German authorities revealed on Thursday that they had made contact with anonymous hackers who carried out a botched ransomware cyberattack that had unintentionally crippled the IT systems of the Dusseldorf University Clinic since the week prior, the Associated Press reported.
A total of 30 servers were encrypted the previous week, according to a recent report issued by the justice ministry of the state of North Rhine-Westphalia.
Though an extortion note was uncovered on one of the encrypted servers, it was actually addressed to Heinrich Heine University, a school affiliated with, but separate from, the hospital.
“There was no concrete ransom demand,” the hospital expressed.
The cyberattack exploited vulnerabilities present in “widely used commercial add-on software,” the Dusseldorf University Clinic said, citing investigators. Hospital personnel found themselves unable to access necessary data following the hack, forcing them to halt operations at the clinic and redirect emergency patients to a Wuppertal medical facility, some 34 kilometers (21 miles) away.
An unidentified woman needing urgent treatment arrived at Dusseldorf University Clinic on September 11. German prosecutors claim that doctors in Wuppertal were unable to see her for an hour, including the roughly 30-minute drive to the second facility. She died before receiving life-saving treatment.
German broadcaster RTL detailed that authorities were able to get in contact with the hackers and informed them of the ransomware attack’s impact on the hospital. The cybercriminals then provided Dusseldorf police with a digital key to decrypt the servers.
It’s worth noting that the decryption and retrieval of data were not instantaneous, and remained ongoing at the time of AP’s Thursday report.
Prosecutors have launched a negligent manslaughter investigation into the hackers. However, authorities have been unable to reestablish contact with the group following the digital key delivery.
Independent cybersecurity and privacy researcher Lukasz Olejnik, co-author of the International Committee of the Red Cross’ 2019 report entitled “The Potential Human Cost of Cyber Operations,” warned in May 2019 that hospitals’ increased reliance on digital systems for everyday operations concurrently raises the “risk of [the hospital] falling apart following cyberattack.” He also called attention to the possible “weaponization of vulnerabilities” and emphasized the need to “refrain from implanting vulnerabilities via the creation of backdoors.”
It remains unclear what particular vulnerability was exploited at the hospital.
“Potential indirect lethal victim of a cyberattack? Hospital was hacked, a patient had to be taken to a hospital in another city, with a tragic effect,” Olejnik tweeted on Thursday.
“Establishing causality is always [very] hard, so unclear BUT this potentially very serious indirect link.”