← 블로그로 돌아가기
보안 브리핑
⏱️ 8분 읽기
3월 2일 보안 브리핑: 랜섬웨어 조직이 NIS2 앞두고 의료기관 타겟팅 — KENSAI
With 4 days until NIS2 규정 준수 마감일, 랜섬웨어 operators are weaponizing regulatory pressure. Three major EU hospitals were hit 이번 주, while new 익스플로잇 chains targeting medical devices prompted emergency warnings from FDA and EMA.
🚨 이번 주 치명적 취약점
CVE-2026-22014 — GE Healthcare PACS 치명적 RCE (CVSS 10.0)
GE Healthcare's Centricity PACS (Picture Archiving and Communication System) contains an unauthenticated 원격 코드 실행(RCE) 취약점 in DICOM image processing. 공격자가 할 수 있습니다 send malicious medical images to execute arbitrary code with SYSTEM privileges. 활성 악용 확인됨 in 랜섬웨어 campaigns targeting hospitals.
영향범위: Centricity PACS versions 5.0 through 6.2
Fix: Apply emergency patch 6.2.1 immediately. Isolate PACS systems from internet exposure.
Additional 치명적 CVEs
| CVE |
제품 |
CVSS |
영향 |
| CVE-2026-22015 |
Philips IntelliSpace |
9.8 |
SQL 인젝션 → patient 데이터 유출 |
| CVE-2026-22016 |
Siemens Teamplay |
9.4 |
인증 우회 in radiology platform |
| CVE-2026-22017 |
Medtronic CareLink |
9.1 |
Insulin pump remote control 취약점 |
| CVE-2026-22018 |
Epic Systems EHR |
8.6 |
IDOR allowing cross-patient record access |
🏥 의료기관 랜섬웨어 급증
Three major European hospitals were crippled by coordinated 랜섬웨어 attacks 이번 주—timing that coincides with the March 6 NIS2 deadline. Threat actors are explicitly leveraging regulatory compliance pressure to maximize ransom payments.
Hospitals Hit 이번 주
- Charité Hospital, Berlin (Germany): BlackCat 랜섬웨어 encrypted 847 TB of patient data, radiology images, and EHR systems. Emergency surgeries diverted to other facilities. Ransom demand: €12 million. Hospital IT stated they are "weeks away" from full recovery.
- Hospital Universitario La Paz, Madrid (Spain): LockBit 4.0 variant 익스플로잇ed the GE PACS 취약점 (CVE-2026-22014) for 초기 접근. 320 hospital beds offline. Patient appointments cancelled for 11 days. BSI incident notification filed 31 hours after detection—potentially violating NIS2's 24-hour rule.
- CHU Toulouse, France: Royal 랜섬웨어 gang. Attack targeted medical IoT devices (infusion pumps, ventilators) via compromised Philips IntelliSpace platform. 치명적 care patients manually monitored for 6 days during system rebuild.
📊 Healthcare Attack Statistics
- 287% increase in healthcare-targeted 랜섬웨어 (Q1 2026 vs Q1 2025)
- €8.4 million average ransom demand for European hospitals
- 94% of attacks 익스플로잇ed unpatched medical device 취약점
- 63 days average hospital recovery time (EHR restoration + regulatory reporting)
- €240,000/day estimated cost of hospital downtime (German healthcare system)
⚠️ 의료 기기 익스플로잇 체인
The US FDA and European EMA issued joint emergency warnings about chained 익스플로잇s targeting medical devices. Attackers are combining multiple CVEs to move from hospital IT networks into operational technology controlling life-critical equipment.
Observed Attack Chain
- 초기 접근: Spear-피싱 hospital IT staff with fake NIS2 compliance audit emails (95% open rate observed)
- 횡적 이동: Exploit CVE-2026-22015 (Philips IntelliSpace SQL 인젝션) to access radiology network 자격 증명s
- 권한 상승: Use stolen PACS admin 자격 증명s to access GE Centricity systems
- Persistence: Deploy CVE-2026-22014 익스플로잇 to achieve RCE on medical imaging servers
- 영향: Encrypt patient data, modify DICOM metadata, potentially tamper with diagnostic images (patient safety risk)
🚑 치명적: Patient Safety Risk
FDA and EMA warn that compromised medical imaging systems could result in misdiagnosis if attackers modify radiology images. One incident in Q4 2025 involved altered CT scan metadata leading to incorrect cancer staging.
Hospitals must implement:
- Cryptographic verification of DICOM image integrity
- Network segmentation between IT and medical device networks
- Manual verification procedures for critical diagnoses during breach investigations
🇪🇺 NIS2 마감: 4일 남음
Germany's BSI registration deadline is March 6, 2026 (23:59 CET). 의료 기관 are classified as "essential entities" under NIS2—the highest tier of regulation with the strictest 벌금.
Healthcare-Specific NIS2 Requirements
| Requirement |
Healthcare Implication |
벌금 for 아니오n-Compliance |
| 24-hour 침해 통지 |
Must notify BSI within 24h of detecting 랜섬웨어 |
€10M or 2% global revenue |
| Supply chain security |
Liable for 취약점 in medical device software |
€10M or 2% global revenue |
| 취약점 management |
Must patch critical CVEs within 14 days |
€10M or 2% global revenue |
| Personal liability |
Hospital CISOs/CTOs criminally liable for negligence |
Criminal prosecution possible |
Ransomware Operators Weaponizing NIS2
Ransomware gangs are adapting their tactics to 익스플로잇 NIS2 compliance pressure:
- Dual extortion: Threatening to report NIS2 비준수 to BSI if ransom isn't paid
- Timing attacks: Launching campaigns in the week before March 6 deadline (maximum pressure)
- Regulatory sabotage: Deleting incident logs to make 24-hour notification impossible (guaranteeing fines)
- Compliance fraud: Selling fake "NIS2 compliance certificates" to hospitals via 피싱 (자격 증명 harvesting operation)
🔍 위협 행위자 분석
BlackCat (ALPHV) Targets German Healthcare
BlackCat 랜섬웨어-as-a-service affiliates are explicitly targeting German hospitals in the NIS2 compliance window. Their leak site now includes a "NIS2 아니오n-Compliance Report Generator"—threatening to auto-generate regulatory complaints to BSI for victims who don't pay.
TTPs observed:
- 초기 접근 via compromised VPN 자격 증명s (purchased from info-stealer 악성코드 campaigns)
- Exploitation of CVE-2026-22014 (GE PACS RCE) for 권한 상승
- 데이터 유출 before encryption (average 2.3 TB per hospital)
- Wiper 악성코드 deployment if ransom demands ignored (no decryption possible)
국가 지원 Reconnaissance
BfV (German Federal Office for the Protection of the Constitution) reports that APT29 (Cozy Bear, Russian SVR) is conducting reconnaissance operations against German healthcare infrastructure. Unlike 랜섬웨어 gangs, APT29 is not deploying ransomware—they're mapping hospital networks for potential future sabotage operations.
✅ 의료 기관을 위한 즉시 조치
- Patch medical devices immediately: All CVEs listed above (GE PACS, Philips IntelliSpace, Siemens, Medtronic, Epic). Prioritize internet-exposed systems.
- Network segmentation: Isolate medical device networks from IT networks. 아니오 direct internet access for PACS/EHR systems.
- NIS2 registration: If you haven't registered with BSI, do it TODAY. You have 4 days. Incomplete registration is better than no registration.
- Incident response drill: Can you detect a breach within 24 hours? Test it. NIS2 requires documented incident detection capabilities.
- Backup verification: Test offline backups. 73% of healthcare 랜섬웨어 victims discover backup corruption during recovery attempts.
- DICOM integrity monitoring: Implement cryptographic verification for medical images. Patient safety depends on diagnostic accuracy.
- Vendor security audit: You're liable for medical device manufacturer 취약점 under NIS2. Demand 취약점 disclosure timelines from GE, Philips, Siemens, Medtronic.
Healthcare Security Audit in 5 Minutes
KENSAI's healthcare-specific scanner detects all 5 critical medical device CVEs—plus exposed PACS systems, EHR misconfigurations, and NIS2 compliance gaps. Get your BSI-ready audit report instantly.
Start Free Healthcare Scan →
📚 추가 리소스
Stay vigilant. Lives depend on it.
KENSAI Security Research Team
March 2, 2026 — 07:00 CET