
Potential ransomware-related death still under investigation

German authorities say they are still investigating the death of a patient in connection with a ransomware attack on Düsseldorf University Hospital in Germany last month.

A ransomware attack against the Düsseldorf University Hospital in Germany may have resulted in the first ransomware-related death, but German authorities said they are still investigating the incident.

An unnamed 78-year-old woman was en route to the hospital when its IT systems failed as a result of an "apparently misdirected" ransomware attack last month, according to German authorities referenced in an AP News article published Sept. 17.

Because of the attack, she had to be taken to the neighboring city of Wuppertal and later died. As Ulrich Bremer, senior public prosecutor in Cologne, Germany, told SearchSecurity in an email, "she may have died due to the delayed emergency care."

Ulrich's full investigation update to SearchSecurity is as follows (translated from German via Google Translate):

"A 78-year-old patient could not be transported to the intended university clinic in Düsseldorf due to the hacker attack but was driven to the neighboring Wuppertal. She may have died due to the delayed emergency care. Now the public prosecutor's office in Cologne is investigating because of negligent homicide. As for the hacker attack itself: After the police had informed the hackers, who allegedly came from Russian-speaking countries, about the wrong sender, the perpetrators sent a digital key to unlock the server."

UPDATE 11/13: Dr. Christoph Hebbecker of the Cologne Public Prosecutor's Office confirmed the negligent homicide investigation is now closed. "I can confirm that a causal link between the hacking attack and the death could not be established," Hebbecker said in an email to SearchSecurity. "The investigation into the hacking attack itself is ongoing and has not yet been completed. The investigation is still not directed against any specific person. It is expected that the investigation will continue for several months."

German authorities delivered a report to lawmakers last month attributing the attack to the DoppelPaymer ransomware gang. Earlier this year, DoppelPaymer was one of several ransomware gangs that publicly pledged not to attack hospitals or medical facilities during the COVID-19 pandemic.

The hospital initially suffered IT failures on Sept. 10 and announced in a press release that day that patient care would only be available on a limited basis. It took until Sept. 23 for the hospital to begin accepting emergency patients again, though it didn't appear to be back at full capacity.

According to the AP, the patient could not be treated for an hour because she was redirected, and she died the night of Sept. 11.

The attack sparked outrage in the technology and infosec communities. Following the reports of the patient's death, Emsisoft published a blog post saying the incident "appears to have been" the first ransomware-related death. The antimalware vendor also called on governments to ban ransom payments in order to reduce the profitability of ransomware attacks.

CrowdStrike senior vice president of intelligence Adam Meyers called this attack the fruition of major concerns over ransomware attacks against hospitals.

"The big concern that people rightly have around ransomware attacks against hospitals is that it could have negative outcomes for patients, and this Düsseldorf case is the first one where that's kind of been documented where a patient was inbound, they shut down because I think they couldn't really effectively do intake given the ransomware, and the patient was redirected to a hospital that was farther away and expired as a result of it," Meyers said.

Cybereason CISO Israel Barak told SearchSecurity that the lines between impact in the "cyber world" and the real world are starting to blur.

"I think it's a tragic situation where we see that those boundaries between the cyber world and the real world where lives are at stake are becoming very blurry. And we can see in some verticals and industries that an incident can move very quickly from something that only exists in cyberspace and cyber-risk into impacting people's lives, and become something that is very, very apparent and tragic in our physical, kinetic world," he said.
