Ransomware holds data hostage in two German hospitals

A ransomware campaign has hit two German hospitals, soon after another ransomware campaign hit a Los Angeles medical centre, and the clean up is set to take weeks.

Two more German hospitals have been hit with ransomware
Two more German hospitals have been hit with ransomware

Two German hospitals have fallen victim to a ransomware attack that has left them unable to access their systems. It is thought the clean-up operation to remove all traces of the malware could take weeks.

According to a report by German broadcaster Deutsche Welle, the attack took place two weeks ago at the Lukas Hospital in the city of Neuss. Another attack took place at the Klinikum Arnsberg hospital which is located in North Rhine-Westphalia. It is not known if the two attacks are related.

According to Lukas Hospital spokesman Dr. Andreas Kremer, once it was realised that an attack was taking place, the hospital “pulled the plug on everything”.

The attack also meant that an X-ray system needing to access data couldn't function as the data it needed was encrypted. This was after IT staff at the hospital noticed pop-up warnings on systems as well as a general slowness on the network.

"Our IT department quickly realised that we caught malware that encrypts data,” spokesperson Dr. Andreas Kremer told DW. “So if the X-ray system wants to access system data, it failed to find it because it's been encrypted, so it displays an error message.”

The attack also sent an email server offline. This meant that the hospital advised patients to call them or send a fax instead. Some high risk surgical operations were suspended for the time being.

The ransomware attack at the Klinikum Arnsberg was thought to have occurred after a member of staff accidentally opened an email carrying the malware. Staff detected the malware on a server and shut down the entire system to stop the spread.

"Fortunately, it was only one server that was affected. The virus had started to encrypt files, but we could simply restore them from a backup," Klinikum Arnsberg spokesperson Richard Bornkeßel told DW.

The report also said that at least one other hospital in the same state has succumbed to a similar attack. None of the hospitals has paid any demand to criminals and have reported the matters to local law enforcement.

Jonathan Levine, CTO at Intermedia, told SCMagazineUK.com that when one system is down, a business can usually limp along with alternate systems.

“The risk of a ransomware attack is that everything that connects to the network -- file systems, email systems, even phones -- may have to be taken offline, and modern businesses simply can't function anymore with just pen and paper,” he said.

“It's clear that people responsible for corporate systems need to add ransomware to the scenarios contemplated in their Disaster Recovery plans. Mitigating this will require IT departments to make provisions for accessing critical business information quickly and reliably even after file servers and workstations have been compromised.”

Candid Wüest, threat researcher at Symantec, told SC that it's important to ensure all organisations take an information-centric approach to securing their data.

“The healthcare industry has demonstrated increased focus on protecting patient records and personal data,” he said.

“However, this is increasingly becoming more challenging due to the introduction of multiple medical devices such as defibrillators and MRIs, which are connected and exposed to the internet. As a result, attackers could obtain unencrypted data, manipulate or even go so far as to disable these devices, resulting in serious consequences.”

Matthias Lichtenegger, German country manager at Savvius, told SC that it looks like a lot of systems in this hospital have been affected. “The Police are investigating each one, once this process has been completed it then needs to be cleaned and booted up. It is a long winded step-by-step process.

“You cannot merely restore the backup, because you don´t know which day has the ransomware on it and which one not. If you just restore the latest, you'll be sure to have the Ransomware problem again. If you lose important patient data, then nothing is gained,” he said.

Sign up to our newsletters