German investigators blame Russian DoppelPaymer gang for deadly hospital attack

The German authorities' investigation into the recent attack on the Duesseldorf hospital points to the possible involvement of Russian hackers.

Last week, German authorities revealed that a cyber attack hit a major hospital in Duesseldorf, the Duesseldorf University Clinic, and a woman who needed urgent admission died after she had to be taken to another city for treatment.

“The Duesseldorf University Clinic’s systems have been disrupted since last Thursday,” stated the Associated Press.

The woman's treatment was delayed by an hour, which caused the patient's death.

Now, in an update to lawmakers shared this week, prosecutors revealed that the malware family that hit the German hospital was the infamous DoppelPaymer ransomware.

The same ransomware family has been involved in numerous attacks in recent months, including the security breach suffered early this month by UK research university Newcastle University.

DoppelPaymer ransomware has been active since June 2019. In November, the Microsoft Security Response Center (MSRC) warned customers about the DoppelPaymer ransomware and provided useful information on the threat.

Experts pointed out that the group behind the DoppelPaymer ransomware, “according to private security firms, is based in Russia.”

Investigators believe that the real target of the ransomware operators was the Heinrich Heine University in Duesseldorf, which is affiliated with the hospital.

The attack caused systems to crash gradually and paralyzed operations at the hospital; emergency patients were diverted to other facilities and surgical operations were postponed.

The hospital confirmed that there was no concrete ransom demand and reported that there are no indications that data is irretrievably lost.

The news agency dpa cited a report from North Rhine-Westphalia state’s justice minister that revealed the hospital was hit by a ransomware attack, which infected 30 servers on its network, and that an extortion note was found on one of the systems. The ransom note included details for contacting the attackers but did not name any sum.

Duesseldorf law enforcement contacted the ransomware gang and told them the hospital had been affected, endangering patients' lives. The ransomware operators then decided to withdraw the extortion attempt and provided a digital key to decrypt the data.

The justice minister’s report confirmed that the perpetrators are no longer reachable.

Pierluigi Paganini
