnel were unable to access any information on the network. As a consequence of the attack, many procedures had to be canceled and some patients in need of emergency services had to be rerouted to other hospitals. This rerouting led to the death of a German woman who was unable to get to another hospital in time. A ransom note was left on the hospital’s servers with information on how to get in contact with the ransomware operators, but no demand was made. Police established contact with the ransomware operators, who thought that they were attacking Duesseldorf University and not a hospital. Once the operators were informed that they had endangered hospital patients, they withdrew their demands and provided a decryption key. The hospital’s IT staff have begun recovering the impacted servers to bring systems back online.

ANALYST NOTES

Cyber-criminals have varying moral codes, which can make dealing with them unpredictable. In this particular case, the operators behind the ransomware likely realized that law enforcement efforts against them would be significantly greater because of the threat to life caused by their attack, and felt it would help their reputation to fully cooperate with law enforcement. Their cooperation appears to have been a case of “too little, too late” given the fatality caused by the attack. It is important that all systems on a network be given the same level of scrutiny when assessing security. Even systems that seem to be least significant can provide criminals with a much-needed foothold onto a targeted system. For example, if Windows servers have not been patched up through the August 2020 security updates, an attacker who gains access to one workstation can leverage the CVE-2020-1472 (Zerologon) vulnerability to completely take over a domain. More information on this topic can be found at
https://www.yourvalley.net/stories/german-hospital-hacked-patient-taken-to-another-city-dies,188174