29 Feb 2016

Crypto ransomware hits German hospitals
At least three hospitals in the German state of North Rhine-Westphalia have been hit with crypto ransomware.

One is Lukas Krankenhaus (Lukas Hospital) in Neuss, the second one is Klinikum Arnsberg, an academic teaching hospital that’s part of the Westphalian Wilhelms-University in Münster, and the third one is still unnamed.
According to DW, it’s still unclear if they have been hit with the same ransomware, but they didn’t get any targeted ransom demand apart from the usual one shown by the malware, and the authorities believe that the attacks were not targeted at all.

In Klinikum Arnsberg’s case, the ransomware (or, more likely, a downloader that later dropped the ransomware) arrived as an attachment in an email. A careless click by one of the staff let the malware loose on the network.

According to Richard Bornkeßel, the clinic’s spokesman, it managed to compromise only one of the 200 servers, which was immediately shut down, as was the entire system. Luckily, they had a backup of the files on each server. The attack apparently didn’t affect the day-to-day activities in the hospital, as all the important medical devices can work without network access.

Lukas Hospital was not so lucky.

They pulled the plug on the entire network and all systems – computers and servers – almost immediately after noticing error messages popping up all over the place. The messages were shown because the various medical systems wanted to access system data and files, and couldn’t because they had been encrypted.

“We haven’t received a concrete demand for money, but we’ve seen these pop up windows that appear if you don’t stop the ransomware on a computer,” the hospital’s spokesman Dr. Andreas Kremer said, and noted that they have been advised by the authorities not to contact the people behind the ransomware via the offered anonymous email address.

The hospital’s IT security staff has been cleaning the affected servers and devices, and restoring data from backups, which the hospital laudably performs regularly. The rest of the data that has been lost will be entered manually again, and so will the notes that the staff has been forced to take on paper while the network was down.

As in a similar incident that hit the Hollywood Presbyterian Medical Center around the same time (two to three weeks ago), the hospital staff has to use pen and paper and fax machines to write down and share patient information between the various departments.

The attack affected patients who were scheduled for high-risk surgeries, as they were rescheduled for later dates just in case. According to the spokesman, it will take a few months for everything to go back to normal. The clinic’s email server is still offline, and patients are advised to contact the hospital via phone or fax.

As a side note, a few days ago reports began circulating that a New Zealand hospital has also been hit with Locky, a new crypto ransomware family that can also find and encrypt files on unmapped network drives.