German hospital ransomware attack (2020)
|Date||Ransomware was first spotted on 10 September 2020, but the encryption process was most likely launched a day earlier, on 9 September (or even earlier). Decryption of data started on 11 September and took nearly two weeks, during which the hospital’s system remained non-functional.|
|Suspected actor||The attackers remain unknown; however, the German prosecutor indicated that the choice of deployed ransomware – Doppelpaymer – links the attack to Russian groups, without giving further details.|
|Target||Ransomware disabled the Düsseldorf University Hospital by compromising its infrastructure. However, the course of the attack suggested that the hospital might not have been the primary target and that the attack on it had been executed by mistake. The blackmail note found on one of the compromised servers was addressed to Heinrich Heine University, requesting the university to contact the perpetrators to discuss the ransom. This university is affiliated with the hospital but is not the hospital itself. Once the police contacted the attackers to inform them that they were targeting the hospital and not the university, the extortion attempt was withdrawn, and the decryption key was provided immediately.|
|Target systems||A vulnerability in virtual private network (VPN) software by Citrix.|
|Method||The attackers used a vulnerability in VPN software that had been known since January 2020 and deployed ransomware called Doppelpaymer. Initially, the Düsseldorf hospital was accused of failing to update its systems. However, the hospital insisted it had completed the patch of this vulnerability as soon as it was released, so the ransomware loader could have been installed before the update, waiting in the systems for months before its execution.|
|Purpose||Most likely ransom. One compromised server included a note addressed to Heinrich Heine University, requesting the institution to get in touch. The payment amount to obtain the decryption key was not specified. Once the German police informed the attackers that they were targeting a hospital, the decryption key was provided without any further ransom demand. After that, the communication was cut, and the perpetrators disappeared. The New York Times noted that such a development in a ransomware attack had not been seen before, since hospitals are a frequent target of cyber attacks – especially ransomware – because they are the most likely to pay the ransom so as not to endanger the healthcare they provide.|
|Result||In total, 30 servers had been corrupted. The ransomware compromised infrastructure used to coordinate medical staff, beds and treatment, as well as communication networks such as the e-mail service. Due to this impact, the hospital was forced to cancel hundreds of operations and scheduled procedures and stopped admitting new patients. The redirection of emergency patients is also why this ransomware attack is known worldwide: on 11 September 2020, a woman suffering from an aortic aneurysm could not be admitted to the Düsseldorf University Hospital and had to be taken to the Helios University Hospital in Wuppertal, 32 kilometres away. The patient died shortly after her arrival.
The decryption process was carried out by the Federal Office for Information Security, Germany’s cyber security agency. While it was under way, the hospital could offer treatment at only up to fifty per cent of its usual capacity.
|Aftermath||Following the death of the woman who had to be taken to the distant hospital because of the attack, the German prosecutor’s office opened a death investigation, pursuing the hackers for negligent homicide (killing a person through negligence or without malice). Several media outlets speculated whether this could be the first victim of a cyber attack. Nevertheless, the two-month-long investigation concluded that the patient was so ill she “likely would have died anyway”; hence the ransomware attack was involved but not to blame, despite the delay in the healthcare provided.
The attack once again shows how vulnerable hospitals are to cyber attacks. According to a Moody’s Investors Service report (bond credit ratings) from May 2021, the healthcare sector grew more vulnerable due to non-clinical employees working from home during the COVID-19 pandemic. The report states that employees working from home can increase the number of access points into the networks, for example, through more frequent phishing attempts. Similar results can be found in the Ponemon Institute report from September 2021, whose findings say that ransomware attacks during the pandemic impacted the safety of patients, data and care availability.
To fight this at the European Union level, the Commission proposes an update of the Network and Information Security directive that would require industries – including healthcare – to increase their cyber defences.
|Analysed in||Scenario 20: Cyber operations against medical facilities; Scenario 14: Ransomware campaign|
Collected by: Michaela Prucková
- W Ralston, “The untold story of a cyberattack, a hospital and a dying woman”, 11 November 2020, Wired.
- P H O’Neill, “A patient has died after ransomware hackers hit a German hospital”, 18 September 2020, MIT Technology Review.
- J Tidy, “Police launch homicide inquiry after German hospital hack”, 18 September 2020, BBC.
- AFP, “German experts see Russian link in deadly hospital cyber attack”, 22 September 2020, The Local DE.
- DPAT/RTL.de, “Tödlicher Hackerangriff auf die Uniklinik Düsseldorf?”, 17 September 2020, RTL News.
- M Miliard, “Hospital ransomware attack leads to fatality after causing delay in care”, 17 September 2020, Healthcare IT News.
- M Eddy and N Perlroth, “Cyber Attack Suspected in German Woman’s Death”, 18 September 2020, The New York Times.
- Reuters, “Prosecutors open homicide case after cyber-attack on German hospital”, 18 September 2020, The Guardian.
- AP/AFP, “German police probe ‘negligent homicide’ in hospital cyberattack”, 18 September 2020, DW.
- P H O’Neill, “Ransomware did not kill a German hospital patient”, 12 November 2020, MIT Technology Review.
- CENSINET, “Ponemon Research Report: The Impact of Ransomware on Healthcare During COVID-19 and Beyond”, September 2021.
- European Parliament, “2020/0359 (COD) A high common level of cybersecurity”.
- P Haeck, “‘It’s getting worse’: Irish hospital hack exposes EU cyberattack vulnerability”, 13 March 2021, Politico.