HSE ransomware crooks: Hand over $20m in bitcoin or we publish all Irish private medical data

By Robert Scammell

Cybercriminals have leaked samples of patient data stolen in the Irish HSE (Health Service Executive) ransomware attack and are threatening to publish the full tranche of records on Monday unless they receive a $20m payment in bitcoin.

The threat comes as the Irish health system continues to grapple with major disruption to its IT network that has led to cancelled hospital appointments. HSE’s payroll system remains down due to the ransomware, and yesterday officials warned that its 146,000 staff might not receive the correct amount of salary. The attack also disrupted online registration for Covid-19 vaccines, but that system is now up and running.

Files posted on the dark web, seen by the Financial Times, were shared by the group claiming responsibility for the attack as proof that they have the data. Ireland’s Health Minister Stephen Donnelly confirmed that some stolen HSE records were leaked online by the ransomware gang.

The “ContiLocker Team” claims to have stolen 700 gigabytes of patient data, financial statements and payroll information from HSE. It is threatening to publish this data on Monday unless it receives a $19.99m ransom payment, the FT said.

Irish communications minister Eamon Ryan described the reporting on the leaked sample files as “credible and accurate”.

The leaked sample data, which consisted of 27 files on 12 individuals, piles further pressure on the already overwhelmed Irish health system. Leaking stolen files is a common tactic employed by ransomware gangs if payment is not forthcoming at once.

“Ransomware attacks are profit-led and if the initial effort to extort money fails, the people behind the attacks must show their hand in a second attempt at making money,” said Jake Moore, cybersecurity specialist at internet security company ESET.

“This almost always begins with an initial small amount of data to prove they have what they say and warn the victim that they mean business.”

A ransom note seen by Bleeping Computer claims the cybercriminals infiltrated HSE’s network two weeks prior to dropping the ransomware payload on 14 May.

“The good news is that we are businessmen,” the ransom note reads. “We want to receive ransom for everything that needs to be kept secret and don’t want to ruin your business.”

Officials, including Taoiseach Micheál Martin, the Prime Minister of Ireland, have said they will not pay the ransom demand or negotiate with the criminal hackers.

The priority for HSE is to restore diagnostic services such as X-rays. Verdict has asked HSE whether staff were paid the correct amounts today, but did not receive a reply at the time of publication.

A doctor who wished to remain anonymous told cybersecurity company Malwarebytes that they are having to tell patients “sorry I can’t operate on you”.

The doctor added: “I think they will pay the ransom. I don’t think there is another way around it. The pressure will build up, they will have to do what has to be done. This can’t go on. This is disastrous.”

Conti ransomware used in HSE strike

Ireland’s National Cyber Security Centre said in an advisory published Sunday that it had “observed a variant of Conti ransomware” in the attacks.

Conti is human-operated ransomware that is rented out to cybercriminals, with the malware owners taking a cut of the earnings. Conti ransomware was first spotted in December 2019 and shares code with the infamous Ryuk ransomware. The ransomware-as-a-service gang selling Conti is believed to be based in Russia.

Ray Walsh, digital privacy expert at ProPrivacy, described the leaking of patient data as the “worst-case scenario”.

He added: “Whenever hackers lock up a system with ransomware, it is possible that they will also steal the data, which is why it must be treated as a full data breach in addition to a ransomware attack.”

The Conti gang also infiltrated the computer network of the Irish Department of Health, but their attempts to infect it with malware were thwarted by security tools, the NCSC said.

In 2017 the WannaCry ransomware affected 200,000 computers worldwide, including those at 81 NHS trusts, causing the mass cancellation of appointments and services.

This week’s cyberattacks against Ireland’s health service follow a ransomware attack that forced Colonial Pipeline to halt operations, causing fuel shortages along the US East Coast.
