A person in a life-threatening condition has died after being forced to go to a more distant hospital due to a ransomware attack.
On September 10, the University Hospital Düsseldorf (UKD) in Germany suffered a ransomware attack after threat actors compromised its network through a software vulnerability in “commercial add-on software common on the market and used worldwide.”
According to the German cybersecurity agency Bundesamt für Sicherheit in der Informationstechnik (BSI), the attackers exploited the Citrix ADC vulnerability CVE-2019-19781.
“In this context, BSI points out that a vulnerability (CVE-2019-19781) known since January 2020 in Citrix VPN products is exploited for cyber-attacks,” BSI revealed in a statement.
Patches for the Citrix ADC vulnerability have been available since January 2020.
With its IT systems down, the hospital announced that scheduled and outpatient treatments and emergency care could not be performed at the hospital.
Instead, those seeking emergency care were redirected to more distant hospitals for treatment.
German media reports that the police contacted the ransomware operators via instructions in a ransom note, explaining that their target was a hospital.
The ransom notes that were left on the hospital’s encrypted servers were incorrectly addressed to Heinrich Heine University, rather than the hospital itself.
After the police contacted the threat actors and explained that they had encrypted a hospital, the ransomware operators removed the ransom note and provided a decryption key.
“The Düsseldorf police contacted and informed the perpetrators that a hospital, and not the university, had been targeted by their hacker attack. This puts patients at considerable risk. The perpetrators then removed the extortion and handed over a digital key with which the data can be decrypted again,” the German outlet NTV reported.
Since receiving the key, the hospital has slowly restored the systems and investigations have concluded that the data was probably not stolen.
Patient dies after being forced to go to another hospital
A patient in a life-threatening condition was redirected to a more distant hospital in Wuppertal after the University Hospital Düsseldorf deregistered from emergency services.
This interruption resulted in the patient receiving treatment an hour later, which may have caused her death.
Due to the patient’s death, German prosecutors are investigating whether this attack should be considered homicide.
“Prosecutors have launched an investigation into the unknown perpetrators of the suspected manslaughter because a patient in a life-threatening condition who should have been taken to hospital on Friday night was sent to a hospital in Wuppertal, some 20 miles away. Doctors were unable to start treating her for an hour and she died,” AP News reported.
Some ransomware operators claim they won’t attack healthcare
When the Coronavirus pandemic started, BleepingComputer contacted various ransomware operations to see if they would continue to target healthcare and medical organizations.
CLOP, DoppelPaymer, Maze, and Nefilim ransomware operators said they would not target hospitals, and if one was mistakenly encrypted, they would provide a free decryption key.
“We always try to avoid hospitals, nursing homes, if it’s any local government, we don’t always touch emergency health services (only occasionally possible or due to misconfiguration in their network). Not just now.
“If we do this by mistake, we will decrypt it for free,” DoppelPaymer ransomware operators told BleepingComputer.
Netwalker also claimed that they do not target hospitals, but stated that if they mistakenly encrypted one, the hospital would still have to pay the ransom.
“If someone is encrypted, they have to pay for the decryption,” Netwalker told BleepingComputer.
Still, after making these promises, we continue to see attackers targeting hospitals without concern for the health of their victims’ patients.
Update 09/18/20: Added information about the Citrix ADC vulnerability used in the attack.