Conti ransomware gang also breached Ireland Department of Health (DoH)

May 19, 2021  By Pierluigi Paganini


Conti ransomware also breached the network of Ireland’s Department of Health (DoH) but the ransomware failed to encrypt the systems.

Last week, Conti ransomware gang targeted the Ireland’s Health Service Executive that was forced to shut down its IT systems on Friday after being targeted with a significant ransomware attack. The Health Service Executive opted to shut down its infrastructure as a precaution to avoid the threat from spreading.

Researchers from BleepingComputer revealed that the Conti ransomware gang demanded a $20 million ransom.

In a separate attack, the ransomware gang also breached the network of the country’s Department of Health (DoH) but failed to encrypt the systems of the organization. The DoH shut down its networks to avoid the threat from spreading, at the time the operations have yet to be fully restored.

Once compromised the network, the Conti ransomware gang dropped Cobalt Strike beacons to spread their ransomware.

“The National Cyber Security Centre (NCSC) became aware on Thursday of an attempted cyber attack on the Department of Health. The Department of Health has implemented its response plan including the suspension some functions of its IT system as a precautionary measure. This attempted attack remains under investigation, however, there are indications that this was a ransomware attack similar to that which has affected the HSE.” reads an update published by the Irish Department of the Environment, Climate and Communications.

“As the investigations into both incidents are ongoing, it is not possible to make further comment on the nature of these attacks at this time.”

The National Cyber Security Centre (NCSC) also published an alert titled “Ransomware Attack on Health Sector” that included technical details on the attack. Government experts speculate the two attacks are part of the same campaign targeting the Irish health sector.

“On 14/05/21 the Health Service Executive (HSE) was impacted by a Ransomware attack which has affected multiple services on their network. The NCSC along with the HSE and partners are currently investigating this incident and an Incident Response process is ongoing.” reads the alert. “Malicious cyber activity was also detected on the Department of Health (DoH) network early on Friday morning (14th May 2021), however due to the deployment of tools during the investigation process an attempt to execute ransomware was detected and stopped. These attacks are believed to be part of the same campaign targeting the Irish health sector”

The NCSC also provided indicators of compromise (IoCs) associated with the attacks.

Preliminary investigations conducted by the government experts revealed that the suspected presence of Cobalt Strike Beacon that was used by threat actors to gain remote access to the compromised systems and perform lateral movements within the target network.

At approx 07:00 hrs on 14th May the NCSC was made aware that a Conti ransomware attack that had severely disabled a number of systems, the IT staff shutdown the majority of other HSE systems.

Early Friday morning (14th May 2021) experts detected malicious activity also on the DoH network, but the attack was neutralized by defense software that detect the attempt of deploying hacking tools and the execution of the ransomware.

The malware involved in the attack is Conti Ransomware v3 (32 bit), which attempted to encrypt all files with the exception of the following file names:
– CONTI_LOG.txt
– readme.txt
– *.FEEDC (extension added by Conti Ransomware to filenames of encrypted files)
– *.msi
– *.sys
– *.lnk
– *.dll
– *.exe

Conti ransomware operators run a private Ransomware-as-a-Service (RaaS), the malware appeared in the threat landscape at the end of December 2019 and was distributed through TrickBot infections. Experts speculate the operators are members of a Russia-based cybercrime group known as Wizard Spider.

Since August 2020, the group has launched its leak site to threaten its victim to release the stolen data.

The list of victims of the group includes IoT chip maker Advantech, and Broward County Public Schools (BCPS).

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Department of Health)

[adrotate banner=”5″]

[adrotate banner=”13″]



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like





  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

DarkSide ransomware made $90 million since October 2020

 Researchers from blockchain analysis firm Elliptic estimated that Darkside ransomware gang has made over $90 million from...