
Ireland’s Health Service Executive Held to Ransom by Conti Gang

Ireland’s Health Service Executive (HSE) was hit by a ransomware attack late last week, forcing the organization to shut down its IT system (reported as more than 80,000 computers) on Friday. Green Party Minister of State for Communications Ossian Smyth said the attack was “possibly the most significant cybercrime attack on the Irish State”.

He said the ransom would not be paid, just as it emerged that HSE may not have been the only target. By Sunday it was learned that the Department of Health had also been attacked by what was assumed to be the same gang. Prime Minister Micheal Martin said, “I think we’re very clear we’re not going to be paying any ransom or engaging in any of that sort of stuff, so we’re very clear on that.”

Details of the attack on HSE have not yet been disclosed. All that is known so far is that the attack is attributed to the Conti gang (Conti came to light in the summer of last year), that the attackers demanded a ransom of around $20 million, and that the attack is thought to have involved the use of a zero-day threat.

Little is known about the second reported attack on the Irish Department of Health. However, the department has shut down its systems and is working on recovery. A ‘digital note’ (presumably the ransom demand) was left by the attackers and ties the attack to Conti.

Conti locks files and steals data. If the ransom is not paid, it leaks the stolen data. The gang claims to have stolen over 700GB of data. 

Anne O’Connor, COO at the HSE, said on Sunday that radiology services had been affected across the country and that the radiation oncology system for patients with cancer has been compromised.

However, it is believed that any data stolen by Conti is more likely to be personal than clinical.

Ms O’Connor explained that the HSE had clean backups from which it could rebuild its servers, but that this would take time.

The MalwareHunterTeam tweeted today, “Conti ransomware gang got files in HSE case… then got email exports between hospitals employees & patients, etc… Basically they have all kind of stuff…” In a separate tweet, they commented, “People say bad things about DarkSide ransomware gang. Now, not saying they are great people or something, but they are nowhere from Conti that is bragging about stealing patients’ personal data & etc, then acting as good ‘businessmen’ & asking 19,999kk as ‘collateral’.”

With Conti’s reputation preceding them, and with Ireland’s public confirmation that it will pay no ransom, the government is already warning the public to expect personal data to be published. While HSE has not yet confirmed the loss of personal data, Ossian Smyth said it should be expected. He told the Irish Times that accessing such patient files would be “the first thing [hackers] would do before trying to encrypt data or delete backups”, and that usually such information was sold on, and later released either by the hackers or other parties.

He added, “It wouldn’t surprise me if it was published at some point in the future.”

In February 2021, Sophos published an analysis of the Conti ransomware. It said the ransomware is delivered at the end of a series of Cobalt Strike/meterpreter payloads that use reflective DLL injection techniques to push the malware directly into memory. 

“Because the reflective loaders deliver the ransomware payload into memory, never writing the ransomware binary to the infected computer’s file system, the attackers eliminate a critical Achilles’ heel that affects most other ransomware families: There is no artifact of the ransomware left behind for even a diligent malware analyst to discover and study.”
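The Sophos observation above is that a reflectively loaded payload leaves no file on disk, but it still has to live in process memory, and that memory is the artifact a responder can look for. The following Python is an added illustration written for this page (not Sophos's, Conti's or SecurityWeek's code) of the check a memory-forensics tool performs: walk a process's memory regions and flag executable regions that are not backed by a file on disk, with higher severity when the region still carries a PE header. The snapshot format (`Region`), the sample regions and the minimal PE image are all constructed for the example; a real tool would obtain the same region list from a memory dump or from the operating system's region-enumeration APIs rather than from hard-coded data.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Region:
    """One memory region of a process (constructed snapshot format for this example)."""
    base: int
    protect: str               # e.g. "RX", "RWX", "RW"
    mapped_file: Optional[str] # path of the backing image, or None if the memory is private
    data: bytes


@dataclass
class Finding:
    base: int
    severity: str
    reason: str


def has_pe_header(data: bytes) -> bool:
    """True if the buffer starts with an MZ stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def build_pe_image(size: int = 0x200) -> bytes:
    """Constructed stand-in for a PE image: MZ stub, e_lfanew at 0x3C, 'PE\\0\\0' at 0x80."""
    e_lfanew = 0x80
    img = bytearray(size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    return bytes(img)


def scan_regions(regions: List[Region]) -> List[Finding]:
    """Flag executable memory that no file on disk accounts for.

    Image-backed code (a loaded EXE/DLL) is skipped: the file is the artifact to examine.
    Private executable memory with a PE header is the classic reflective-loading footprint;
    private executable memory without one may be shellcode or an image whose headers were wiped.
    """
    findings = []
    for r in regions:
        if "X" not in r.protect:
            continue  # only executable memory can host a running loader or payload
        if r.mapped_file is not None:
            continue  # backed by an image on disk; out of scope for this check
        if has_pe_header(r.data):
            findings.append(Finding(r.base, "high",
                "unbacked executable region contains a PE header (reflectively loaded image)"))
        else:
            findings.append(Finding(r.base, "medium",
                "unbacked executable region without PE header (shellcode or header-wiped image)"))
    return findings


def sample_snapshot() -> List[Region]:
    """Constructed process snapshot: one legitimate image plus two private executable regions."""
    return [
        Region(0x7FF600000000, "RX", r"C:\Windows\System32\notepad.exe", build_pe_image()),
        Region(0x1F0000, "RWX", None, build_pe_image()),      # reflectively loaded DLL
        Region(0x2A0000, "RX", None, bytes(range(256))),      # unbacked code, no headers
        Region(0x3B0000, "RW", None, b"\x00" * 0x100),        # plain data; not flagged
    ]


if __name__ == "__main__":
    for f in scan_regions(sample_snapshot()):
        print(f"{f.base:#014x} {f.severity:6} {f.reason}")
```

Run as a script it lists the two private executable regions and leaves the notepad image and the data page alone. The medium-severity branch matters in practice: loaders that erase the MZ/PE headers after mapping defeat the signature check, so an unbacked executable region is worth a look even when no header is present.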

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high-tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security, and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
