Ransomware Gang Provides Irish Health System With DecryptorConti Group Still Threatens Data Release Unless Ransom Paid
A week after Ireland's Health Service Executive, the nation's health services provider, was hit by a ransomware attack, the Conti gang has provided a decryptor, which officials are now testing to determine whether to use it, Reuters reports. But the ransomware gang is still threatening to release stolen data unless a $19 million ransom is paid.
Health Service Executive shut down all its IT systems serving hospitals on May 14 after the ransomware attack.
"The decryption key to unlock the data has now been made available," Stephen Donnelly, Ireland's health minister, said Thursday. "No ransom was paid by the Irish state."
But Brett Callow, threat analyst at security company Emsisoft, observes: "It rarely, if ever makes sense for organizations to use the tools provided by threat actors. The best case is that a tool will be slow and hard to use. The worst case is that it'll contain a backdoor or have bugs that causes it to trash data.”
Alan Woodward, a professor of computer science at the University of Surrey, sees the Conti group's release of a decryptor as a ploy.
"Giving the key is some attempt to obtain moral brownie points as they've been attacking a health service," says Alan Woodward, a professor of computer science at the University of Surrey, via Twitter. "They're playing games." (See: Ransomware Gangs 'Playing Games' With Victims and Public).
Ciaran Martin, Britain's former cybersecurity chief, says the attackers have been caught out. "Ransomware works best for the criminals when private companies pay in secret," Martin says via Twitter. "Attacking a state healthcare system in the full glare of publicity is not good 'business.'"
The ransomware attack was first spotted on the IT networks of a Dublin maternity hospital. HSE shut down all its IT systems serving healthcare facilities throughout Ireland to prevent the spread of the malware. This forced clinicians to use paper-based processes, Irish state broadcaster RTE reported.
Reuters reported the hackers compromised the system by exploiting a zero-day vulnerability. The systems shutdowns have led to delays in reporting laboratory results and difficulties making appointments at maternity and oncology departments throughout the country.
Irish Health Minister Stephen Donnelly told RTE that as of Thursday evening, imaging software for radiology and some patient administration systems were back up and running at some hospitals. But restoration of all IT for radiation and oncology departments continues and is an “absolute priority," he said.
An HSE doctor, who spoke under the condition of anonymity, tells security firm MalwareBytes the attack has affected the care of vulnerable patients.
On Monday, the MalwareHunterTeam. which has been tracking Conti gang's ransomware activities, tweeted several redacted images that it says revealed the hackers accessed HSE's communications between its employees and patients. The attackers also gained access to files belonging to Health Business Services, the business division of HSE, MalwareHunterTeam says.
But HSE says no patient data was compromised. Nonetheless, the Irish government on Thursday obtained a court order to block the illegal use of any stolen data.
The Decision Not to Pay
Earlier, several security researchers praised HSE’s decision to not pay any ransom.
"Paying a ransom finances and encourages further attacks - both against the ransom payer and against the wider community," said Thomas Naylor, who provides CIO consultancy services at enablement.tech in the U.K. "If a health authority pays a ransom, it encourages further focus by criminal groups on ransomware attacks against hospitals."
Brian Honan, cybersecurity and data protection expert at BH Consulting, says the Irish health system's "communications from the very beginning have been very on point transparent and open. They acknowledged they were victims of a ransomware attack at the very start, which ensured there was no speculation as to what was happening."
Conti debuted in May 2020, and was tied to numerous attacks, largely against targets in North America and Western Europe (see: Retailer Fat Face Pays $2 Million Ransom to Conti Gang ).
In March, British clothing and accessory retailer Fat Face paid a $2 million ransom to unlock its systems after Conti accessed several files containing sensitive data (see: Retailer Fat Face Pays $2 Million Ransom to Conti Gang ).
The group has also been tied to attacks in the healthcare sector (see: Patient Files Dumped on Darknet Site After Hacking Incidents).