Ireland’s Health Service Executive (HSE) was hit by a ransomware attack late last week, forcing the organization to shut down its IT systems (reportedly more than 80,000 computers) on Friday. Green Party Minister of State for Communications Ossian Smyth said the attack was “possibly the most significant cybercrime attack on the Irish State”.
He said the ransom would not be paid, just as it emerged that HSE may not have been the only target. By Sunday it was learned that the Department of Health had also been attacked by what was assumed to be the same gang. Prime Minister Micheal Martin said, “I think we’re very clear we’re not going to be paying any ransom or engaging in any of that sort of stuff, so we’re very clear on that.”
Details of the attack on HSE have not yet been disclosed. All that has been suggested so far is that the attack was carried out by the Conti gang (Conti first came to light in the summer of last year), that a ransom of around $20 million was demanded, and that the intrusion is thought to have involved a zero-day exploit.
Little is known about the second reported attack on the Irish Department of Health. However, the department has shut down its systems and is working on recovery. A ‘digital note’ (presumably the ransom demand) was left by the attackers and ties the attack to Conti.
Conti both encrypts files and steals data before encrypting them, the double-extortion model: if the ransom is not paid, the stolen data is leaked. The gang claims to have stolen over 700GB of data.
Anne O’Connor, COO at the HSE, said on Sunday that radiology services had been affected across the country and that the radiation oncology system for patients with cancer has been compromised.
However, it is believed that any data stolen by Conti is more likely to be personal than clinical.
Ms O’Connor explained that the HSE had clean backups from which it could rebuild its servers, but that this would take time.
The MalwareHunterTeam tweeted today, “Conti ransomware gang got files in HSE case… then got email exports between hospitals employees & patients, etc… Basically they have all kind of stuff…” In a separate tweet, they commented, “People say bad things about DarkSide ransomware gang. Now, not saying they are great people or something, but they are nowhere from Conti that is bragging about stealing patients’ personal data & etc, then acting as good ‘businessmen’ & asking 19,999kk as ‘collateral’.”
With Conti’s reputation preceding them, and with Ireland’s public confirmation that it will pay no ransom, the government is already warning the public to expect personal data to be published. While HSE has not yet confirmed the loss of personal data, Ossian Smyth said it should be expected. He told the Irish Times that accessing such patient files would be “the first thing [hackers] would do before trying to encrypt data or delete backups”, and that usually such information was sold on, and later released either by the hackers or other parties.
He added, “It wouldn’t surprise me if it was published at some point in the future.”
In February 2021, Sophos published an analysis of the Conti ransomware. It found that the ransomware is delivered as the final stage of a chain of Cobalt Strike and Meterpreter payloads, which use reflective DLL injection to load the malware directly into process memory rather than from a file on disk.
“Because the reflective loaders deliver the ransomware payload into memory, never writing the ransomware binary to the infected computer’s file system, the attackers eliminate a critical Achilles’ heel that affects most other ransomware families: There is no artifact of the ransomware left behind for even a diligent malware analyst to discover and study.”
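The absence of an on-disk binary does not mean there is no artifact at all: a reflectively loaded DLL still occupies a block of private, executable memory that no file on disk backs, which is exactly what memory-forensics tools look for. The script below is an added illustration of that heuristic and is not code from Sophos, from the HSE, or from any tool mentioned in this article. It operates on constructed, hypothetical memory-region records shaped like the output of a Windows VirtualQueryEx walk (a `Region` type and the sample list are assumptions made for the example), flags executable private regions that carry a PE header, and separately flags executable-and-writable private regions with no header, since reflective loaders such as the one Cobalt Strike uses can wipe the MZ/PE header after loading.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical record for one committed memory region, modelled on the
# fields a VirtualQueryEx walk (or a memory-image parser) would give us.
@dataclass
class Region:
    base: int
    size: int
    protect: str            # e.g. "PAGE_EXECUTE_READWRITE"
    mem_type: str           # "MEM_IMAGE", "MEM_MAPPED" or "MEM_PRIVATE"
    mapped_file: Optional[str]  # backing file for MEM_IMAGE/MEM_MAPPED, else None
    head: bytes             # first bytes of the region, read from memory

EXEC_PROTECTS = {
    "PAGE_EXECUTE",
    "PAGE_EXECUTE_READ",
    "PAGE_EXECUTE_READWRITE",
    "PAGE_EXECUTE_WRITECOPY",
}

def looks_like_pe(head: bytes) -> bool:
    """True if the bytes start with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
    return head[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def classify(region: Region) -> Optional[str]:
    """Return a verdict for suspicious regions, None for benign ones."""
    if region.protect not in EXEC_PROTECTS:
        return None                      # not executable, not our concern here
    if region.mem_type == "MEM_IMAGE" and region.mapped_file:
        return None                      # a module the loader mapped from disk
    if looks_like_pe(region.head):
        return "unbacked-pe"             # PE image in private memory: reflective DLL
    if region.protect == "PAGE_EXECUTE_READWRITE":
        return "rwx-private"             # no header, but RWX private memory: stomped header or shellcode
    return None

def scan(regions: List[Region]) -> List[Tuple[str, str]]:
    """Run the heuristic over every region and return (base, verdict) pairs."""
    return [(hex(r.base), verdict) for r in regions if (verdict := classify(r))]

def fake_pe_header() -> bytes:
    """Constructed sample: a minimal DOS stub with e_lfanew -> 'PE\\0\\0' at 0x80."""
    head = bytearray(0x100)
    head[0:2] = b"MZ"
    head[0x3C:0x40] = (0x80).to_bytes(4, "little")
    head[0x80:0x84] = b"PE\0\0"
    return bytes(head)

# Constructed sample regions, not taken from any real capture.
SAMPLE_REGIONS = [
    # Legitimately loaded module: image-backed, file on disk.
    Region(0x7FF7A0000000, 0x1000, "PAGE_EXECUTE_READ", "MEM_IMAGE",
           r"C:\Windows\System32\ntdll.dll", fake_pe_header()),
    # Reflectively loaded DLL: full PE header in private RWX memory.
    Region(0x1F4B2D30000, 0x40000, "PAGE_EXECUTE_READWRITE", "MEM_PRIVATE",
           None, fake_pe_header()),
    # Header-stomped loader or raw stager: RWX private, no MZ.
    Region(0x1F4B2E00000, 0x20000, "PAGE_EXECUTE_READWRITE", "MEM_PRIVATE",
           None, b"\xfc\x48\x83\xe4\xf0" + bytes(0xFB)),
    # Ordinary heap: private but not executable.
    Region(0x1F4B2F00000, 0x10000, "PAGE_READWRITE", "MEM_PRIVATE",
           None, bytes(0x100)),
]

if __name__ == "__main__":
    for base, verdict in scan(SAMPLE_REGIONS):
        print(f"{base}: {verdict}")
```

On a live system the same checks are what tools such as Volatility’s malfind apply to a memory image, which is why acquiring memory from a suspect host before rebooting it matters: once the process exits, the in-memory copy is the only copy of the payload that ever existed.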