Russian Cyber Gang Linked to Hospital Hack That Resulted in Woman's Death

A hack on a German hospital that sparked delays resulting in a patient's death was possibly linked to a cybercrime gang with ties to Russia, officials say.

Investigators probing the computer intrusion said in a notice to lawmakers on Tuesday that the September 10 attack, which left many systems offline or locked, had been caused by a type of ransomware called DoppelPaymer, Aachener Zeitung reported.

Citing "private security firms," the report, filed by the Ministry of Justice of the German state North Rhine-Westphalia, suggested the ransomware had been used globally and previously traced to hackers that appeared to be based in Russia.

No technical details had been released to back up the claim at the time of writing, and cyberattacks are notoriously difficult to attribute to a single group: the malware used to attack computer networks is traded among cybercriminals, so the same strain can be in the hands of more than one crew.

Systems at the University Hospital Düsseldorf (UKD) have suffered outages for almost two weeks after attackers broke in through a piece of "commercial add-on software" on September 10, leaving the facility unable to offer emergency care or appointments.

A patient who needed urgent care the day after the hack passed away after being sent to a facility in another city roughly 20 miles away, delaying her treatment by an hour, the Associated Press reported. A criminal case was launched, and is ongoing.

Researchers from the anti-virus firm Avast said in August that DoppelPaymer was using "virus-themed email subject lines" as a new lure. Ransomware is commonly delivered by email, with the infection starting when the victim opens a malicious attachment or clicks a booby-trapped link.

Brett Callow, a researcher with cyber firm Emsisoft, said DoppelPaymer is a variant of another type of ransomware called BitPaymer, previously attributed to a group called "Evil Corp." Two alleged leaders of that group — Maksim Yakubets and Igor Turashev — were indicted by the U.S. Justice Department in December 2019.

Federal officials said Yakubets and Turashev, both Russian nationals, distributed a type of malware called Dridex that was "designed with the added function of assisting in the installation of ransomware," ultimately stealing millions of dollars from victims.

Independent cybersecurity researchers have previously reported that the DoppelPaymer ransomware was being delivered to infected computers by the Dridex trojan.

According to NPR, Yakubets was suspected of orchestrating separate cybercrimes on behalf of the Russian state, potentially for the Federal Security Service (FSB).

Without providing exact evidence, a senior Treasury official said at the time: "Evil Corp and their Dridex software serves as yet another example of the Russian government enlisting the assistance of cybercriminals to carry out malign activities."

Exact links between Russian cyber-gangs and DoppelPaymer are unclear, but Callow suggested there is an overlap between previously-documented groups.

"DoppelPaymer is a fork of BitPaymer, and BitPaymer was attributed to Evil Corp," he told Infosecurity Magazine. "The nature of the relationship between DoppelPaymer and Evil Corp is not clear, but some co-operation has been observed."

Evidence, including an extortion note on one of the dozens of locked servers, suggested the target of the attack was actually Heinrich Heine University Düsseldorf.

Police reportedly used information contained inside the note to make contact with the culprits and informed them the hack had impacted the hospital. The attackers provided a key needed to decrypt the locked data, but have since been unreachable.

According to the AP, the ransom note demanded that the victim make contact, but did not say how much money it would cost to regain control of the servers.

Broadly, that fact matches with recent analysis on DoppelPaymer by Proficio, which said: "It's interesting to note that there is no ransom amount stated within the text file. Instead, a list of instructions was being provided to the victim to follow strictly.

"After the portal was accessed from the Tor browser, the victim would be provided with several key pieces of information, such as a countdown timer for a 'special price'... the ransom amount and a BTC address where the ransom payment can be sent to."
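The police in this case reportedly used details from the note on a locked server to reach the attackers, and the Proficio analysis above notes that the note carries instructions and a Tor portal rather than a price. The first thing a responder wants from a ransomware scene is therefore exactly that: every copy of the note, grouped so identical drops are counted once, with the .onion URL and any Bitcoin address or stated amount pulled out. The script below is an added example written for this article, not code from the hospital, the police, Proficio or any vendor. The note texts, file names, .onion address and BTC address are constructed placeholders that do not reproduce real DoppelPaymer material, and the keyword-scoring heuristic is my assumption, not a vendor signature.

```python
"""Ransom-note triage: find the notes an attacker dropped across a file tree,
group identical copies, and extract contact details (Tor portal URL, any Bitcoin
address or stated amount). Added example, not code from the article or any vendor;
all sample notes and addresses below are constructed placeholders."""
import hashlib
import os
import re
import tempfile

# v2 onions are 16 base32 chars, v3 are 56; scheme and path are optional.
ONION_RE = re.compile(r"\b(?:https?://)?[a-z2-7]{16,56}\.onion\b(?:/\S*)?", re.I)
# Bech32 (bc1...) and legacy base58 (1.../3...) address shapes (loose, shape-only).
BTC_RE = re.compile(r"\b(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
AMOUNT_RE = re.compile(r"\b\d+(?:\.\d+)?\s*(?:BTC|bitcoins?)\b", re.I)
KEYWORDS = ("encrypted", "decrypt", "tor browser", "ransom", "private key", "bitcoin")
NOTE_EXTENSIONS = (".txt", ".html", ".hta")
MAX_NOTE_BYTES = 64 * 1024  # ransom notes are small; skip anything larger


def classify(text):
    """Return (keyword_hits, onion_urls, btc_addresses, amounts) for one file's text."""
    lower = text.lower()
    hits = sum(1 for k in KEYWORDS if k in lower)
    onions = sorted({m.group(0) for m in ONION_RE.finditer(text)})
    btc = sorted(set(BTC_RE.findall(text)))
    amounts = AMOUNT_RE.findall(text)
    return hits, onions, btc, amounts


def is_ransom_note(text):
    """Assumed heuristic: two or more extortion keywords plus a contact or payment handle."""
    hits, onions, btc, _ = classify(text)
    return hits >= 2 and bool(onions or btc)


def triage_notes(root):
    """Walk root, keep files that look like ransom notes, group identical notes by
    content hash and summarise each family, most widely dropped first."""
    families = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(NOTE_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_NOTE_BYTES:
                    continue
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            if not is_ransom_note(text):
                continue
            _hits, onions, btc, amounts = classify(text)
            digest = hashlib.sha256(" ".join(text.split()).encode()).hexdigest()
            fam = families.setdefault(digest, {
                "sha256": digest, "locations": [], "onion_urls": onions,
                "btc_addresses": btc, "amount_stated": bool(amounts), "amounts": amounts,
            })
            fam["locations"].append(os.path.relpath(path, root))
    result = sorted(families.values(), key=lambda f: (-len(f["locations"]), f["sha256"]))
    for fam in result:
        fam["locations"].sort()
    return result


# Constructed sample data (placeholders, not real DoppelPaymer note text or addresses).
ONION_PLACEHOLDER = "example" * 8 + ".onion"  # 56 base32-style chars, v3-shaped
BTC_PLACEHOLDER = "bc1qexampleconstructedaddress00000000000"
NOTE_NO_AMOUNT = (
    "Your network has been penetrated.\n"
    "All files on each host in the network have been encrypted with a strong algorithm.\n"
    "To get the decryption tool follow these instructions strictly:\n"
    "1. Download and install Tor Browser.\n"
    f"2. Open this link in Tor Browser: http://{ONION_PLACEHOLDER}/\n"
    "Do not rename encrypted files and do not try to decrypt them with third-party software.\n"
)
NOTE_WITH_AMOUNT = (
    "Your files are encrypted.\n"
    f"Send 50 BTC to {BTC_PLACEHOLDER} and e-mail us the transaction id.\n"
    "After payment you receive the decryptor.\n"
)
DECOY_README = f"Install Tor Browser to reach our mirror at {ONION_PLACEHOLDER}\n"
DECOY_CHANGELOG = "v2.1: encrypted backups are now decrypted automatically on restore.\n"


def build_sample_tree():
    """Write the constructed notes and decoys into a temporary tree; return its root."""
    root = tempfile.mkdtemp(prefix="note-triage-")
    layout = {
        "readme_restore.txt": NOTE_NO_AMOUNT,
        "srv/db/readme_restore.txt": NOTE_NO_AMOUNT,
        "home/alice/readme_restore.txt": NOTE_NO_AMOUNT,
        "srv/web/RECOVER.txt": NOTE_WITH_AMOUNT,
        "opt/tool/README.txt": DECOY_README,
        "opt/tool/CHANGELOG.txt": DECOY_CHANGELOG,
    }
    for rel, text in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    for fam in triage_notes(build_sample_tree()):
        print(f"{len(fam['locations'])} copies, amount stated: {fam['amount_stated']}")
        print("  tor:", fam["onion_urls"], " btc:", fam["btc_addresses"], fam["amounts"])
```

Run against a real mounted image, point `triage_notes` at the mount root instead of the sample tree. The decoys show why the heuristic requires both extortion wording and a contact handle: a software README that merely mentions Tor Browser and a mirror address, or a changelog that talks about encrypted backups, is not flagged. The family with many copies and no amount is the DoppelPaymer-style pattern the Proficio analysis describes; the .onion URL it yields is what a responder (or, as here, the police) would need before anything else.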

In its latest statement, on September 18, officials said the Düsseldorf hospital was "still deregistered from emergency care and is not approached by the rescue service." Efforts to restore full access to the sabotaged systems are ongoing.

"As things stand today, we expect that we will be able to resume emergency care within the next week," said Prof. Dr. Frank Schneider, the medical director of the UKD.

Image: University Hospital Düsseldorf. The university hospital stands on February 27, 2020 in Düsseldorf, Germany. A ransomware attack on September 10 caused widespread disruption to dozens of servers this month. Lukas Schulze/Getty