Two German hospitals have fallen victim to a ransomware attack that has left them unable to access their systems. It is thought the clean-up operation to remove all traces of the malware could take weeks.
According to a report by German broadcaster Deutsche Welle, the attack took place two weeks ago at the Lukas Hospital in the city of Neuss. Another attack took place at the Klinikum Arnsberg hospital which is located in North Rhine-Westphalia. It is not known if the two attacks are related.
According to Lukas Hospital spokesman Dr. Andreas Kremer, once it was realised that an attack was taking place, the hospital “pulled the plug on everything.”
The attack also meant that an X-ray system needing to access data couldn't function as the data it needed was encrypted. This was after IT staff at the hospital noticed pop-up warnings on systems, as well as a general slowness on the network.
"Our IT department quickly realized that we caught malware that encrypts data,” Kremer told DW. “So if the X-ray system wants to access system data, it failed to find it because it's been encrypted, so it displays an error message.”
The attack also sent an email server offline. This meant that the hospital advised patients to call them or send a fax instead. Some high risk surgical operations were suspended for the time being.
The ransomware attack at the Klinikum Arnsberg was thought to have occurred after a member of staff accidentally opened an email carrying the malware. Staff detected the malware on a server and shut down the entire system to stop the spread.
"Fortunately, it was only one server that was affected," Klinikum Arnsberg spokesperson Richard Bornkeßel told DW. "The virus had started to encrypt files, but we could simply restore them from a backup."
The report also said that at least one other hospital in the same state has succumbed to a similar attack. None of the hospitals has paid any demand to criminals and have reported the matters to local law enforcement.
Jonathan Levine, CTO at Intermedia, told SC that when one system is down, a business can usually limp along with alternate systems.
“The risk of a ransomware attack is that everything that connects to the network – file systems, email systems, even phones – may have to be taken offline, and modern businesses simply can't function anymore with just pen and paper,” he said.
“It's clear that people responsible for corporate systems need to add ransomware to the scenarios contemplated in their disaster recovery plans. Mitigating this will require IT departments to make provisions for accessing critical business information quickly and reliably even after file servers and workstations have been compromised.”
Candid Wüest, threat researcher at Symantec, told SC that it's important to ensure all organizations take an information-centric approach to securing their data.
“The healthcare industry has demonstrated increased focus on protecting patient records and personal data,” she said.
“However, this is increasingly becoming more challenging due to the introduction of multiple medical devices, such as defibrillators and MRIs, which are connected and exposed to the internet,” she said. "As a result, attackers could obtain unencrypted data, manipulate or even go so far as to disable these devices, resulting in serious consequences.”
Matthias Lichtenegger, German country manager at Savvius, told SC that it looks like a lot of systems in this hospital have been affected. “The police are investigating each one. Once this process has been completed, it then needs to be cleaned and booted up. It is a long-winded step-by-step process. “You cannot merely restore the backup, because you don´t know which day has the ransomware on it and which one not. If you just restore the latest, you'll be sure to have the ransomware problem again. If you lose important patient data, then nothing is gained,” he said.