German authorities probe ransomware hospital death

German authorities are investigating the death of a woman in the wake of a failed ransomware attack on a Düsseldorf hospital that disrupted its IT systems and forced the closure of its accident and emergency department. The unnamed patient died in transit to a nearby facility in Wuppertal.

The fatal incident – thought to be the first ransomware attack to result in a death – unfolded on 10 September and affected about 30 servers at University Hospital Düsseldorf (UKD), which was forced to cancel hundreds of operations and other procedures. More than a week later, many of its systems remain offline.

The cyber criminals behind the attack left a ransom demand, but in what may be a case of mistaken identity, it was addressed to a different institution, Henrich Heine University. According to reports in the German media, when contacted by police, those responsible subsequently withdrew their ransom demand and handed over the decryption keys without a fuss.

As of 18 September, UKD remains closed to emergency patients pending a resumption of service. According to UKD commercial director Ekkehard Zimmer, this is due to the size of the hospital’s IT system and the volume of data impacted.

“We cannot yet estimate when this process will be completed,” said Zimmer. “However, we are confident that we will be able to better estimate the timespan in the next few days and then be there for our patients again, step by step.”

UKD medical director Frank Schneider added: “UKD and the specialist companies involved were able to make further progress in restoring the IT system. As things stand today, we expect that we will be able to resume emergency care within the next week.”

The investigation into the incident appears to indicate that it came about as a result of the now infamous CVE-2019-19781 Citrix vulnerability, a directory traversal vulnerability affecting Citrix ADC, Gateway and SD-WAN WANOP products.

UKD said it had followed recommendations from the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI) about this vulnerability when it was first disclosed in late 2019, and patched its systems immediately a fix became available.

Also, it said, an independent penetration test conducted in the past few months showed no signs of any intrusion. This would seem to suggest that those responsible accessed its systems almost a year ago and had been lying in wait since then.

BSI president Arne Schönbohm said: “We warned of the vulnerability back in January and pointed out the consequences of its exploitation. Attackers gain access to internal networks and systems and can paralyse them months later. I can only urge you not to ignore or postpone such warnings, but to take appropriate action immediately.”

Commenting on the incident, Tripwire vice-president Tim Erlin said: “When cyber attacks impact critical systems, there can be real-world consequences. We are not used to thinking of cyber attacks in terms of life and death, but that was the case here. Delays in treatment, regardless of the cause, can be life-threatening.

“Ransomware doesn’t just suddenly appear on systems. It has to get there through exploited vulnerabilities, phishing, or other means. While we tend to focus on the ransomware itself, the best way to avoid becoming a victim is to prevent the infection in the first place. And the best way to prevent ransomware infections is to address the infection vectors by patching vulnerabilities, ensuring systems are configured securely, and preventing phishing.”