Patient dies after ransomware attack reroutes her to remote hospital


A woman seeking emergency treatment for a life-threatening condition died after a ransomware attack crippled a nearby hospital in Duesseldorf, Germany, and forced her to obtain services from a more distant facility, it was widely reported on Thursday.

German authorities are investigating the unknown perpetrators on suspicion of negligent manslaughter, the Associated Press, German news outlet NTV, and others reported on Thursday. The event under investigation occurred last Friday when the unidentified woman was turned away from Duesseldorf University Hospital because a ransomware attack hampered its ability to operate normally. The woman was rushed to a hospital about 20 miles away, resulting in about a one-hour delay in treatment. She died.

So far, little is known publicly about the ransomware strain or the attackers involved in the infection, which began last Thursday, about 24 hours before the death occurred. A report from the North Rhine-Westphalia state justice minister said that the attack encrypted about 30 hospital servers and left a message instructing the Heinrich Heine University, with which the Duesseldorf hospital is affiliated, to contact the attackers.

Duesseldorf police eventually communicated with the attackers and told them that the attack had hit a hospital treating emergency patients, not the university. The attackers reportedly withdrew the extortion demand and provided a decryption key to unlock the servers. The justice minister's report said that the attackers are no longer reachable.

Hospital officials said on Twitter that the infection occurred after attackers exploited a vulnerability in a “widely used commercial add-on software,” which the tweet didn’t identify. As noted by ZD Net, the officials also said they had notified German authorities of the attack. Hours earlier, the German agency responsible for issuing cybersecurity warnings, the BSI, tweeted a link to this advisory from January. The advisory warned that attackers were actively exploiting CVE-2019-19781, a critical vulnerability in the Citrix application delivery controller, which customers use to perform load balancing of inbound application traffic.

Citrix didn’t immediately respond to an email asking if the vulnerability was the initial entryway into the Duesseldorf hospital. CVE-2019-19781 was in the news on Wednesday when federal prosecutors said it was one of several vulnerabilities allegedly used by hackers backed by the Chinese government to breach game and software makers.

Last week’s infection isn’t the first time hospitals have been paralyzed by ransomware. Last year, 10 hospitals—three in Alabama and seven in Australia—were hit by attacks that also hampered their ability to accept new patients. A few days later, the three Alabama hospitals reportedly paid the ransom so they could obtain the decryption key needed to restore their systems.

https://arstechnica.com/?p=1707440