Ransomware is a killer in the cybersecurity world. It turns out that it’s a killer in the real world too. A female patient in a German hospital died recently after a ransomware attack paralyzed the facility. The woman was rushed to another city for treatment since the hospital couldn’t provide care.
It appears to be the first case of ransomware playing a role in someone’s death—even though it was indirect. German authorities are now reportedly investigating hackers for negligent manslaughter. This case could set a precedent for future cybercrime investigations as hospitals are increasingly targeted by hackers.
Last Thursday, a ransomware attack hit the IT systems of the Duesseldorf University Clinic. It crippled the facility’s access to data, forcing it to temporarily suspend all operations. Patients in need of critical care were directed to other facilities.
The patient who died was reportedly rushed to another hospital 20 miles away, delaying her treatment by about an hour. Ultimately, that delay resulted in her death. Although it’s impossible to say whether she would have lived with treatment at the Duesseldorf hospital, her odds would have been better.
As if the circumstances of the ransomware attack weren’t tragic enough, reports show that it could have been prevented. Hospital investigators pointed to a vulnerability in “widely used commercial add-on software.”
Although they didn’t name the program specifically, evidence suggests that the Citrix application delivery controller was likely the target of the hack. Just one day before the attack, the German cybersecurity agency BSI sent out a warning to German companies urging them to update their Citrix network gateways. The agency mentioned that ransomware hackers were targeting a critical vulnerability tracked as CVE-2019-19781. Whether or not that specific flaw was exploited in the attack remains unclear. However, it is very likely.
In the United States, the same vulnerability was the subject of an alert sent out by the Cybersecurity and Infrastructure Security Agency, a division of the Department of Homeland Security. The agency warned that it is one of several known issues being used by Beijing-based hackers to exploit video game and software makers.
What Comes Next?
At this point, it doesn’t appear that the hackers had life-and-death intentions when they started the ransomware attack. In fact, it’s not clear what they wanted at all.
Moreover, no data seems to have been stolen from the hospital’s network. This makes the circumstances of the hack very strange. Experts believe that the hospital may not have been the intended target of the ransomware siege.
A note left by the hackers on one of the affected servers supports that theory. It is addressed to Heinrich Heine University. Notably, the university is an affiliate of the Duesseldorf clinic. One could conclude that the hackers were trying to attack the university and instead infiltrated the hospital’s network.
Once the hackers were told that they had missed their target and were endangering patients, they immediately provided a decryption key to unlock the crippled servers. Regardless, those responsible for the attack now have blood on their hands.
According to the latest reports, authorities have lost contact with those responsible. It will be very interesting to see how this case is handled. Authorities may want to make an example of these hackers to try to dissuade others from targeting hospitals with their malware.