May 6, 2020

Fresenius, Europe’s largest private hospital operator and a major provider of dialysis products and services that are in such high demand thanks to the COVID-19 pandemic, has been hit in a ransomware cyber attack on its technology systems. The company said the incident has limited some of its operations, but that patient care continues.

Based in Germany, the Fresenius Group includes four independent businesses: Fresenius Medical Care, a leading provider of care to those suffering from kidney failure; Fresenius Helios, Europe’s largest private hospital operator (according to the company’s Web site); Fresenius Kabi, which supplies pharmaceutical drugs and medical devices; and Fresenius Vamed, which manages healthcare facilities.

Overall, Fresenius employs nearly 300,000 people across more than 100 countries, and is ranked 258th on the Forbes Global 2000. The company provides products and services for dialysis, hospitals, and inpatient and outpatient care, with nearly 40 percent of the market share for dialysis in the United States. This is worrisome because COVID-19 causes many patients to experience kidney failure, which has led to a shortage of dialysis machines and supplies.

On Tuesday, a KrebsOnSecurity reader who asked to remain anonymous said a relative working for Fresenius Kabi’s U.S. operations reported that computers in his company’s building had been roped off, and that a cyber attack had affected every part of the company’s operations around the globe.

The reader said the apparent culprit was the Snake ransomware, a relatively new strain first detailed earlier this year that is being used to shake down large businesses, holding their IT systems and data hostage in exchange for payment in a digital currency such as bitcoin.

Fresenius spokesperson Matt Kuhn confirmed the company was struggling with a computer virus outbreak.

“I can confirm that Fresenius’ IT security detected a computer virus on company computers,” Kuhn said in a written statement shared with KrebsOnSecurity. “As a precautionary measure in accordance with our security protocol drawn up for such cases, steps have been taken to prevent further spread. We have also informed the relevant investigating authorities and while some functions within the company are currently limited, patient care continues. Our IT experts are continuing to work on solving the problem as quickly as possible and ensuring that operations run as smoothly as possible.”

The assault on Fresenius comes amid increasingly targeted attacks against healthcare providers on the front lines of responding to the COVID-19 pandemic. In April, the international police organization INTERPOL warned it “has detected a significant increase in the number of attempted ransomware attacks against key organizations and infrastructure engaged in the virus response. Cybercriminals are using ransomware to hold hospitals and medical services digitally hostage, preventing them from accessing vital files and systems until a ransom is paid.

On Tuesday, the Department of Homeland Security‘s Cybersecurity and Infrastructure Security Agency (CISA) issued an alert along with the U.K.’s National Cyber Security Centre warning that so-called “advanced persistent threat” groups — state-sponsored hacking teams — are actively targeting organizations involved in both national and international COVID-19 responses.

“APT actors frequently target organizations in order to collect bulk personal information, intellectual property, and intelligence that aligns with national priorities,” the alert reads. “The pandemic has likely raised additional interest for APT actors to gather information related to COVID-19. For example, actors may seek to obtain intelligence on national and international healthcare policy, or acquire sensitive data on COVID-19-related research.”

Once considered by many to be isolated extortion attacks, ransomware infestations have become de facto data breaches for many victim companies. That’s because some of the more active ransomware gangs have taken to downloading reams of data from targets before launching the ransomware inside their systems. Some or all of this data is then published on victim-shaming sites set up by the ransomware gangs as a way to pressure victim companies into paying up.

Security researchers say the Snake ransomware is somewhat unique in that it seeks to identify IT processes tied to enterprise management tools and large-scale industrial control systems (ICS), such as production and manufacturing networks.

While some ransomware groups targeting businesses have publicly pledged not to single out healthcare providers for the duration of the pandemic, attacks on medical care facilities have continued nonetheless. In late April, Parkview Medical Center in Pueblo, Colo. was hit in a ransomware attack that reportedly rendered inoperable the hospital’s system for storing patient information.

Fresenius declined to answer questions about specifics of the attack, saying it does not provide detailed information or comments on IT security matters. It remains unclear whether the company will pay a ransom demand to recover from the infection. But if it does so, it may not be the first time: According to my reader source, Fresenius paid $1.5 million to resolve a previous ransomware infection.

“This new attack is on a far greater scale, though,” the reader said.

Update, May 7, 11:44 a.m. ET: Lawrence Abrams over at Bleeping Computer says the attack on Fresenius appears to be part of a larger campaign by the Snake ransomware crooks that kicked into high gear over the past few days. The report notes that Snake also siphons unencrypted files before encrypting computers on a network, and that victims are given roughly 48 hours to pay up or see their internal files posted online for all to access.


38 thoughts on “Europe’s Largest Private Hospital Operator Fresenius Hit by Ransomware

  1. George1421

    The penalty for this should be manslaughter. Just because yo are at a keyboard and not in the patient room doesn’t make a difference.

    1. David

      Manslaughter applies only when conditions exist that the perpetrator did not knowingly endanger life. These creeps do what they do precisely because, by putting lives in danger, they increase the immediacy of their threats. So, murder. We will not limit such activity until everybody, not a few somebodies, begins to understand the seriousness of the issue, and stops blaming victims of criminals for the damage the criminals inflict on individuals, companies and society. That, of course, would require a complete re-thinking of our attitudes towards the internet and, “privacy.” Just as most people no longer need to live behind castle walls and moats to feel more or less secure in our lives, it is long past time where we stopped blaming people with computers for not, “securing,” themselves adequately against state of the art attacks. The attackers, not the victims, are the problem. The very first place long owed taxation on internet companies, including providers, should be expended is on programs, people and governments aimed at apprehending and seriously punishing the criminals involved. Instead, we denounce the victims, and even celebrate the skills of the criminals. Until we add some serious risk for those who commit the crimes, we are condoning their actions.

      1. Kat

        Knowingly messing with the major provider of dialysis which must be done on a regular basis is more than just manslaughter.

        Those responsible need to be as they say fucked up bigtime

      2. Benny Calvo

        Yeah, all the world governments should place the death penalty for all cyber crimes against humanity.

        1. admin user

          that would be instantly abused by the authorities.

  2. BubbaHoTep

    There is not enough of a deterrent for ransomware and other destructive attacks. The risk vs reward is heavily in favor of the criminals.

    Improve capabilities to tracking payments and apprehending the criminals. Make penalties much more punitive. Attacking critical infrastructure should be classified as terrorism. If physical harm is related to the attack, then assault, attempted murder, and/or murder charges should be on the table.

    1. Joe

      The ideals of “justice by deterrence” is pretty flawed and not practical in the real world.
      The biggest reason is jurisdiction. There is no punishment for the vast majority, because they’ll never get arrested, let alone extradited and prosecuted.
      No

      But even then… deterrence can only go so far. It is limited in its practical application, and effect on people.
      The chance of getting caught is low. So even the death penalty would not deter the majority of cybercriminals. Nor would threat of torture.

      Even if enforcement were to increase along with penalty, so that change of getting caught was much higher…. there are still limits on deterring criminality.
      If the rewards are high, it will be worth it for many many criminals. In the cyber world, there only needs to be a few hundred career criminals to account for a lot of crime. Its not like they need to show up in person.
      So deterrence, even if effective, only filters some of the people out of the criminal world… leaving fewer, but more profitable cyber criminals.

  3. 44th

    These criminals hide behind borders and bitcoin while attacking hospitals and the rest of us in the middle of a crisis. Just disgusting. The resources these victims spend on dealing with this could be much better spent on patient care.

  4. Reader123

    How low of a scum-bag do you have to be, to be targeting hospitals / healthcare system at this time? I mean I know attackers could go to any level for financial benefits but this is definitely lower than I imagined.

    1. Joe

      Hate to say it… but there is a conspiracy theory being floated by conservative groups, at least in the US… that hospitals are lying about COVID-19 to get more money.

      Even without any merit, these conspiracy theories are irresistible to cyber criminals who eat them up to justify their actions. They merely tell themselves that these are just greedy corporations.

  5. The Sunshine State

    Another great, informative article !

  6. Mikey Doesn't Like It

    I share everyone’s anger; the people behind these attacks are terrorists and should be treated as such.

    But sadly, most comments here seem ignorant of the realities we must face…

    1. Most perpetrators are located in countries that would never extradite anyone to the U.S., treaty or not. We have no way at all to deal (appropriately with those criminals.)

    1a. Likewise, a handful of equally uncooperative countries host banks that serve as money laundering mules. They, too, hinder our ability to track (let alone recover) funds lost to ransomware, BEC, etc.

    2. Ransom payments are now all done via Bitcoin — criminals’ best friend. It’s almost impossible to trace where that money winds up, and once it’s been paid, it’s gone. You know the rest.

    Authorities at all levels (both here and in many other good countries) would LOVE to arrest, punish and recover, as comments here suggest. But given the above limitations, the odds are all stacked in favor of the criminals.

    BUT…

    There IS one thing we can do now that could sharply reduce the success rates of ransomware, BEC, etc. And that is to SERIOUSLY improve how we educate employees (and even private users) about “safe computing.”

    Yes, there are companies that produce all sorts of videos, posters, etc., to “educate” employees. But they’re only one limited step. Organizations that have produced their own CREATIVE, LONG-TERM programs have had much more success in minimizing their risk because their people not only “get it,” but they receive enough “reminders” (and support) that the risk levels are much, much lower.

    We have to make a realistic start somewhere — and until we’re able to address points 1-2 above, that’s the best way to do it.

    1. Ricky

      Sorry your wrong. Shut down the money path BITCOIN. Then trace the perps and shoot them on Pay Per View. This would be a start of a strong deterrent. Might even STOP this crap. .

      1. Joe

        No Ricky, you are wrong. You don’t understand how any of this works. Specifically, how cryptocurrencies work or how criminals work.

        BTC is one of many… shut it down, and another takes its place in milliseconds. Many have already switched to coins such as Monero. There are infinite possible cryptocurrencies that have built in privacy features to which criminals will simply switch.

        Deterrence has ZERO effect on the cyber criminals who know they won’t be caught. For them, it is as simple as following the cardinal rule, don’t hack in a country that would extradite. Duh. That’s why deterrence is only limited by jurisdiction…. and even the highest of penalties result in selecting out cyber criminals in some places, and concentrating them in places like Russia.

    2. admin user

      the irony is, the state security apparatus (NSA / five eyes etc) know exactly who / where these people are.

      if US citizens got their money’s worth from government spying, the least the spies could do is track down those perpetrators of ransomware.

      after all, five eyes originally wrote the malware to begin with.

      and maybe provide a service where, when when we accidentally delete our data or lose passwords, 5eyes restore our data from their servers in the nevada desert…

      those who trade liberty for security deserve something besides snoopy webcams.

    3. Lee Curmudgeon

      Who says governments have to act “appropriately with those criminals”?

      After all they are enemies.

      They can be dealt with “inappropriately”, i.e. targeted like Iranian general Qassem Suleimani.

      Just dealt with in a less obvious manner than a drone.

      1. Joe

        Rule of law, war crimes, Geneva convention, Due Process,…. take your pick.

        It’s easy to say that these guys don’t deserve a day in court… until the minor laws you bend or break also become draconian.
        Most people don’t read laws and statutes to know… but there is no such thing as a perfectly law abiding citizen. Check your local law, you’re breaking something.

        And if you suspend due process of law for more serious felonies… can you really trust the system to keep your rights after you’ve forfeited some of them.

  7. Kevin

    Parkview Medial Center should be “Medical”

  8. Wayne

    What happened to that “cybercriminals pledge to not attack hospitals with ransomware during pandemic” article from a couple months ago?

    Wait, you mean criminals aren’t trustworthy and don’t stick to their word? Or was that pledge only valid in the USA?

    Color me shocked.

  9. CyberWar311312

    The partial solution to Ransomware is:

    BAN THE USE OF CYBERCURRENCY and or
    make all use TRANSPARENT and the Laundering of it

    1. Joe

      Who would ban it?
      Unless there is a world government with absolute unlimited jurisdiction… its not possible. It takes seconds to move money to other jurisdictions where they won’t ban it.
      These cyber criminals are not using crypto exchanges in the US… they go to where it is still easy and legal, and will always be easy and legal.

  10. Cryptofanatic

    Btc Price ise a about to Go to Moon soon!
    Every time When ransome attacks occured then few Weeks After btc Will Go to Up!

    1. Joe

      Actually, the opposite.

      After major crime that uses cryptocurrency, governments and banks increase scrutiny, and the price of BTC goes DOWN.

      SELL, SELL, SELL!

  11. Louis Leahy

    These cyber criminals no doubt consider themselves as cyber warriors as justification for their actions one wonders if in taking such great risks to ply their trade whether they realise these are war crimes under international law and they could be subject to extradition from most jurisdictions to face a permanent life in jail and in some places (not that I agree with it) they could be subject to the death penalty. Some countries that have abolished the death penalty have retained it for war crimes. In most jurisdictions there is no time limit on criminal acts and these are the most egregious in cyberwar and in all likelihood they will be pursued as Journalist like Krebs continue to draw attention to these shocking attacks on critical health systems.

    1. DelilahTheSober

      I actually emailed the White House a few weeks ago suggesting that it was time to reconsider changing the existing Federal laws that put a 5- year statue of limitations on bank robbery. (This is what happens when people like me get sent home to wait out the coronavirus. I’ve been bingewatching an FBI documentary series on Netflix and I was fascinated to learn that this kind of a statue of limitations existed.)

      1. Joe

        Even with federal statute of limitations… the state laws will get them anyway. Also, it is rare that a person would only get charged with one felony…. the federal prosecutors are pretty good at tacking on several charges. Like tax evasion on that stolen money. It’s pretty funny actually… as evading authorities for 5 years has its own criminal penalties, so much so that running out the clock for the statute of limitations does not really have a benefit for the criminal.

  12. chanC4

    hey acorn, can u comment further on what I see on your link? thnx

    1. acorn

      It’s a record of file communications detected outside the FRESENIUS MEDICAL CARE HOLDINGS, INC network that are communicating, to some extent, with a network address of the organization. It’s detected as Emotet malware–which goes by various additional alias names. Another source lists the network address is a mail exchanger of the organization, a common entry point for ransomware.
      Detected on the dates of:
      2019-09-13
      2019-10-07
      2019-08-22
      2019-10-06
      2019-12-24

  13. JCitzen

    I don’t care if they have to nuke these bastards from space. This is way worse than Pearl Harbor and 911 put together. The egregious nature of it is just TOO compelling!!

    1. Joe

      Is that why we have a space force now?

      Nah, as bad as this is, 9/11 and Pearl Harbor are on another level. Yeah, I suppose the act of targeting hospitals brings shows an extra bit of evil since they are more vulnerable. But the scope isn’t the same, as the number of possible/intended casualties aren’t nearly as much.

      1. Jonathon

        Pearl Harbor Casualties: 2,335
        9/11 Casualties: 2,996
        Total: 5,331

        Fresenius Helios, which runs hospitals, cares for 4 million patients annually. If we use just a three-month sample of that, we get a million patients. Generally speaking, Covid-19 kills about 1% of the people it infects, there could be 10,000 potential deaths in Fresenius hospitals from Covid-19 alone. Of course, the number could be higher, as people in hospitals are generally going to be more susceptible to secondary infections….

        The basic number of 10,000 potential deaths makes this cyberattack roughly 50% more potentially devastating than 9/11 and Pearl Harbor combined, if we are merely talking about the number of dead people. The spokesman said that patient care continues, but Brian’s anonymous source says that “a cyber attack had affected every part of the company’s operations around the globe.”

        1. Joe

          That is very weird math that makes a lot of assumption.

          To be equally fair to the comparison, the potential deaths in 9/11 and Pearl Harbor… would be millions. Because given your same broad criteria of “potential”, you would have to include the entire population of Oahu and Manhattan.

          Your math, is NOT how you do statistics. Not every patient will die if the IT systems go offline. That’s absurd. In reality very few would.

          Not saying this ransomware crime isn’t egregious, but really… comparing to 9/11 and Pearl Harbor is pretty hyperbolic.

Comments are closed.