Cybercriminals normally launch ransomware attacks on organisations to disrupt their business and get them to pay the ransom. While most cybercriminals target large enterprises and universities, some groups are very unlikely to target hospitals. Those that do are often looking to get their hands on clinical or medical data, as seen in the increase in COVID-19 vaccination hacks.
Unfortunately, that wasn’t the case for a woman in Germany who died during a ransomware attack on the Duesseldorf University Hospital. The hospital, which had suffered a ransomware attack, couldn’t accept any emergency patients, forcing the woman to be sent to another healthcare facility some 20 miles away. Her death may be the first to be directly linked to a cyber attack on a hospital.
Surprisingly, the ransom notes left on the hospital's encrypted servers were incorrectly addressed to Heinrich Heine University, rather than the hospital itself. According to media reports, the police contacted the ransomware operators via the ransom note instructions and explained that their target was a hospital. The ransomware operators then withdrew the ransom demand and provided a decryption key upon discovering the mistake they made.
The German cybersecurity agency, Bundesamt für Sicherheit in der Informationstechnik (BSI), reported that the attackers exploited the Citrix ADC vulnerability CVE-2019-19781. The report stated that BSI had been reporting the vulnerability in VPN products from Citrix since December 2019, as they were a known target for cyber attacks.
The BSI is becoming increasingly aware of incidents in which Citrix systems were compromised before the security updates that were made available in January 2020 were installed. This means that attackers still have access to the system and the networks behind it even after the security gap has been closed. This possibility is currently being increasingly used to carry out attacks on affected organisations.
Tony Jarvis, Chief Technology Officer, APAC, Check Point Software Technologies, said that this issue had always been a concern.
“Unfortunately, we have no idea how many other deaths have been indirectly linked to such attacks. We've seen power grids go dark, heating and air conditioning tampered with and critical infrastructure impacted. We've seen attacks affecting anything and everything connected to the Internet, from IoT devices to modern cars. What will it take to turn this around?”
Tony added that the solution to this problem is going to need buy-in from industry, governments, regulators and more. But above all else, he added, getting on top of this relies on everyone recognising the risks and doing what they can to mitigate them. That means asking questions, getting answers and understanding how this applies to them and their organisation.