Fatal Hospital Hack Linked to Russia

A cyber-attack that caused a German hospital to refuse treatment to a woman who subsequently died has been linked to a Russian ransomware gang.

Attackers struck Düsseldorf University Clinic (DUC) on the night of Thursday, September 10, gaining access by exploiting a vulnerability in some commercially available Citrix software.

The hospital's IT systems crashed as a result, and patients seeking urgent care were diverted to another hospital 20 miles away in Wuppertal. A woman who had to seek urgent care elsewhere because the digitally besieged DUC was unable to treat her later died.

A spokesman for the responsible public prosecutor's office at the Cybercrime Central and Contact Point (ZAC) said the investigation into the suspected negligent homicide of a patient is ongoing. 

According to a report published today in German newspaper Aachener Zeitung, the cyber-attack on the DUC was carried out using crypto-locking DoppelPaymer malware. 

First observed in April 2019, DoppelPaymer is a form of ransomware that is believed to have originated from Russia.

"DoppelPaymer is a fork of BitPaymer, and BitPaymer was attributed to Evil Corp, which has been sanctioned by the US and has ties to the Russian Government," said Emsisoft's Brett Callow. "The nature of the relationship between DoppelPaymer and Evil Corp is not clear, but some cooperation has been observed." 

DoppelPaymer uses virus-themed email subject lines to attract victims. Like ransomware thugs MAZE, its operators extort money from victims by encrypting and exfiltrating their data and threatening to sell and/or publish sensitive information on the darknet.

News that DoppelPaymer was deployed in this tragic attack was included in a report to the German state parliament's legal committee and announced earlier today by the Ministry of North Rhine-Westphalia. 

An investigation into the cyber-incident by German authorities found that hackers smuggled a "loader" into the server at the DUC, possibly months before the next phase of the attack was carried out.

On the night of September 10, the criminals caused encryption software to be downloaded, infecting 30 servers at the DUC. 

The hospital's IT systems remain disrupted in the wake of the attack, threatening the safety of other people seeking urgent treatment. Emergency room services are expected to be restored this week. 
