Ransomware Strikes a Group of German Hospitals

Ransomware Strikes a Group of German Hospitals

A group of German hospitals have become the latest victims of a ransomware attack—a state of affairs that has knocked them offline and reduced doctors to swapping handwritten notes instead of emails.

The first victim was Lukas Hospital in Germany's western city of Neuss—staffers began to be plagued by pop-up windows, and then noticed the systems getting slower and slower. Eventually, they proactively shut down their systems entirely, concerned about the safety of patient data.

"We then pulled the plug on everything," spokesperson Dr. Andreas Kremer told DW. "Computers, servers, even the email server, and we went offline."

It was soon clear that it was a ransomware attack, he added: “Our IT department quickly realized that we caught malware that encrypts data. So if the X-ray system wants to access system data, it failed to find it because it's been encrypted, so it displays an error message.”

Just two days after the Lukas Hospital was hacked, Klinikum Arnsberg Hospital in the German state of North Rhine-Westphalia fell victim. The vector was a social engineering ploy that sent a malicious attachment in an email.

Klinikum Arnsberg spokesperson Richard Bornkeßel said that staffers detected the virus on one of the 200 servers.

"Fortunately, it was only one server that was affected,” he said. “The virus had started to encrypt files,” so the IT department switched off the entire system to avoid further infection.

And, at least one other hospital in the same state also shut down its systems to avoid a potential hack.

In Klinikum Arnsberg’s case, it was able to restore its files from a backup fairly easily since it had only the one server to deal with. Lukas Hospital was not so lucky. Under the advice of the State Criminal Investigation Office (LKA), the hospital's security experts have developed a special software to cleanse the infected system and scan the more than 100 servers and some 900 devices connected to it—a task that will take the department until early summer to complete.

Pen and paper have for now supplanted email, and fax machines are being used to exchange patients' reports and X-rays. But there are other ramifications.

"High-risk surgeries were pushed to later dates due to safety reasons, but 80-85% of all operations took place as planned," Kremer said.

Ransom demands for large organizations can reach into the tens of thousands of dollars, making this a key issue for businesses. It’s also not enough to be prepared for the existing set of threats.

“Malware authors regularly change their tactics to try and stay one step ahead of their target victims,” said Carl Leonard, principal security analyst at Forcepoint, in an email. “New strains of encrypting ransomware are now showing up every week, so businesses have to remain vigilant and ensure they supplement strong security defenses with security best practices. It is vital to back up and archive critical data, only open email attachments from trusted or verified senders and disable Microsoft Office macros by default, only to be enabled when absolutely necessary.”

Photo © Aleksandar Mijatovic

Source: Information Security Magazine