German hospital ransomware attack (2020): Difference between revisions

From International cyber law: interactive toolkit
(Created blank page)
 
No edit summary
Line 1: Line 1:
{| class="wikitable"
! scope="row" |Date
|Ransomware was first spotted on 10 September 2020<ref name=":0">W Ralston, [https://www.wired.co.uk/article/ransomware-hospital-death-germany “The untold story of a cyberattack, a hospital and a dying woman”], 11 November 2020, ''Wired''.</ref>, but it launched the encryption process most likely a day before, on 9 September (or even earlier).<ref name=":1">P H O’Neill, [https://www.technologyreview.com/2020/09/18/1008582/a-patient-has-died-after-ransomware-hackers-hit-a-german-hospital/ “A patient has died after ransomware hackers hit a German hospital”], 18 September 2020, ''MIT Technology Review''. </ref> <ref name=":2">J Tidy, [https://www.bbc.com/news/technology-54204356 “Police launch homicide inquiry after German hospital hac]k”, 18 September 2020, ''BBC''.  </ref> Decryption of data started on 11 September and took nearly two weeks, during which the hospital’s system remained non-functional.<ref name=":0" />
|-
! scope="row" |Suspected actor
|The attackers remain unknown; however, the German prosecutor indicated the choice of deployed ransomware – Doppelpaymer – links the attack to Russian groups without detailed indication.<ref>AFP, “[https://www.thelocal.de/20200922/german-experts-see-russian-link-in-deadly-hospital-hacking/ German experts see Russian link in deadly hospital cyber attack]”, 22 September 2020, ''The Local DE''.</ref>
|-
! scope="row" |Target
|Ransomware disabled the Düsseldorf University Hospital by compromising its infrastructure. However, the course of the attack showed the hospital might not be its primary target and had been executed by mistake. <ref name=":0" /> The blackmail note within one of the compromised servers was addressed to Heinrich Heine University, requesting the university to contact the perpetrators to discuss the ransom. This university is affiliated with the hospital but is not the hospital itself. <ref name=":1" /> <ref name=":3">DPAT/RTL.de, “[https://www.rtl.de/cms/hacker-angriff-auf-uniklinik-duesseldorf-starb-eine-patientin-wegen-einer-erpressung-4615184.html Tödlicher Hackerangriff auf die Uniklinik Düsseldorf?]“, 17 September 2020, ''RTL News''.</ref>Once the police contacted the attacker to inform them that they were targeting the hospital and not the university, the extortion attempt was withdrawn, and the decryption key was provided immediately. <ref name=":4">M Miliard, “[https://www.healthcareitnews.com/news/hospital-ransomware-attack-leads-fatality-after-causing-delay-care Hospital ransomware attack leads to fatality after causing delay in care]“, 17 September 2020, ''Healthcare IT News''.</ref>
|-
! scope="row" |Target systems
|A vulnerability in a virtual private network (VPN) software by Citrix.<ref name=":0" />
|-
! scope="row" |Method
|The attackers used a vulnerability in a VPN software known since January 2020 and deployed ransomware called Doppelpaymer. <ref name=":0" /> Firstly, the Düsseldorf hospital was accused of failing to update its systems. <ref name=":1" /> <ref name=":5">M Eddy and N Perlroth, “[https://www.nytimes.com/2020/09/18/world/europe/cyber-attack-germany-ransomeware-death.html Cyber Attack Suspected in German Woman’s Death]”, 18 September 2020, ''The New York Times''.</ref> However, the hospital insisted it had completed the patch of this vulnerability as soon it was released, so the ransomware loader could have been installed before the update, waiting in the systems for months before its execution. <ref name=":0" />
|-
! scope="row" |Purpose
|Most likely ransom. One compromised server included a note addressed to Heinrich Heine University, requesting the institution to get in touch. The payment amount to obtain the decryption key was not specified.<ref name=":4" /> Once the German police informed the attackers that they were targeting a hospital, the encryption key was provided without further requesting a ransom. After that, the communication was cut, and the perpetrators disappeared. <ref name=":2" />The New York Times reminded that such a development in ransomware attack had not been seen before since hospitals are a frequent target of cyber attacks – especially ransomware – because they are most likely to pay the ransom not to endanger the provided healthcare.<ref name=":5" />
|-
! scope="row" |Result
|In total, 30 servers had been corrupted. <ref name=":3" />The ransomware compromised infrastructure providing coordination of medical staff, beds, treatment, as well as communication networks like e-mail service. <ref name=":0" />Due to this impact, the hospital was forced to cancel hundreds of operations and scheduled procedures and stopped the admissions of new patients. Redirection of patients in emergency conditions is also why is this ransomware attack known worldwide; on 11 September 2020, a woman suffering from an aortic aneurysm could not be accepted by the Düsseldorf University Hospital and had to be taken into the Helios University Hospital in Wuppertal 32 kilometres away. The patient died shortly after her arrival. <ref name=":0" />
The decryption process was carried out by the Federal Office for Information Security, Germany’s cyber security agency. <ref>Reuters, “[https://www.reuters.com/article/us-germany-cyber-idUSKBN26926X Prosecutors open homicide case after cyber-attack on German hospital]“, 18 September 2020, ''The Guardian''. </ref> The hospital could still offer treatment only up to fifty per cent of its usual capacity during it. <ref name=":3" />
|-
! scope="row" |Aftermath
|Following the death of a woman who had to be taken into the distant hospital because of the attack, the German prosecutor’s office initiated a death investigation pursuing hackers of negligent homicide (killing a person through negligence or without malice). <ref name=":0" /> <ref name=":3" /> Several media speculated whether this could be the first victim of a cyber attack. <ref name=":0" /> <ref name=":2" /> <ref>AP/AFP, “[https://www.dw.com/en/german-police-probe-negligent-homicide-in-hospital-cyberattack/a-54970859 German police probe ‘negligent homicide’ in hospital cyberattack]“, 18 September 2020, ''DW''. </ref><ref name=":6">P H O’Neill, “[https://www.technologyreview.com/2020/11/12/1012015/ransomware-did-not-kill-a-german-hospital-patient/ Ransomware did not kill a German hospital patient]”, 12 November 2020, ''MIT Technology Review''. </ref>Nevertheless, the two-month-long investigation concluded the patient was so ill she “likely would have died anyway“ <ref name=":6" />; hence the ransomware attack is involved but not to blame despite the delay in provided healthcare.<ref name=":0" />
The attack once again shows how hospitals are vulnerable to cyber attacks. According to Moody’s Investors Service Report (bond credit ratings), from May 2021, the healthcare sector grew more vulnerable due to non-clinical employees working from home during the COVID-19 pandemic. <ref name=":4" /> The report states that employees in the home office can increase the number of access points into the networks, for example, by more frequent phishing attempts. Similar results can be found in the Ponemon Institute Report from September 2021, whose findings say ransomware attacks during the pandemic impacted the safety of patients, data and care availability. <ref>CENSINET, “[https://www.censinet.com/ponemon-report-covid-impact-ransomware Ponemon Research Report: The Impact of Ransomware on Healthcare During COVID-19 and Beyond]”, September 2021.</ref>

To fight this on the European Union level, the Commission proposes an update of the Network and Information Security directive <ref>European Parliament, “[https://oeil.secure.europarl.europa.eu/oeil/popups/ficheprocedure.do?reference=2020/0359(COD)&l=en 2020/0359 (COD) A high common level of cybersecurity]”.</ref> that would require industries – including healthcare – to increase their cyber defences. <ref>P Haeck, “[https://www.politico.eu/article/irish-hospital-hack-highlights-eus-weak-spots/ ‘It’s getting worse’: Irish hospital hack exposes EU cyberattack vulnerability]“, 13 March 2021, ''Politico''. </ref>
|-
! scope="row" |Analysed in
|[[Scenario 20: Cyber operations against medical facilities]]; [[Scenario 14: Ransomware campaign]]
|}

Collected by: [[People#Research assistants|Michaela Prucková]]

[[Category:Example]]
[[Category:2007]]
[[Category:DDoS]]

<references />
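
Review bot: the category tags at the end of the added text, "[[Category:2007]]" and "[[Category:DDoS]]", do not match the entry, which describes a ransomware attack from September 2020; they look carried over from another page and should be replaced with the categories for the correct year and incident type. In the Date row, the BBC citation closes the link bracket inside the title ("hospital hac]k”") and opens the quotation mark inside the link, so the bracket should move to after "hack". The Result row credits a reuters.com link to ''The Guardian'', the Purpose row says the "encryption key" was provided where the Target row says "decryption key", and the Aftermath row cites a Moody's report "from May 2021" to ref ":4", which is dated 17 September 2020; each of these is worth reconciling before the revision stands.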

Revision as of 09:15, 30 September 2022

Date: The ransomware was first spotted on 10 September 2020,[1] but it most likely launched the encryption process a day before, on 9 September (or even earlier).[2][3] Decryption of the data started on 11 September and took nearly two weeks, during which the hospital’s system remained non-functional.[1]
Suspected actor: The attackers remain unknown; however, the German prosecutor indicated, without giving details, that the choice of deployed ransomware – Doppelpaymer – links the attack to Russian groups.[4]
Target: Ransomware disabled the Düsseldorf University Hospital by compromising its infrastructure. However, the course of the attack showed that the hospital might not have been the primary target and that the attack on it had been executed by mistake.[1] The blackmail note on one of the compromised servers was addressed to Heinrich Heine University, requesting that the university contact the perpetrators to discuss the ransom. This university is affiliated with the hospital but is not the hospital itself.[2][5] Once the police contacted the attacker to inform them that they were targeting the hospital and not the university, the extortion attempt was withdrawn, and the decryption key was provided immediately.[6]
Target systems: A vulnerability in virtual private network (VPN) software by Citrix.[1]
Method: The attackers used a vulnerability in VPN software that had been known since January 2020 and deployed ransomware called Doppelpaymer.[1] At first, the Düsseldorf hospital was accused of failing to update its systems.[2][7] However, the hospital insisted it had patched this vulnerability as soon as the patch was released, so the ransomware loader could have been installed before the update and then waited in the systems for months before its execution.[1]
Purpose: Most likely ransom. One compromised server included a note addressed to Heinrich Heine University, requesting the institution to get in touch. The payment amount to obtain the decryption key was not specified.[6] Once the German police informed the attackers that they were targeting a hospital, the encryption key was provided without any further ransom demand. After that, the communication was cut, and the perpetrators disappeared.[3] The New York Times noted that such a development in a ransomware attack had not been seen before, since hospitals are a frequent target of cyber attacks – especially ransomware – because they are most likely to pay the ransom so as not to endanger the healthcare they provide.[7]
Result: In total, 30 servers had been corrupted.[5] The ransomware compromised infrastructure used to coordinate medical staff, beds and treatment, as well as communication networks such as the e-mail service.[1] Due to this impact, the hospital was forced to cancel hundreds of operations and scheduled procedures and stopped admitting new patients. The redirection of emergency patients is also why this ransomware attack is known worldwide: on 11 September 2020, a woman suffering from an aortic aneurysm could not be accepted by the Düsseldorf University Hospital and had to be taken to the Helios University Hospital in Wuppertal, 32 kilometres away. The patient died shortly after her arrival.[1]

The decryption process was carried out by the Federal Office for Information Security, Germany’s cyber security agency.[8] While it was under way, the hospital could offer treatment at only up to fifty per cent of its usual capacity.[5]

Aftermath: Following the death of the woman who had to be taken to the distant hospital because of the attack, the German prosecutor’s office opened a death investigation, pursuing the hackers for negligent homicide (killing a person through negligence or without malice).[1][5] Several media outlets speculated whether this could be the first victim of a cyber attack.[1][3][9][10] Nevertheless, the two-month-long investigation concluded the patient was so ill she “likely would have died anyway”;[10] hence the ransomware attack was involved but not to blame, despite the delay in the healthcare provided.[1]

The attack once again shows how vulnerable hospitals are to cyber attacks. According to a Moody’s Investors Service report (bond credit ratings) from May 2021, the healthcare sector grew more vulnerable due to non-clinical employees working from home during the COVID-19 pandemic.[6] The report states that employees working from home can increase the number of access points into the networks, for example, through more frequent phishing attempts. Similar results can be found in the Ponemon Institute report from September 2021, whose findings say ransomware attacks during the pandemic impacted the safety of patients, data and care availability.[11]

To fight this at the European Union level, the Commission proposes an update of the Network and Information Security directive[12] that would require industries – including healthcare – to increase their cyber defences.[13]

Analysed in: Scenario 20: Cyber operations against medical facilities; Scenario 14: Ransomware campaign

Collected by: Michaela Prucková

  1. W Ralston, “The untold story of a cyberattack, a hospital and a dying woman”, 11 November 2020, Wired.
  2. P H O’Neill, “A patient has died after ransomware hackers hit a German hospital”, 18 September 2020, MIT Technology Review.
  3. J Tidy, “Police launch homicide inquiry after German hospital hack”, 18 September 2020, BBC.
  4. AFP, “German experts see Russian link in deadly hospital cyber attack”, 22 September 2020, The Local DE.
  5. DPAT/RTL.de, “Tödlicher Hackerangriff auf die Uniklinik Düsseldorf?”, 17 September 2020, RTL News.
  6. M Miliard, “Hospital ransomware attack leads to fatality after causing delay in care”, 17 September 2020, Healthcare IT News.
  7. M Eddy and N Perlroth, “Cyber Attack Suspected in German Woman’s Death”, 18 September 2020, The New York Times.
  8. Reuters, “Prosecutors open homicide case after cyber-attack on German hospital”, 18 September 2020, The Guardian.
  9. AP/AFP, “German police probe ‘negligent homicide’ in hospital cyberattack”, 18 September 2020, DW.
  10. P H O’Neill, “Ransomware did not kill a German hospital patient”, 12 November 2020, MIT Technology Review.
  11. CENSINET, “Ponemon Research Report: The Impact of Ransomware on Healthcare During COVID-19 and Beyond”, September 2021.
  12. European Parliament, “2020/0359 (COD) A high common level of cybersecurity”.
  13. P Haeck, “‘It’s getting worse’: Irish hospital hack exposes EU cyberattack vulnerability”, 13 March 2021, Politico.