The Aachener Zeitung newspaper carried a report from the German Press Association (DPA) that Doppelpaymer’s eponymous ransomware had been introduced to the University Hospital Düsseldorf’s network through a vulnerable Citrix product. The Federal Office for Information Security’s (BSI) report (in German), which specifically links the attack on Düsseldorf University Hospital to CVE-2019-19781,
“(BSI) announced last week that the corresponding security gap in Citrix software had been known since the turn of the year. This was a loophole in the Citrix VPN software known as ‘Shitrix’ (CVE-2019-19781),” reported Heise, suggesting that once the loader had been planted on the network, the ransomware gang then opened a backdoor through a non-Citrix route before deploying the actual malware months later.
What to do?
Readers who have Citrix in the cupboard are strongly recommended to check if they have an afflicted version of Citrix’s Application Delivery Controller, Citrix Gateway, or Citrix SD-WAN WANOP appliance and to patch as soon as possible.
Ransomware reality check: All IT departments need a security plan, starting with a strong data backup policy
What can you do when this happens to you?
A few ransomware groups claim to avoid – or, at least, attempt to avoid – hitting hospitals and say they will provide a decryptor should their aim ever be off. Unfortunately, however, even with that decryptor, recovering systems is not a speedy process and a hospital may not be able to fully return to normal operations for quite some time – and that’s the time during which people could die.
The Doppelpaymer gang has previously targeted defense and aerospace companies’ supply chains. They are said to have links to Russia, though appear to be a private operation holding vital data to ransom in search of a profit, rather than a state-backed nasty.