First Ransomware-Related Death Reported in Germany After Attack Paralyzes Hospital

It sounds like something out of a tragic Black Mirror episode: A woman seeking urgent care died this week after an apparently bungled ransomware attack took down a major hospital in Germany, thus forcing paramedics to rush her to another city for treatment, according to several outlets.

It appears to be the first case of someone dying as a result of a ransomware attack, albeit indirectly, and German authorities are investigating the unknown hackers on suspicion of negligent manslaughter, the Associated Press reports

Beginning Thursday night, the attack disrupted the IT systems at Duesseldorf University Clinic, crippling its ability to access data and forcing it to postpone all scheduled operations and direct emergency patients elsewhere. The event under investigation happened on Friday, when a woman in a life-threatening condition was rushed to a hospital roughly 20 miles away, delaying her treatment by about an hour, which resulted in her death.

Weirdly though, the hospital said on Twitter that “there was no concrete ransom demand” and no data appears to have been stolen, indicating that it may have just been an unlucky victim caught in a misdirected attack. An extortion note left on one of the 30 servers crippled in the hack further supports that theory: It’s addressed to the Heinrich Heine University, an affiliate of the clinic, according to a report from North Rhine-Westphalia state’s justice minister per AP. The note tells the university to get in touch, but doesn’t list any demands, which only brings up more questions.

Local police were eventually able to get in contact with the perpetrators and let them know that they not only missed their intended mark, but they’d also endangered the hospital’s patients in the process. The attackers reportedly dropped the extortion attempt immediately and provided a decryption key to unlock all hacked servers. Authorities have since lost contact with them, according to the justice minister’s report.

The hospital said investigators have traced the problem to a hacker exploiting a vulnerability in “widely used commercial add-on software,” which it did not name. However, as Wired points out, evidence suggests that it’s likely the Citrix application delivery controller, a tool from the software company Citrix Systems that’s used to optimize traffic without sacrificing data security. In a subsequent tweet, hospital officials said they had alerted German authorities of the attack, including the German cybersecurity agency BSI, which is responsible for sending out cybersecurity warnings. The day before the attack, the BSI tweeted a warning to German companies urging them to update their Citrix network gateways because ransomware gangs were exploiting a critical vulnerability known as CVE-2019-19781.

That same vulnerability also made headlines on Wednesday after the Cybersecurity and Infrastructure Security Agency, a division of the U.S. Department of Homeland Security, published a security advisory warning that CVE-2019-19781 was one of several backdoors used by Beijing-backed hackers to target game and software makers.

While this week’s incident appears to have been a tragic and fatal mix-up, ransomware attacks have grown steadily more frequent across the globe in recent months. Dozens of the biggest names in the entertainment history were hit in May, with other ransomware victims including the watch-maker Garmin, the foreign exchange company Travelex, and the network powering the Texas court system, just to name a few. Hackers reportedly raked in millions of dollars from these attacks, which explains why more and more bad actors are risking jail time to get a juicy cut.