Ireland’s Health Service Executive Hit by a Ransomware Attack


Late last week, Ireland’s Health Service Executive (HSE) was struck by ransomware, causing the company to shut down its IT infrastructure (which included over 80,000 computers) on Friday. Ossian Smyth, the Green Party’s State Minister for Communications, described the attack as “perhaps the most serious cybercrime attack on the Irish State.”

He stated that the ransom would not be charged, just as it became clear that the HSE was not the only priority. By Sunday, it had been revealed that the Department of Health had also been targeted by the same group. “I think we’re very clear we’re not going to pay any ransom or engage in any of that sort of stuff,” Prime Minister Micheal Martin said.

The assault on HSE has yet to be revealed in full. So far, all that is known is that the attack was carried out by the Conti gang (Conti was discovered in the summer of last year), that they requested a ransom of about $20 million, and that they used a zero-day threat.

The second recorded assault on the Irish Department of Health is unknown. The department, on the other hand, has shut down its systems and is trying to restore them. The attackers left a ‘digital message’ (presumably the ransom demand) that links the attack to Conti.

Conti encrypts files and steals information. If the ransom is not paid, the stolen data is released. According to the gang, they have stolen over 700GB of data.

The HSE’s COO, Anne O’Connor, said on Sunday that radiology facilities around the country had been impacted, and that the radiation oncology programme for cancer patients had been disrupted.

Conti’s data, on the other hand, is thought to be more likely to be personal than clinical.

Ms. O’Connor said that the HSE had clean backups from which it could restore its servers, but that this would take time.

“Conti ransomware gang got files in HSE case,” the MalwareHunterTeam tweeted today. Then there were email exports between hospital workers and patients, and so on… Basically, they have everything…”

“People say bad stuff about the DarkSide ransomware gang,” they added in a separate tweet. Now, I’m not saying they’re decent people or something, but they’re a long way from Conti, who brags about stealing patients’ personal data and other information, then behaving like good ‘businessmen’ and demanding 19,999kk as ‘collateral.'”

The government is already urging the public to expect personal data to be released, given Conti’s credibility and Ireland’s public assurance that it will not pay a ransom. Although the HSE has not acknowledged the loss of personal data, Ossian Smyth believes it is inevitable. He told the Irish Times that accessing such patient files would be “the first thing [hackers] would do before attempting to encrypt data or erase backups,” and that such information was normally sold on and later released, either by the hackers or by others.

“It wouldn’t surprise me if it was written at some stage in the future,” he said.

Sophos released an overview of the Conti ransomware in February 2021. The ransomware is distributed as part of a series of Cobalt Strike/meterpreter payloads that use reflective DLL injection techniques to drive the malware directly into memory, according to the study.

“The attackers eradicate a critical Achilles’ heel that concerns most other ransomware families: there is no artefact of the ransomware left behind for even the most vigilant malware researcher to discover and analyse since the reflective loaders deliver the ransomware payload into memory, never writing the ransomware binary to the infected computer’s file system.”

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, She was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.