Unfortunately, the time has come to answer a question I get on a fairly regular basis. I didn't want to ever have to answer this question in a blog post. It's depressing, and a kind of alarmism to ring this bell, but we've reached a point where it can't be avoided anymore.
Many readers have asked "Has ransomware ever killed anyone?" Unfortunately, for both the ransomware authors and all the rest of us, the answer is now a definitive "yes."
Last week, according to BleepingComputer and several other news sources, University Hospital Düsseldorf (UKD) in Germany was struck with a ransomware attack. The attack resulted in the closure to new patients of their Casualty and Emergency Department (i.e. the Emergency Room); which led to the unfortunate need to re-direct inbound ambulance traffic to other hospitals as they could not accept new patients. This led to the death of one such patient - a woman who was en-route in an ambulance went the ER shutdown occurred; as the extra time needed to get to another ER caused life-saving treatment to be delayed, resulting in the patient dying on the way to the second ER.
Let me be clear here. For possibly the first time, but unfortunately probably not the last, a person has died as the direct result of ransomware. Unlike some previous incidents of emergency services being delayed/rendered inoperable by ransomware, this incident has a direct cause/effect relationship with a known fatality. The ER was closed as a direct result of the ransomware, the patient died because they could not be treated by the closest ER. Had the patient made it to the UKD ER, their chances for survival would have been significantly higher due to the fact that they would have been treated an hour sooner - well inside the "golden hour" that medical professionals consider vital to patient survivability after a medical emergency.
German prosecutors are moving forward with an investigation into charges of negligent homicide against the attackers for their role in the death of the patient. This underscores how German law enforcement is not considering this merely a financial crime, but a crime on par with a death that occurs as the result of drunk driving.
Threat actors launching ransomware attacks must be aware that the attacks themselves - even if targeted at non-critical infrastructure - can end up hitting hospitals through a myriad of ways. Patients with infected machines can join the hospital wifi. Self-propagating ("worm") type ransomware can jump from the network of some other business into the hospital network. Those who re-use one author's malware can purposely inflict it on healthcare networks to attack not only the targeted hospital but attack the original authors by making them part of the crime since their malware was used.
Additionally, we must not ignore security warnings because it would be inconvenient to the business to patch and correct problems. The hospital in question was attacked through the use of a known vulnerability in their networking systems. A patch for this vulnerability exists, and has been available for over eight months. A specific notification of warning had been issued by the vendor and by multiple security watchdog agencies in multiple countries. A workaround was also available for those systems that could not be immediately patched. The hospital did not patch, just as many businesses have not patched, even though attackers have been actively exploiting this vulnerability for months now. A human being lost their life because a criminal successfully attacked this hospital, but it was an attack that could have been prevented - making this story even more tragic. To be very clear, I blame the attackers for the death of this patient and no one else. They decided to launch an attack that they knew would take systems offline, and they must face the consequences of that action. The hospital could have prevented *this* attack, and this makes the incident even more horrible, but does not absolve the criminals who launched the ransomware in any way, shape, or form. They caused the death of a human being, and no laxity in patching can ever wipe away that crime.
We have reached the point where ransomware is no longer a weapon of disruption and destruction of data only. These software tools are now, definitively, weapons just as deadly as any weapon in the physical world. We must all work to limit the potential for these attacks to succeed anywhere; because they could spread to critical services like hospitals and emergency services. Patches must be applied, fixes and workarounds must be put in place, systems must be updated and replaced when they reach end-of-life. Users must be trained to recognize threat behaviors, must be trained on how to safely use online services, must be willing to learn and become part of the solution no matter their title, their position, their level of technical expertise. We must also work with law enforcement any time a ransomware attack occurs to help them track down the perpetrators before they strike at vital infrastructure and put peoples' lives at risk.
This is no longer a theoretical discussion, someone has died due to the fallout of a ransomware attack. They must be the last such person to die because of this scourge of threat activity. Only vigilance, testing, and the cooperation of all employees - technical and non-technical alike - can keep this one death too many from becoming the first in a horrific line of lost lives.