In search of patient 0

New threat scenarios, increasingly perfidious attack methods and highly professional, globally active perpetrators are becoming an ever-increasing problem in the digital space. Attacks on critical infrastructure in particular, such as hospitals, require immediate action.

In the last five years, the total number of cybercrime cases has almost doubled. During this period, the number of foreign attacks has more than tripled. Attacks from abroad are a particular challenge for the police, as they are regularly accompanied by high investigative hurdles, such as international requests for mutual legal assistance.

Crime no longer only takes place on the street or in physical spaces - many crimes have shifted to the digital space: organized crime, child abuse or politically motivated crimes. This not only requires investigators to have a high level of IT expertise, but also to be able to handle the huge amounts of data that need to be analyzed.

The perpetrators are becoming increasingly professional in their approach. Cybercrime-as-a-service, i.e. the possibility of obtaining cybercrime as a service, makes it possible for even technically inexperienced criminals to carry out attacks. Politically motivated cyber attacks, sometimes tolerated or supported by foreign states, also blur the boundaries between political orientation and economic enrichment.

Racing against time - protecting critical infrastructures

In this digital era, law enforcement agencies are faced with a constant race: they must develop and apply technologies that can keep pace with the rapid professionalization of the perpetrators.

"Every minute counts," says Dirk Sons, Head of AI Cybercrime in Düsseldorf. "In the first attack, it is important to find patient 0 - the first computer infected with a virus - in order to prevent further outages." The fight against the perpetrators and the software used begins.

In September 2020, Düsseldorf University Hospital was the target of a serious hacker attack. The hospital's IT systems were encrypted by ransomware, which led to massive restrictions. The emergency department had to be closed, resulting in the death of a patient. The Düsseldorf investigators contacted the hackers and warned them that human lives were in danger.

The incident clearly demonstrated the serious consequences that cyber attacks can have on critical infrastructure. The police reacted quickly at the time and managed the situation together with external IT specialists and authorities, reports Sons. Nevertheless, there was also room for improvement.

The police in North Rhine-Westphalia have been responding to the increase in digitalized crime since 2024 with six specialized "Cybercrime Criminal Investigation Units", which were formed in July. These units are based at the larger police headquarters and are intended to play a central role in the fight against cybercrime. The new inspections mean that competencies are now available that were previously only available at the State Office of Criminal Investigation or, in some cases, could not even be mapped within the police structure.

The criminal inspectorates bring together the various specialist skills under one roof and enable the police to react more quickly and independently to cyber attacks. They are designed to deal with complex cyber attacks more efficiently. Specialized teams that react immediately and take on all the necessary tasks themselves can respond to cyber attacks quickly and largely independently of external actors.

The "Digital Crime Scene" intervention teams, which recently began their work, are also part of the criminal investigation department. The teams are made up of IT specialists and secure crime scenes after cyber attacks.

In addition to the intervention teams, the new "Cybercrime Criminal Investigation Units" will bring together all other specialist services with their cybercrime expertise. The combined expertise, modern digital equipment and specialized units represent another important step in the fight against cyber criminals.

The teams consist of experts who contribute their knowledge in the areas of IT security, digital forensics and open source intelligence (OSINT). At the same time, the new structures ensure that the North Rhine-Westphalia police are able to adapt to the constantly changing digital landscape at all times. Dirk Sons makes it clear: "We want to win the race against time, successfully combat cybercrime and investigate perpetrators. Every minute gained that prevents further computers from being infected is a victory".