Irish health system fights off one ransomware attack, succumbs to another

By Robert Scammell

Investigators thwarted a second ransomware attack against the Irish health system after the Department of Health (DoH) deployed security tools blocking malware from encrypting its files.

The DoH said it has shut down its IT systems as a “precautionary measure” after cybercriminals infiltrated its network last week. The cyberattack is believed to be linked to the ransomware attack against Ireland’s public healthcare system, the Health Service Executive (HSE), which was forced to shut down computer systems last week.

Security teams detected “malicious cyber activity” on the DoH network in the early morning of Friday 14 May. However, a “combination of anti-virus software and the deployment of tools during the investigation process” prevented the ransomware from being deployed, according to Ireland’s National Cyber Security Centre (NCSC).

The same cybercriminal gang is believed to be behind both incidents and is suspected to be based in Eastern Europe. The attack against HSE has prevented access to electronic health records, causing significant disruption to healthcare services and the cancellation of some hospital appointments. Covid testing and vaccines continue but face delays, HSE said.

“This attempted attack remains under investigation, however there are indications that this was a ransomware attack similar to that which has affected the HSE,” the Department of Health said in a statement on Sunday.

Ireland’s NCSC and third-party cybersecurity experts have been brought in to assist with the investigation and response.

The NCSC said in an advisory published on Sunday that it had “observed a variant of Conti ransomware” in the attacks. Conti is a human-operated ransomware that is rented out to cybercriminals, with the malware owners taking a cut of earnings. Conti ransomware was first spotted in December 2019 and shares code similarities with the infamous Ryuk ransomware. The ransomware-as-a-service gang selling Conti is believed to be based in Russia.

According to US security site Bleeping Computer, the ransomware gang behind the attacks has demanded a $20m payment from HSE to decrypt locked files and delete 700GB of stolen files. The unencrypted data is said to include patient information, financial statements and payroll information.

The ransomware note obtained by Bleeping Computer claims that the criminal enterprise infiltrated HSE’s network for two weeks prior to the attack.

“The good news is that we are businessmen,” the ransom note reads. “We want to receive ransom for everything that needs to be kept secret and don’t want to ruin your business.”

Taoiseach Micheál Martin, the Prime Minister of Ireland, said on Friday that HSE would not be paying the ransom or “engaging in any of that sort of stuff”.

Irish health system faces two ransomware attacks in one day

The NCSC first became aware of “potential suspicious activity” on DoH systems on the afternoon of Thursday 13 May. The following morning, on 14 May, it was notified of the successful ransomware attack against HSE. That same day, cybercriminals attempted to deploy ransomware on the DoH network but were unsuccessful.

Preliminary NCSC investigations suggest that Cobalt Strike Beacon, a remote access penetration testing tool used by malicious hackers to move around compromised networks, was involved in the attacks.

In 2017 the WannaCry ransomware struck the NHS, leading to the mass cancellation of appointments and services.

The two cyberattacks against Ireland’s health service follow a ransomware attack that forced Colonial Pipeline to halt operations, causing fuel shortages along the US East Coast.
