Icon: enlarge
Ransomware victim University Hospital Düsseldorf
Photo: Roland Weihrauch / dpa
A year ago it was only a subordinate clause, now it is an explicit warning: Ransomware is not only a serious risk for companies, but also for public institutions such as hospitals and educational institutions.
In the situation report published on Tuesday by the Federal Office for Information Security (BSI), two examples are highlighted separately: Hospitals in Rhineland-Palatinate and Saarland were "significantly impaired in their supply performance" by an encryption Trojan at their joint IT service provider in the report.
A university's network, including its backup servers, was so thoroughly infected with the Clop ransomware that the university decided to pay the requested ransom of 30 Bitcoin - because "it was to be assumed, for example, that research results would be irretrievably lost ".
At the time, 30 Bitcoin was equivalent to around 200,000 euros.
The university concerned is not named in the BSI report, which relates to the period between June 2019 and May 2020, but all information matches the incident at Maastricht University, which publicly admitted the incident.
Damage caused by ransomware can be "existence-threatening"
The BSI recommends "in principle not to pay a ransom in order not to support the 'business model' ransomware and not to motivate further attacks on other targets".
At the same time, the authority emphasizes that the damage caused by ransomware can be "existence-threatening": "The total damage incurred to the companies and institutions concerned is also usually much greater than any ransom that may have been paid, as an IT failure in addition to the sometimes considerable Costs to clean up and restore systems incur different additional costs. "
Adam Meyers of the IT security company CrowdStrike said in an interview with SPIEGEL: "The ransomware activities are absolutely out of control. We are seeing a dramatic increase month after month this year. Health care providers and pharmaceutical companies are regularly attacked".
At the beginning of the year, two ransomware groups had promised to spare medical facilities during the corona pandemic, but Meyers says: "They know that hospitals are more likely and faster than other victims to pay because they have to ensure the care of patients".
Lack of awareness at management level
The BSI urges the health sector to do better prevention - also because the "business model" of ransomware has changed.
Some ransomware groups have started not only to encrypt the victim's data, but also to copy it beforehand and threaten to publish it.
It is a response to improved data protection strategies that ensure systems can be quickly restarted after a ransomware attack.
The BSI therefore recommends, among other things, "a systematic, rule-based monitoring of data transfer".
In this way, "the outflow of unusually large amounts of data can be recognized and prevented at an early stage".
In addition, the authority advises to keep the number of externally accessible systems and authorized persons to a minimum and to segment networks in order to slow down the spread after a successful attack.
According to their findings, the reality looks different, especially in the area of health care: Although many operators would implement technical IT security measures, "in the implementation of organizational IT security measures, however, there is still room for improvement" due to the lack of awareness of the management level with regard to the IT security ".
The hospitals in Rhineland-Palatinate and Saarland were by no means an isolated case.
This was recently proven by the ransomware attack on the Düsseldorf University Hospital.
No area of critical infrastructures sent more reports to the BSI in the reporting period than the health sector.
Most of the reports referred to "a technical failure", but reports about cyber attacks follow in second place.
Icon: The mirror