Ransomware Attack on Irish Healthcare System
Ireland's public health care system, run by the Health Service Executive (HSE), was compromised by a widespread ransomware attack. An Irish news outlet reported that the government would have to spend more than $48 million to recover from it.
The Conti attack hit Ireland's hospitals in May 2021 and caused disruption across the country. A ransom of nearly $20 million was demanded, but the government refused to pay. Various medical services were shut down and appointments were cancelled, and the attack also took the Covid-19 portal offline. Restoring the health service's IT systems took many weeks. Most emergency services kept operating, but there were delays in radiology appointments, Covid-19 test results, and the issuing of birth and death certificates. Nearly 40 hospitals were affected; some of them are listed below.
In December 2021 a health service executive said that up to four months would be needed to recover all of the stolen data. The recovered data was handed to the Garda National Cyber Crime Bureau on 17 December 2021 by the US Department of Justice under a mutual legal assistance treaty. The stolen data included personal, medical and healthcare records as well as commercial and administrative information.
Ireland’s Response
The health service worked with national and international security and law-enforcement bodies, including the National Cyber Security Centre, An Garda Síochána, the Irish Defence Forces, Interpol and Europol. Ossian Smyth, Minister of State for Public Procurement and eGovernment, said the attack was international in nature and probably the most significant cyberattack on the Irish state. News outlets reported different figures for the ransom demand: Bleeping Computer reported that $20 million was demanded in return for decrypting the data and not publishing it, while the Business Post reported a demand of 3 bitcoin, about $150,000. In addition, American firms such as McAfee and FireEye were engaged to monitor the dark web for any leaked data.
Minister for Communications Eamon Ryan said on 20 May that a helpline had been set up to assist individuals whose health information was published, and that social media companies had been told not to publish any information from the attack. A High Court order was also obtained prohibiting the sharing of the stolen information. On the same day it was reported that the criminal group behind the attack had a decryption key that could be used to recover the HSE's IT systems and files. On 27 March, HSE Chief Executive Paul Reid said the cost of recovering the IT systems could exceed 100 million euros. By September 2021, over 95% of servers and devices had been restored.
What is Conti Ransomware?
Conti is ransomware operated by criminal groups to attack organizations across many industry sectors worldwide. It is particularly dangerous because of its encryption speed and how quickly it spreads to multiple systems. The operation is attributed to a group known as Wizard Spider, which is believed to be a Russian group based in Saint Petersburg.
How does Conti Ransomware work?
A phishing email is used to install malware on the victim's system and gain remote access to it. The email appears to come from a trusted source and contains a malicious document, sometimes hosted on Google Drive. Once the victim downloads and opens the file, its payload creates a backdoor that connects the victim's system to Conti's command-and-control server. With the backdoor in place, Conti encrypts data and runs a two-stage extortion scheme.
The newer technique of double extortion, also known as pay-now-or-get-breached, is now common. The attackers first exfiltrate a large quantity of data and then encrypt it. Once encryption is complete, they demand a ransom in return for the decryption key and threaten to publish the stolen data unless it is paid. Typically a small sample of the data is leaked, with the threat of releasing more if the ransom is not paid.
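The encryption stage described above is the part that endpoint telemetry can catch: a single process writing or renaming an unusual number of files in a short window. The following detector is an added example written for this article; it is not code from the page's original author or from any security product. It runs over constructed file-activity log lines (the hostnames, process names, paths and the `backup.exe` allowlist entry are all invented) and flags any process that touches at least a threshold number of distinct files inside a sliding ten-second window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tuning knobs: a real deployment would baseline these per host role.
WINDOW = timedelta(seconds=10)   # sliding window length
THRESHOLD = 15                   # distinct files written/renamed within WINDOW before alerting
ALLOWLIST = {"backup.exe"}       # hypothetical known bulk writers exempt from the rule

# Constructed log format: "<ISO timestamp> <host> <pid> <process> <write|rename> <path>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (\S+) (write|rename) (.+)$")


def parse_line(line):
    """Parse one telemetry line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, pid, proc, action, path = m.groups()
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "pid": int(pid),
        "proc": proc,
        "action": action,
        "path": path,
    }


def detect_bursts(lines, window=WINDOW, threshold=THRESHOLD, allowlist=ALLOWLIST):
    """Return {(host, pid, proc): info} for every process that touched at least
    `threshold` distinct files inside any `window`-long sliding interval.
    Events are sorted by timestamp first, so out-of-order input is tolerated."""
    events = [ev for ev in map(parse_line, lines) if ev is not None]
    events.sort(key=lambda ev: ev["ts"])

    recent = defaultdict(deque)   # process key -> deque of (timestamp, path) inside the window
    alerts = {}
    for ev in events:
        if ev["proc"].lower() in allowlist:
            continue
        key = (ev["host"], ev["pid"], ev["proc"])
        q = recent[key]
        q.append((ev["ts"], ev["path"]))
        # Drop events that have aged out of the window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {path for _, path in q}
        if len(distinct) >= threshold and key not in alerts:
            alerts[key] = {
                "first_seen": q[0][0].isoformat(),
                "last_seen": ev["ts"].isoformat(),
                "files": len(distinct),
            }
    return alerts


def sample_log():
    """Constructed telemetry for the demo; hosts, processes and paths are invented."""
    lines = []
    # Benign: a user saving a few documents, 25 seconds apart.
    for i, sec in enumerate((0, 25, 50)):
        lines.append(f"2021-05-14T02:10:{sec:02d} ws01 4120 winword.exe write C:\\Users\\a\\doc{i}.docx")
    # Allowlisted bulk writer: a backup job touching 40 files in 5 seconds.
    for i in range(40):
        lines.append(f"2021-05-14T02:11:{i // 8:02d} ws01 2200 backup.exe write D:\\bak\\f{i}.bak")
    # Suspicious: an unknown process renaming 30 share files in 8 seconds.
    for i in range(30):
        lines.append(f"2021-05-14T02:12:{i // 4:02d} ws01 5312 update.exe rename C:\\Share\\fin\\f{i}.xlsx.locked")
    return lines


if __name__ == "__main__":
    for (host, pid, proc), info in detect_bursts(sample_log()).items():
        print(f"ALERT {host} pid={pid} {proc}: {info['files']} files "
              f"between {info['first_seen']} and {info['last_seen']}")
```

Only the unknown process trips the rule: the user's editor never has more than one file in any window, and the backup job is exempted by the allowlist. The allowlist is the weak point of this kind of rule, since an attacker who can launch a process under an exempted name bypasses it, so in practice the exemption should be tied to a signed binary path rather than a bare process name, and the threshold should be baselined per host role rather than set globally.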
What can be done to protect your endpoints from Conti Ransomware?
- Install updates as soon as vendors release them.
- Change the passwords on your devices and accounts, and do not reuse them.
- Train employees: require multi-factor authentication and a unique password for every account.
- Disable remote desktop and other remote-access ports that are not needed, and restrict access to those that are.
- Treat unexpected emails and messages with suspicion; opening or downloading their attachments may be all it takes to start an attack.