How Ransomware Killed a Patient
Ransomware, malware used to extort money by locking up data, is one of the biggest cybersecurity threats to healthcare because of the sensitivity and high value of the information it holds.
In the summer of 2020, a ransomware attack on a German hospital affiliated with a university caused a patient death. Cybercriminals exploited a vulnerability in Citrix’s cloud-based application delivery tool and remote access product to lock the hospital’s servers, which halted admissions to the ER.
It did not start one day in September
A cyberattack does not happen overnight; it is preceded by months of reconnaissance and research. This attack used a vulnerability in a widely used commercial product, Citrix VPNs (CVE-2019-19781). In December 2019, white-hat hackers and Citrix discovered the flaw, which affected Citrix’s cloud-based application delivery tool and remote access product for its applications. Successful exploitation allowed attackers to tunnel into the many enterprise networks that use the software, such as a hospital system.
In its first advisory, Citrix assured customers that its supported stop-gap security measure would address the problem. As cybercriminals exploited the vulnerability, the advisory was revised to say that “in certain scenarios, the company’s mitigation techniques would not work,” and Citrix recommended that customers switch to a different software build to avoid the issue.
The Open Gap Makes It Easy for Hackers
This gap meant that intruders who had already exploited the flaw still had access to the system. Even after the security gap was closed, affected organizations faced an increased likelihood of future attacks planned while the intruders had access. FireEye, a cybersecurity company, reported from its investigation that an unknown actor was exploiting the vulnerability, cleaning up other malware on the compromised network, and planting its own code for future backdoor access. Per FireEye, the attacker’s code scanned for files eight times per second, matching other attempts to exploit the vulnerability and blocking them.
How The Ransomware Attack Happened
In August 2019, DoppelPaymer used “virus-themed email subject lines” as a new lure to infect systems. The ransomware spread by email, springing into action when the victim clicked a booby-trapped link, and was dropped onto computers by the Dridex trojan.
The suspected ransomware gang is “DoppelPaymer,” a group from a Russian-speaking country believed to be related to “Evil Corp.” In December 2019, the U.S. Justice Department indicted the two alleged leaders of “Evil Corp,” Maksim Yakubets and Igor Turashev. According to the indictment, Yakubets was suspected of running cybercrime campaigns on behalf of the Russian state’s Federal Security Service.
In light of the COVID-19 pandemic, they had joined other cybercriminals in pledging not to attack hospitals or medical facilities during the pandemic in 2020. When police informed them a hospital was affected, the hackers withdrew their ransom demand and provided a decryption key. The hospital was not the intended target, but the attack had already caused fatal damage.
How Ransomware Caused the Death
According to the BSI (Germany’s Federal Office for Information Security), a ransomware attack on a Düsseldorf hospital affiliated with Heinrich Heine University caused a patient death. The attack on the hospital was ‘misdirected’: the original target was the university, but the malware encrypted 30 servers at the hospital, and emergency services were diverted to other regional hospitals. During that time, a patient died while en route to another facility.
In Düsseldorf, the cybercriminals addressed the ransom note to Heinrich Heine University, not the affiliated hospital; the hospital was not the intended target. When police informed them a hospital was affected, the hackers withdrew their ransom demand and provided a decryption key. Unfortunately, it was too late — someone had lost their life.
Ransomware attacks against hospitals have adverse outcomes for patients, and the Düsseldorf case highlighted a new reality in cybercrime: a patient death linked to an attack.
Recovery requires an unplanned restore of massive amounts of data, using products designed for yesterday’s problems. Because of weak cybersecurity practices and reliance on legacy systems, healthcare networks and devices are at significant risk. Before a security patch is installed in a healthcare environment, it must first be checked to ensure it will not interfere with a system’s ability to connect to those other, older machines.
The incident starkly highlights the risk facing healthcare organizations running vulnerable software. Outdated code may cost an organization its data; for healthcare, patient safety is now on the line.
- A ransomware attack on a German hospital affiliated with a university caused a patient death because locked servers stopped admissions to the ER.
- A flaw in Citrix’s cloud-based application delivery tool and remote access product to a company’s applications allowed attackers access to the network.
- DoppelPaymer, the ransomware used in the attack on the Citrix systems, is a strain of another ransomware called BitPaymer.
- Ransomware victims’ average payment is $84,116, with an American university paying over $1 million.
- There is a knowledge gap at all levels of the organization.
- Patches are essential and should be installed quickly.