Doppelpaymer ransomware crew fingered for attack on German hospital that caused death of a patient
Same mob promised not to target healthcare facilities
The Doppelpaymer ransomware gang were behind the cyber-attack on a German hospital that led to one patient's death, according to local sources.
The Aachener Zeitung newspaper carried a report from the German Press Association (DPA) that Doppelpaymer's eponymous ransomware had been introduced to the University Hospital Düsseldorf's network through a vulnerable Citrix product.
That ransomware infection, activated last week, is said by local prosecutors to have led to the death of one patient who the hospital was unable to treat on arrival. She died in an ambulance while being transported to another medical facility with functioning systems.
Worryingly, the ransomware's loader had been lurking on the hospital's network since December 2019, according to a detailed report handed to the provincial government of North Rhine-Westphalia and seen by the DPA. December 2019 was when a patch was issued by Citrix for CVE-2019-19781 – the same vuln exploited to hit the hospital, according to German tech news site Heise.
You can see the Federal Office for Information Security's (BSI) report (in German), which specifically links the attack on Düsseldorf University Hospital to CVE-2019-19781, here. The federal infosec team was involved in restoring the hospital’s IT systems.
"(BSI) announced last week that the corresponding security gap in Citrix software had been known since the turn of the year. This was a loophole in the Citrix VPN software known as 'Shitrix' (CVE-2019-19781)," reported Heise, suggesting that once the loader had been planted on the network, the ransomware gang then opened a backdoor through a non-Citrix route before deploying the actual malware months later.
Readers who have Citrix in the cupboard are strongly recommended to check if they have an afflicted version of Citrix's Application Delivery Controller, Citrix Gateway, or Citrix SD-WAN WANOP appliance here – and to patch as soon as possible.
Doppelpaymer's operators had apparently thought they were targeting the University of Düsseldorf and not the hospital. They were said to have provided the decryption key for the ransomware upon learning that they had hit a hospital – too late, however, to save the unfortunate patient. Prosecutors in Cologne are now reportedly building a case for negligent homicide.
"The nature of the relationship between DoppelPaymer and Evil Corp is not clear, but some cooperation has been observed," said Brett Callow, a threat analyst at Emsisoft. He added: "A few ransomware groups claim to avoid – or, at least, attempt to avoid – hitting hospitals and say they will provide a decryptor at no cost should their aim ever be off. Unfortunately, however, even with that decryptor, recovering systems is not a speedy process and a hospital may not be able to fully return to normal operations for quite some time – and that's the time during which people could die."
An Emsisoft blog post on the subject calls for ransomware payments to be banned.
The Doppelpaymer gang has previously targeted defence and aerospace companies' supply chains. They are said to have links to Russia, though appear to be a private operation holding vital data to ransom in search of a profit, rather than a state-backed nasty. ®