Ransomware hits hospitals in a pandemic: a lesson for every security leader
In autumn 2020, several European hospitals were hit by ransomware attacks during the second wave of COVID-19. What this pattern tells us about operational risk.
In October 2020, several hospitals in Germany and other European countries were hit by ransomware attacks. In one case a hospital in Düsseldorf was forced to divert ambulances to other facilities after its systems failed. A patient died - the first officially documented death directly linked to a cyberattack.
Attacks on medical institutions during a pandemic are not random. They are calculated. A hospital in the middle of a COVID surge is under maximum pressure, has minimum time to respond, and is more willing to pay a ransom than in normal times.
This matters not only for healthcare organisations.
What this has in common with your organisation
The attack pattern works like this: attackers choose a moment of maximum stress for the victim. Companies in crisis, organisations in the middle of a merger, businesses in peak season - all of them are less attentive to security signals at that moment, have fewer resources to respond, and face a higher cost if operations stop.
If you shifted quickly to remote work in the spring, expanded your perimeter, or brought in contractors with system access, you probably did so under high load and without a full audit of what that opened up.
Why ransomware is effective right now
Three things converged in 2020.
Expanded perimeter. Remote work created new entry points - home networks, personal devices, hastily configured VPNs. Many of these did not go through a proper security review.
Cryptocurrency payments became the norm. The ransom payment mechanism - anonymous, cross-border, difficult to trace - works reliably. This lowered the risk for attackers and increased the frequency of attacks.
Operational pressure. Companies and institutions have been running in constant crisis mode since March. Staff fatigue is a real vulnerability factor.
What to do regardless of company size
Ransomware is not only a large-organisation problem. Small companies are attacked at the same rate - it just does not make the news.
A few concrete steps that reduce the risk:
Backups in an isolated environment. The main ransomware tactic is to encrypt not just data but also backups. Backups connected to the same network as the systems they protect are vulnerable. You need copies that are physically or logically isolated.
Network segmentation. Getting into one part of the network should not automatically grant access to everything else. If you do not have segmentation, that is the first conversation to have with your IT team.
Phishing recognition training. Most ransomware attacks begin with phishing. One click from one employee is enough. Training does not eliminate the risk entirely, but it reduces it.
An incident response plan. The moment of an attack is not the time to figure out who decides to take systems offline. That needs to be written down in advance.
Attacks during a crisis are not a new phenomenon. But 2020 has given us many concrete examples of what this looks like in practice. They are worth using.