Attack on Life-Critical Systems

On September 18, 2020 at 08:55, Universitätsklinikum Düsseldorf fell victim to one of the most severe cyberattacks on hospitals in the world. Hacker group Evil Corp executed a targeted ransomware attack that completely paralyzed the hospital's IT systems within minutes.

The attackers had gained access through phishing emails and introduced Ryuk ransomware into the hospital's network. Electronic patient records, communication systems, and critical control systems all failed simultaneously. The hospital was forced to revert to paper-based procedures and manual emergency protocols. Hospital Director Simone Kehler later stated: "The attack disrupted life-critical processes and forced us to operate on paper."

A Tragic Delay

Just two hours after the attack began—around 10:29—the situation turned deadly. A 75-year-old woman in critical condition with multiple organ failure desperately needed intensive medical treatment. Normally, she would have been treated at Universitätsklinikum Düsseldorf, but the hospital's IT failure made it impossible to admit emergency patients.

The planned helicopter transfer to Cologne University Hospital, approximately 40 kilometers away, could not be coordinated due to the system outage. Instead, the patient was transported by ambulance to the hospital in Wuppertal, 25 kilometers away. The additional delay and longer transport distance proved fatal for the severely ill woman. She died on September 19, 2020, during transport or shortly after arriving at Wuppertal—becoming the first documented death globally caused by a ransomware attack.

Investigation into Evil Corp

The Düsseldorf State Prosecutor's Office launched a comprehensive investigation under case number 147 UJs 304/20. In cooperation with the German Federal Criminal Police (BKA), hacker group Evil Corp was identified as the perpetrator. The group is led by Russian national Maksim Yakubets, born 1987, known by the hacker alias "Aqua." He had been on the FBI's wanted list since December 2019.

North Rhine-Westphalia's Interior Minister Herbert Reul characterized the attack as "an attack on human life" during a press conference on September 23, 2020. He described it as "the first globally documented death from ransomware"—an assessment later confirmed by Europol in their IOCTA report 2021.

Despite intensive international investigations, no convictions were secured in Germany until 2026. The US imposed sanctions on Yakubets in December 2020 and offered a five million USD reward for information leading to his arrest. Europol launched Operation Gold Dust in 2022, a coordinated campaign against Evil Corp.

Global Consequences for Critical Infrastructure

The Universitätsklinikum Düsseldorf case marked a turning point in cybersecurity awareness within healthcare. The hospital's IT systems remained offline for 11 days—an unprecedented outage for an institution of its size.

North Rhine-Westphalia established a Cybersecurity Center for Healthcare in 2021 to better protect clinics. At the European level, the case accelerated legislation. The EU's NIS2 Directive from 2022, implemented in Germany in 2024, now classifies hospitals as "critical entities" with mandatory incident reporting within 24 hours.

The Federal Office for Information Security (BSI) also strengthened its KRITIS regulations in 2021, significantly increasing protection requirements. Internationally, the WHO responded in 2021 with guidelines for cyber resilience in healthcare, while the US Cybersecurity and Infrastructure Security Agency (CISA) launched their StopRansomware initiative.

The death of the 75-year-old woman became a symbol of cybercrime's real and deadly consequences. What was previously considered purely digital crime had now, for the first time, demonstrably cost a human life—a dark milestone that fundamentally changed the world's view of digital security in life-critical institutions.