Julio Rivera: How a Ransomware Attack Became Murder in Germany

Paramedics in Germany were called to the home of a 78-year-old woman suffering from an aortic aneurysm on September 11th. What was supposed to be a routine trip the hospital took a turn for the worse when the paramedics were told they couldn’t take the woman to the nearest university hospital. The accident and emergency department was closed, so that they couldn’t take her.

Instead, the woman was sent to the Helios University Hospital. The hospital was around 32 kilometers (20 miles) away. The journey took over an hour, meaning the patient didn’t get the treatment she needed to survive. She, unfortunately, passed away not long after reaching the hospital.

When Cyberthreats Threaten Your Life

The events that led to the tragic death caught the attention of cybercrime detectives. The reason that the local hospital couldn’t accept the woman was because of a ransomware attack. Hackers had encrypted data at the hospital and demanded a ransom, meaning that the hospital couldn’t help those who needed it.

The ransomware attack that night compromised the digital infrastructure powering the hospital. The hospital used technology to coordinate beds, doctors, and treatment, meaning that hundreds of procedures, including operations, were canceled. The attack also drastically reduced the capacity of the hospital. They could only treat around half of the 1,000 patients-per-day they would typically get. The hospital was forced to close its doors and turn away new admissions to focus on those already inside.

There was speculation after the attack that it could be considered the first death caused by ransomware. Prosecutors prepared to chase the hackers, assuming they could be found and identified and charge them with negligent homicide. Negligent homicide covers the act of killing someone without malice or through negligence. The prosecutors would have to prove legal causation, meaning that they would need to prove the attack – and the delay in treatment it caused – was sufficiently responsible for the patient’s death.

The Investigation Begins

Prosecutors in Cologne spent two months investigating the case but found insufficient evidence to continue pursuing the matter. The ransomware was part of the case, but the law meant it would be impossible for the hackers to be blamed for the death.

The hospital first noticed the attack in the early hours of September 10th, but there’s no telling when it began. The internal networks at the hospital are such an expansive staff could have been using them for days before encountering a compromised file. The ransomware entered the system through a Citrix vulnerability and went to work corrupting files and disrupting normal operations. The hospital insists the vulnerability in question was patched back in January when the patch was first released. Still, it’s possible the ransomware was installed before the patch was released, meaning that the patch wouldn’t have helped.

The Hackers Attacked the Wrong Target

Local reports suggest the attack was misdirected. The evidence for this is that the ransom note discovered by the hospital addressed not the hospital but the Heinrich Heine University affiliated with it. The attackers even offered the encryption key to the police when they learned that the hospital was hit and not the university. However, experts warn that providing the decryption key was just a publicity stunt. Hackers do anything they can for money. It’s possible the public attention generated by hacking a hospital was too much for the group, who looked for any out they could get.

Despite efforts by the hackers to undo everything, the damage was already done. The decryption took a long time to process, meaning that the system was still down by September 20th, even though decryption efforts started on the 11th. Even email systems were down at the hospital. The problem was that there was so much data affected by the attack, which compromised 30 servers. The hospital also had to launch an examination into security systems to prevent attacks in the future, and some networks are still getting reinforced. 

It is possible that, when considered from a medical perspective, the ransomware attack contributed to the death of the woman, even if only trivially. This isn’t enough evidence to establish the legal causation necessary for a negligent manslaughter conviction. The standard of proof for Germany means that prosecutors would have to show the attack played a “decisive” role in the death.

Did the Ransomware Lead to the Patient’s Death?

Germany establishes causation using a process similar to the “but for” test used by British courts. This means that the victim would have survived had it not been because of the ransomware attack. The prosecutors would also need to tie the death to the hackers legally. It isn’t unthinkable that such a thing would be possible. Still, it isn’t always easy to establish legal precedents and grounds in the event of a victim having a life-threatening illness. There were too many variables to say that the hack played a definitive role.

 Authorities conducted a detailed investigation, including consulting medical professionals, an autopsy of the woman, and a minute-by-minute breakdown of what happened that night. They conclude that the woman’s condition was so severe that she would have died even if she had been admitted to the first hospital. The delay in treatment didn’t contribute significantly to the ultimate outcome. It was determined that her medical condition was the sole cause of death, which was independent of the hack. Authorities compared it to hitting a dead body with your car; you may technically be breaking the law by speeding or driving dangerously, but you didn’t kill the person in the first place.

Authorities must now chase the hackers on the standard charges of hacking and blackmail, but even that won’t be easy. It will be challenging to identify the attackers and charge them with the crime, given so many hacking groups are based out of Russia. Russian authorities are notorious for protecting hackers against extradition. The attackers used Doppelpaymer ransomware for the attack, which has been tied to Russian hacking groups. 

German authorities feel it is only a matter of time before ransomware directly contributes to someone’s death. If the patient were suffering from a less severe condition, the attack would have been a more decisive factor. Being denied access to treatment can have significant implications for those who need medical assistance. Charging hackers with manslaughter could set a precedent for similar cases in the future, giving prosecutors more tools to fight against cybercrimes.

Setting a Precedent

The main challenge will be the burden of proof. Legal causation is established whenever someone dies earlier, even if b just a few hours, due to an attack. However, proving this is no easy feat. It wasn’t possible to verify that the patient in Dusseldorf would have survived, even for a few more hours, if not for the attack. Even so, it’s always a possibility that attackers could be charged with manslaughter.

Another vital thing to consider is that the long arms of the law can stretch much further if causation were established. Rather than just prosecuting the attackers, they could chase down and prosecute anyone involved with the attack. For example, authorities were prepared to consider the culpability of the IT staff at the hospital. Could they possibly have prevented the attack or reduced the damage caused by keeping a closer eye on the network?

The growing rate of attacks on hospitals is a cause for concern. Over 750 healthcare providers in the United States were hit by ransomware last year. The pandemic has only shed more light on these cases.

Interpol released a warning in April before the federal authorities in America warned of an increased cybercrime threat for healthcare providers and hospitals. It’s logical that some lives will likely be lost when one leverages them for money, especially when the official advice is not to pay such ransoms.

While these hackers may never be prosecuted for their part in the death, the attack is a stark warning about the potential dangers of cybercrime. There’s a big difference between attacking a private computer and only affecting one person and attacking a medical infrastructure and putting hundreds of lives at risk. The attack warned hospitals that they need to step up their security efforts and also warned hackers that their ransomware could do far more than just financial damage.