The cyber attack on the University Hospital Düsseldorf (UKD) last week turns out to be a ransomware attack, as I suspected. The clinic was probably a random victim, but the public prosecutor’s office is now investigating, since a patient died because of the attack on the clinic. There is also first information about the vulnerability: probably the Shitrix vulnerability, known since December 2019, in a Citrix VPN endpoint.
The cyber attack on the UKD
Last week I blogged about the cyber attack only in German, on my other blog (see Düsseldorfer Uniklinik: IT-Ausfall durch Cyberangriff?). At that time, the hospital (Universitätsklinikum Düsseldorf, UKD) wrote in a statement that its computer systems had been shut down due to a ‘hacking attack’. The UKD had signed off from emergency care and remains signed off today. Plannable and outpatient treatments also did not take place and were postponed.
In a press release on September 17, the University Hospital still only confirmed a cyber attack that took place via a ‘security hole in common software’ and allowed access to the IT network. The statement says:
According to these analyses, the background to the failure is a hacker attack that exploited a vulnerability in an application. The vulnerability was found in a commercial add-on software that was customary in the market and distributed worldwide. Until the software company finally closed this gap, there was a sufficient time window to penetrate the systems. As a consequence of the sabotage act made possible by this, systems gradually failed and access to stored data was no longer possible.
But that’s bullshit bingo at its best. Given the circumstances, I suspected a ransomware infection early on. A statement for the press confirmed this implicitly:
The IT experts were now able to analyze the exact scope and restore access to the data. So far there is no evidence that data has been irretrievably destroyed. There is also no evidence at this stage that specific data has been retrieved. There has not been a concrete ransom demand.
More insights were provided by the government and by my sources. Here is some background information.
Ransomware infection confirmed
In the state parliament of North Rhine-Westphalia, the ‘cyber attack’ on the UKD on Thursday was discussed recently. Minister of Science Isabel Pfeiffer-Poensgen (independent) confirmed that the IT failure at the University Hospital of Düsseldorf was due to a hacker attack. This is reported by WDR in this article. Blog readers have already referred to corresponding press reports (Express, FAZ) in the comments here.
However, the University Hospital Düsseldorf was probably only a ‘chance victim’, because a blackmail letter addressed to the Heinrich Heine University was found on one of the affected servers. Pfeiffer-Poensgen told the state parliament that the police had contacted the ransomware gang and explained that the servers concerned were systems of an emergency hospital. The cyber criminals then handed over the key to decrypt the servers. This suggests that the men behind the ransomware attack wanted to hit the university instead of the hospital, the minister said.
Blame the Shitrix vulnerability
In this comment a German reader mentioned the Citrix vulnerability (known as Shitrix since December 2019, see also Ransomware: Are Potsdam and Gedia Shitrix victims?). In this context, some Citrix ADC Netscaler devices that were later patched were left with a backdoor planted during a previous infection. The German site heise had an article about that risk, Shitrix-Nachwehen: Citrix-Systeme mit unbemerkten Backdoors. Now several of my sources have told me that a vulnerable Citrix VPN server was attacked via the vulnerability CVE-2019-19781. heise also has a German article, Cyber-Angriff auf Uniklinik Düsseldorf: #Shitrix schlug zu, reporting the same.
Addendum: The German cyber security agency BSI has released a press note pointing out that the vulnerability (CVE-2019-19781) in Citrix VPN products has been known since Dec. 2019 and is being used in cyber attacks.
Prosecutor initiates death investigation proceedings
It has been reported, based on statements in a report by the NRW Justice Ministry, that the public prosecutor’s office in Wuppertal has initiated death investigation proceedings against persons unknown. The background: a patient in a life-threatening condition (rupture of the aorta) who was to be brought to the university hospital on the night of September 11-12 had to be referred to a hospital in Wuppertal. Since the treatment could only take place with a one-hour delay, the 78-year-old woman died a short time later. In such cases, the responsible public prosecutor always initiates an investigation. But whether this leads to a result is another matter.
Addendum: The colleagues from Bleeping Computer have now covered the story here in English and revealed some more details.