Authorities Target Health Sector Ransom Gang’s IT Infrastructure
The Irish law enforcement body, the Garda National Cyber Crime Bureau, has conducted a “significant disruption operation,” targeting the IT infrastructure of a cybercrime group and seizing several domains used in a May ransomware attack against Ireland’s state health services provider Health Service Executive and others, a GNCCB spokesperson tells Information Security Media Group.
While the GNCCB did not mention the identity of the cybercriminals, HSE had said in May that Conti ransomware was used in the attack.
The operation has “directly prevented” other ransomware attacks around the globe, a Garda spokesperson tells ISMG.
The GNCCB says it has deployed a “splash screen” on the seized domains to notify potential victims that their system may have been compromised by ransomware.
The Garda’s “crime prevention operation” likely prevented any further ransomware attack on the ICT systems that attempted to connect, by rendering the malware initially deployed on the victims’ systems ineffective, a spokesperson says. A total of 753 attempts were made by ICT systems across the world to connect to the seized domains, according to a Garda press note.
Additionally, the GNCCB says it shares relevant details with the Garda Síochána (Irish National Police Force), Europol and Interpol to ensure that infected systems across member countries are “appropriately decontaminated.”
Some 95% of HSE services, including servers and devices disrupted during the May ransomware attack, have been fully restored, according to local newspaper the Irish Examiner.
“Most of our priority systems are back online on local sites, including radiology and diagnostic systems; maternity and infant care; patient administration systems; chemotherapy; radiation oncology; radiotherapy and laboratories,” the newspaper reports, citing an HSE spokesperson.
Only “10 site-specific instances of systems remain to be brought back online,” the report says. Although HSE staff can now access their email accounts, restoration of historical emails is still a work in progress, it adds.
Ransomware Attack on the HSE
Ireland’s HSE was alerted about a cyberattack in the early hours of May 14, 2021, when malware was first spotted on the IT network of its Dublin-based Rotunda maternity hospital. This forced HSE to take its entire IT infrastructure offline, as it uses a common system for registering its patients, Professor Fergal Malone, master of the Rotunda maternity hospital, told state broadcaster RTE at the time.
Paul Reid, CEO of HSE, later confirmed that the shutdown was a preventive measure following a “significant ransomware attack” that caused widespread disruption to the HSE’s systems. Citing the National Cyber Security Agency, RTE added that an Eastern European cybercriminal gang, Wizard Spider, which uses Conti ransomware, was behind the HSE cyberattack.
The attackers claimed to have stolen 700 GB of personal data of patients from HSE, including personal documents, phone numbers, contacts, payroll and bank statements, and were then asking for a $20 million payout (see: Irish Healthcare Sector Was Hit by 2 Ransomware Attacks). It was also suggested in the report that it was not just one but two ransomware attacks that took place at nearly the same time. Apart from HSE, Ireland’s Department of Health was also targeted but the attack “wasn’t as extensive,” Irish minister for communications Eamon Ryan told RTE.
Irish Prime Minister Micheál Martin refused to pay a ransom and told national media that the government was not communicating with the attackers.
However, a week later, the alleged attackers provided a decryption key to HSE, on the condition that it either pay $19 million in ransom or have its patient data made public.
Stephen Donnelly, Ireland’s health minister, clarified that “[although] the decryption key to unlock the data has now been made available, no ransom was paid by the Irish state.”
In June 2021, HSE CEO Reid told the legislative body Oireachtas that the recovery costs of the ransomware attack were likely to be about $600 million (see: Irish Ransomware Attack Recovery Cost Estimate: $600 Million).
Affiliates of the Conti operation are reported to have been behind a significant number of recent attacks, as has its LockBit 2.0 operation (see: Conti Ransomware Threat Rising as Group Gains Affiliates).