On December 24th, a severe ransomware attack hit three key hospitals in Germany, causing significant operational disruptions. The institutions impacted were Franziskus Hospital in Bielefeld, Sankt Vinzenz Hospital in Rheda-Wiedenbrück, and Mathilden Hospital in Herford, all part of the Catholic Hospital Association of East Westphalia (Katholische Hospitalvereinigung Ostwestfalen, KHE), a network that includes six facilities and employs 3,300 staff members across the country.
The Attack Details
An unidentified actor infiltrated the IT systems of these hospitals, encrypting data and compromising system functionality. The preliminary analysis indicated that LockBit 3.0, a sophisticated ransomware developed by the LockBit ransomware group, was likely responsible. Known as LockBit Black in its third iteration, this ransomware has been implicated in over 1,400 global attacks, including against major corporations like Boeing, the Industrial and Commercial Bank of China, DP World Australia, and Allen & Overy. Notably, LockBit recently exploited a patched Citrix zero-day vulnerability.
Stay One Step Ahead of Cyber Threats
Immediate Response and Impact on Hospital Operations
In response to the attack, all IT systems were immediately shut down, and a crisis team was formed to manage the situation. Despite the system lockdown, essential patient data remained accessible, allowing for continued patient treatment with minor technical limitations. However, the hospitals withdrew from emergency care, redirecting urgent cases to other facilities. Dr. Jan Schlenker, Managing Director of KHO, confirmed the continuation of patient care under these constrained conditions.
The Franziskus Hospital Bielefeld, Sankt Vinzenz Hospital Rheda-Wiedenbrück, and Mathilden Hospital Herford are key healthcare providers in their respective communities. The disruption of their services due to the recent cyberattack underscores the growing vulnerability of healthcare institutions to such threats.
The Broader Context of the Attack
LockBit operates on a ransomware-as-a-service model, allowing its affiliates to conduct attacks using its tools and infrastructure. This model has led to significant variations in the tactics, techniques, and procedures of LockBit attacks. The extent of the damage and whether any patient data or other sensitive information was stolen remain undetermined, as the LockBit ransomware gang has not yet added KHO to its extortion portal on the dark web. Recently, the group exploited a now-patched Citrix zero-day vulnerability, demonstrating their capability to leverage current vulnerabilities in their operations.
As of December 27, 2023, the LockBit ransomware gang has not listed KHO on its extortion portal on the dark web, leaving the question of whether patient data or other sensitive information was stolen unanswered. The extent of the damage caused by the incident remains unclear, and investigations are ongoing to determine the full impact of the attack.
Conclusion
This incident is a stark reminder of the growing cyber threats facing healthcare systems worldwide. The ability to quickly respond and maintain critical patient care in the face of such challenges is a testament to the resilience and preparedness of these institutions. However, the need for enhanced cybersecurity measures and continuous vigilance remains paramount to protect against such sophisticated attacks in the future.
"Amateurs hack systems, professionals hack people."
-- Bruce Schneier, a renown computer security professional
