German authorities last week disclosed that a ransomware attack on the University Hospital of Düsseldorf (UKD) caused a failure of IT systems, resulting in the death of a woman who had to be sent to another hospital that was 20 miles away.
The incident marks the first recorded casualty as a consequence of cyberattacks on critical healthcare facilities, which has ramped up in recent months.
The attack, which exploited a Citrix ADC CVE-2019-19781 vulnerability to cripple the hospital systems on September 10, is said to have been “misdirected” in that it was originally intended for Heinrich Heine University, according to an extortion note left by the perpetrators.
After law enforcement contacted the threat actors and informed them that they had encrypted a hospital, the operators behind the attack withdrew the ransom demand and provided the decryption key.
The case is currently being treated as a homicide, BBC News reported over the weekend.
Unpatched Vulnerabilities Become Gateway to Ransomware Attacks
Although several ransomware gangs said early on in the pandemic that they would not deliberately target hospitals or medical facilities, the recurring attacks prompted the Interpol to issue a warning cautioning hospitals against ransomware attacks designed to lock them out of their critical systems in an attempt to extort payments.
Weak credentials and VPN vulnerabilities have proven to be a blessing in disguise for threat actors to break into the internal networks of businesses and organizations, leading cybersecurity agencies in the U.S. and U.K. to publish multipleadvisories about active exploitation of the flaws.
“The [Federal Office for Information Security] is becoming increasingly aware of incidents in which Citrix systems were compromised before the security updates that were made available in January 2020 were installed,” the German cybersecurity agency said in an alert last week.
“This means that attackers still have access to the system and the networks behind it even after the security gap has been closed. This possibility is currently increasingly being used to carry out attacks on affected organizations.”
The development also coincides with a fresh advisory from the U.K. National Cyber Security Centre (NCSC), which said it’s observed an uptick in ransomware incidents targeting educational institutions at least since August 2020, while urging schools and universities to implement a “defence in depth” strategy to defend against such malware attacks.
Citing Remote Desktop Protocol (RDP), vulnerable software or hardware, and email phishing as the three most common infection vectors, the agency recommended organizations to maintain up-to-date offline backups, adopt endpoint malware protection, secure RDP services using multi-factor authentication, and have an effective patch management strategy in place.
A Spike in Ransomware Infections
If anything, the ransomware crisis seems to be only getting worse. Historical data gathered by Temple University’s CARE cybersecurity lab has shown that there have been a total of 687 publicly disclosed cases in the U.S. since 2013, with 2019 and 2020 alone accounting for more than half of all reported incidents (440).
Government facilities, educational institutions, and healthcare organizations are the most frequently hit sectors, as per the analysis.
And if 2020 is any indication, attacks against colleges and universities are showing no signs of slowing down.
Allan Liska, a threat intelligence analyst at Recorded Future, revealed there had been at least 80 publicly reported ransomware infections targeting the education sector to date this year, a massive jump from 43 ransomware attacks for the whole of 2019.
“Part of this change can be attributed to extortion sites, which force more victims to announce attacks,” Liska said in a tweet. “But, in general, ransomware actors have more interest in going after colleges and universities, and they are often easy targets.”
You can read more about NCSC’s mitigation measures here. For more guidance on proofing businesses against ransomware attacks, head to US Cybersecurity Security and Infrastructure Security Agency’s response guide here.