
Small virus – big effect
Virus e-mail paralyzes IT at Fürstenfeldbruck Hospital for over a week
At the beginning of November, an e-mail with an alleged invoice in the attachment temporarily rendered 450 computers of the Fürstenfeldbruck Clinic unusable [1]. Removing the malware took over a week.
Patients lost to neighboring hospitals
For capacity reasons, the hospital had to deregister from the integrated dispatch center. Meanwhile, patients and treatments were recorded on paper and doctors’ letters were written by hand. The economic consequences are not yet foreseeable, but are likely to be painful in view of the already minimal surplus [2].
The cause is an Office file with macros
The suspected source of infection is an e-mail-borne trojan of the Emotet family [3]: it poses as an invoice and tricks the victim into believing that clicking “Enable content” after opening the attachment is necessary. This runs a macro, which can then download and execute further malware.
For the infection to succeed, the recipient’s cooperation is required. In flawless German and from supposedly trustworthy senders (telecom providers, business partners), the recipient is told a story of invoice corrections due to incorrect VAT. In this way the human recipient is “infected” first, so that the computer virus can then spread.
Virus protection ineffective
We know from our own experience that classic anti-virus products are ineffective against such attacks, which is why, as a precaution, we adjusted our filter policy back in spring 2016 to block Office files with macros. Since then we have continued to refine this filtering. In addition, SecuMail implements all the recommendations of the German Federal Office for Information Security (BSI) [4] that can be implemented by an external filter solution.
SecuMail prevents
Unlike anti-virus programs, which must first recognize a file as known-malicious before they act, SecuMail thinks and acts more like a firewall:
- SecuMail immediately forwards e-mails with common and harmless attachments
- Files that could contain malware are retained, the recipient is informed
- Withheld e-mails can be released by colleagues in IT
This four-eyes principle ensures that dubious files are not opened naïvely. Experience has shown that merely delivering the notification “potentially dangerous e-mail withheld” is enough to sensitize the recipient and prompt them to question the authenticity and plausibility of the e-mail.
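As an added illustration of the filter rule described above (example code written for this article, not SecuMail’s own implementation, whose actual rules are not published here), the following Python sketch forwards harmless attachments and retains Office files that could carry a macro. The extension list, the constructed sample documents and the decision to hold back every legacy OLE2 file are assumptions of the example.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Illustrative list of Office formats the rule inspects (assumption, not a product setting).
OFFICE_EXTENSIONS = {".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm", ".ppt", ".pptx", ".pptm"}
# Formats whose extension already announces macro support.
MACRO_ENABLED_EXTENSIONS = {".docm", ".xlsm", ".pptm"}
# Legacy binary Office files (OLE2 compound documents) start with this signature.
# Checking them for VBA needs a full OLE parser, so the conservative rule retains them all.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def ooxml_has_macro(data: bytes) -> bool:
    """True if an OOXML (zip-based) document ships a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(PurePosixPath(n).name.lower() == "vbaproject.bin" for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a zip container, so no OOXML macro part to find


def triage_attachment(filename: str, data: bytes) -> str:
    """Decide 'forward' (deliver immediately) or 'retain' (hold for IT release)."""
    ext = PurePosixPath(filename.lower()).suffix
    if ext not in OFFICE_EXTENSIONS:
        return "forward"
    if data.startswith(OLE2_MAGIC):
        return "retain"  # legacy .doc/.xls: macros cannot be ruled out cheaply
    if ext in MACRO_ENABLED_EXTENSIONS:
        return "retain"
    # Content is checked as well, so a macro document renamed to .docx or .doc is still held.
    return "retain" if ooxml_has_macro(data) else "forward"


def build_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for the demo (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder VBA part
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("invoice.pdf", b"%PDF-1.4"), ("invoice.docx", build_docx(False)),
                       ("invoice.docx", build_docx(True)), ("invoice.doc", build_docx(True))]:
        print(f"{name}: {triage_attachment(name, blob)}")
```

Archives (e.g. a macro document inside a zip) are outside this sketch; a production filter would unpack them first.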
[1] https://www.br.de/nachrichten/bayern/fuerstenfeldbruck-computerausfall-im-klinikum,R9THGbV
[3] https://www.heise.de/security/meldung/Trojaner-Achtung-bei-angeblichen-Rechnungen-4219043.html
[4] https://www.allianz-fuer-cybersicherheit.de/ACS/DE/Micro/E-Mailsicherheit/emotet.html