The University Hospital Düsseldorf (UKD) in Germany was hit with a ransomware attack when the threat actors compromised their network by exploiting a vulnerability in a commercial add-on software which is common in the market and used worldwide.
According to Germany’s cybersecurity agency Bundesamt für Sicherheit in der Informationstechnik (BSI), the attackers exploited the Citrix ADC CVE-2019-19781 vulnerability that has been known since January 2020 in VPN products.
Patches for the Citrix ADC vulnerability were available since January 2020.
When their IT systems were disrupted, the hospital announced that planned and outpatient treatments and emergency care could not occur at the hospital and those who require emergency care were instead redirected to more distant hospitals for treatment.
The ransom notes found on the hospital’s encrypted servers were incorrectly addressed to Heinrich Heine University, rather than the hospital itself.
According to German media, the Düsseldorf police contacted and informed the threat actors that a hospital was affected by their hacking attack instead of the university. This had put patients at risk. The ransomware operators then withdrew the extortion and provided a digital key for decrypting the data.
After receiving the key, the hospital was restoring systems, and upon investigation it was found that no data were stolen.
However, a patient in a life-threatening condition was redirected to a more distant hospital in Wuppertal after University Hospital Düsseldorf deregistered its emergency services.
This had caused delay in getting care for the patient which may have led to her death. Due to the patient’s death, German prosecutors are investigating if this attack should be considered negligent manslaughter.
Ransomware operators like CLOP, DoppelPaymer, Maze, and Nefilim stated that they would not target hospitals or nursing homes and in case any was encrypted by mistake, they would provide a free decryption key.
But still we find attackers targeting hospitals without any concern for the health of their victim’s patients.