Late last week, Ireland’s Health Service Executive (HSE) was struck by ransomware, forcing the organisation to shut down its IT infrastructure (which included over 80,000 computers) on Friday. Ossian Smyth, the Green Party’s State Minister for Communications, described the attack as “perhaps the most serious cybercrime attack on the Irish State.”
He stated that no ransom would be paid, even as it became clear that the HSE was not the only target. By Sunday, it had been revealed that the Department of Health had also been targeted by the same group. “I think we’re very clear we’re not going to pay any ransom or engage in any of that sort of stuff,” Prime Minister Micheal Martin said.
Full details of the attack on the HSE have yet to be revealed. So far, all that is known is that the attack was carried out by the Conti gang (Conti was first observed in the summer of last year), that they requested a ransom of about $20 million, and that they used a zero-day threat.
Little is known about the second recorded attack, on the Irish Department of Health. The department has, however, shut down its systems and is trying to restore them. The attackers left a ‘digital message’ (presumably the ransom demand) that links the attack to Conti.
Conti encrypts files and steals information. If the ransom is not paid, the stolen data is released. According to the gang, they have stolen over 700GB of data.
The HSE’s COO, Anne O’Connor, said on Sunday that radiology facilities around the country had been impacted, and that the radiation oncology programme for cancer patients had been disrupted.
The data Conti stole, however, is thought to be more likely personal than clinical.
Ms. O’Connor said that the HSE had clean backups from which it could restore its servers, but that this would take time.
Conti ransomware gang got files in HSE case, as you can see on the screenshots, then got email exports between hospital employees & patients, etc.
I have no idea how closely related HBS is to HSE, but they got files from there too.
Basically they have all kind of stuff…
— MalwareHunterTeam (@malwrhunterteam) May 17, 2021
“Conti ransomware gang got files in HSE case,” the MalwareHunterTeam tweeted today. “Then there were email exports between hospital workers and patients, and so on… Basically, they have everything…”
People say bad things about DarkSide ransomware gang.
Now, not saying they are great people or something, but they are nowhere near Conti, which is bragging about stealing patients’ personal data & etc, then acting as good “businessmen” & asking 19,999kk as “collateral”.
— MalwareHunterTeam (@malwrhunterteam) May 15, 2021
“People say bad stuff about the DarkSide ransomware gang,” they added in a separate tweet. “Now, I’m not saying they’re decent people or something, but they’re a long way from Conti, who brags about stealing patients’ personal data and other information, then behaving like good ‘businessmen’ and demanding 19,999kk as ‘collateral.’”
The government is already urging the public to expect personal data to be released, given that Conti’s threats are credible and that Ireland has publicly stated it will not pay a ransom. Although the HSE has not acknowledged the loss of personal data, Ossian Smyth believes it is inevitable. He told the Irish Times that accessing such patient files would be “the first thing [hackers] would do before attempting to encrypt data or erase backups,” and that such information was normally sold on and later released, either by the hackers or by others.
“It wouldn’t surprise me if it was written at some stage in the future,” he said.
Sophos released an overview of the Conti ransomware in February 2021. According to the report, the ransomware is delivered as part of a series of Cobalt Strike/meterpreter payloads that use reflective DLL injection to load the malware directly into memory.
“The attackers eradicate a critical Achilles’ heel that concerns most other ransomware families: there is no artefact of the ransomware left behind for even the most vigilant malware researcher to discover and analyse since the reflective loaders deliver the ransomware payload into memory, never writing the ransomware binary to the infected computer’s file system.”