A woman seeking emergency treatment for a life-threatening illness died after a ransomware attack crippled a nearby hospital in Düsseldorf and forced her to use services from a facility further away.
German authorities are investigating the unknown perpetrators on suspicion of negligent manslaughter, the Associated Press, German news agency NTV and others reported on Thursday. The event under investigation occurred last Friday, when the unidentified woman was turned away from the Düsseldorf University Hospital because a ransomware attack had impaired its normal functioning. The woman was taken to a hospital about 20 miles away, delaying treatment for about an hour. She died.
So far, little is publicly known about the ransomware strain or the attackers involved in the infection, which began last Thursday, about 24 hours before the death. A report by the North Rhine-Westphalian Minister of Justice said that the attack encrypted around 30 hospital servers and left a message instructing Heinrich Heine University, with which the Düsseldorf hospital is affiliated, to contact the attackers.
The Düsseldorf police eventually made contact with the attackers and informed them that the attack had hit a hospital that treated emergency patients, not the university. The attackers reportedly withdrew the extortion demand and provided a decryption key to unlock the servers. According to the Justice Minister's report, the attackers can no longer be reached.
Hospital officials said on Twitter that the infection emerged after attackers exploited a vulnerability in "widely used commercial add-on software" that the tweet failed to identify. As ZDNet reported, the officials also said they had informed the German authorities about the attack. Hours beforehand, the German authority responsible for issuing cybersecurity warnings, the BSI, tweeted a link to a notice from January. The notice warned that attackers were actively exploiting CVE-2019-19781, a critical vulnerability in the Citrix Application Delivery Controller, which customers use to load balance inbound application traffic.
Citrix did not immediately respond to an email asking whether the vulnerability was the initial entry point into the Düsseldorf hospital. CVE-2019-19781 was in the news Wednesday when federal prosecutors said it was one of several vulnerabilities allegedly being exploited by hackers supported by the Chinese government to breach game and software makers.
Last week's infection isn't the first time ransomware has paralyzed hospitals. Last year, 10 hospitals – three in Alabama and seven in Australia – were hit by attacks that also impaired their ability to admit new patients. A few days later, the three Alabama hospitals paid the ransom so that they could receive the decryption key needed to restore their systems.