Ransomware Attack: Ireland's Cleanup Costs Hit $48 Million
Healthcare Hit: $110 Million May Be Full Recovery Cost for Health Service Executive
What's the price of a ransomware attack that disrupts a nation's critical infrastructure?
Ireland's Health Service Executive tells Information Security Media Group that the cleanup cost of the Conti ransomware attack against it last May has so far hit $48 million. But it "forecasts that the overall cost could be in the region" of $110 million.
So far, the costs have included an additional $14 million spent on IT infrastructure, $6 million on cybersecurity and strategic support, $17 million on vendor support for applications and $9 million on Office 365, Irish broadcaster RTE reports.
Beyond the overall cost of cleanup, additional costs will be incurred as the HSE implements recommendations from PwC, also known as PricewaterhouseCoopers. The consultancy was brought in to investigate the incident and found the HSE had "a very low level of cybersecurity maturity," as judged against the U.S. National Institute of Standards and Technology's Cybersecurity Framework. Among other shortcomings, it found HSE had no CISO, few controls for blocking a human-operated ransomware attack, and poor patching, security monitoring and anti-malware defenses.
Once the cleanup is complete, the HSE aims to implement numerous recommendations put forth by PwC. "Our next step is to develop a multiyear implementation plan and a multiyear business case around the required investment overall," an HSE spokeswoman tells ISMG. "This will be brought forward to the Department of Health and ultimately to government."
From a spending standpoint, this year's HSE budget includes an additional $48 million for cybersecurity initiatives, beyond the $69 million budgeted this year for IT operating expenses - versus the $41 million that was budgeted for IT operations last year.
Peadar Tóibín, leader of the Aontú political party, has accused the government of leaving the health service unprepared to defend itself against ransomware attacks and called for an investigation into the attack, to be led by a judge, RTE reports.
Unfortunately, sophisticated criminals tend to focus on what gives them the maximum potential payoff for the least time, effort or risk. When it comes to the healthcare sector, ransomware-wielding attackers keep calling.
Indeed, as noted in PwC's 157-page report, released in December 2021, HSE's IT shortfalls were hardly unique, not least for healthcare sector entities.
Repeat Target: Healthcare
The HSE attack highlights a myth propagated by ransomware-wielding criminals: that they never target the healthcare sector.
In practice, groups that do hit a healthcare entity will sometimes, as an attempted face-saving exercise, hand the victim a decryptor without requiring it to pay a ransom.
This is what happened with the attack on HSE: Attackers triggered the ransomware on May 14 and, on May 20, sent the government a decryptor.
Unfortunately, once systems get infected, they must be wiped and restored. The scale of the attack against Ireland's HSE led to the government calling in the military to help with the recovery effort. Even so, appointments had to be canceled; blood tests couldn't be conducted or results received. Patient care was disrupted for months.
But the HSE disruption could have been worse, since the decryption key "allowed for an accelerated recovery process," PwC says in its report.
"It is unclear how much data would have been unrecoverable if a decryption key had not become available as the HSE's backup infrastructure was only periodically backed up to offline tape," PwC says. "Therefore, it is highly likely that segments of data for backup would have remained encrypted, resulting in significant data loss. It is also likely to have taken considerably longer to recover systems without the decryption key."
How does the attack against HSE compare to other such ransomware strikes?
Experts' view of ransomware remains incomplete. Sometimes a ransomware group posts a victim's identity, or begins leaking stolen information, on its dedicated data leak site. But many victims are driven to pay, not least to avoid the details of their security incident becoming public.
Cybersecurity firm Group-IB has estimated that for groups that run a data leak site, only 13% of victims ever end up getting listed there. In addition, it estimates that about 30% of victims end up paying a ransom.
Beyond data leak sites, attacks sometimes come to light if a victim informs regulators and they make it public. Or they might alert investors. The latter is required by the U.S. Securities and Exchange Commission for any public company that suffers a notable cybersecurity incident.
When ransomware attacks do come to light, inevitably they turn out to be extremely costly, regardless of whether an organization paid a ransom.
The healthcare sector also remains a top target. Another ransomware attack from May 2021, for example, involved San Diego health system Scripps Health. Both IT systems and patient care were disrupted for a month, leading to nearly $113 million in costs, including $91.6 million in lost revenue, according to a financial report filed by Scripps.
Another ransomware attack victim was Scotland's environmental watchdog, which got hit on Dec. 24, 2020. The Scottish Environment Protection Agency saw thousands of files get crypto-locked, and its cleanup continues, with costs hitting $1.1 million by April 2021. But the agency expects a full cleanup, including a complete overhaul of its IT infrastructure to help better defend against future cyberattacks, to take years.
So far, SEPA remains unable to detail the full financial impact of the attack and has already had to write off at least $2.7 million in fees, owing to its inability to access records, the BBC reports.