Ireland’s Health Service Executive that was forced to shut down its IT systems on Friday after being targeted with a significant ransomware attack. The Health Service Executive opted to shut down its infrastructure as a precaution to avoid the threat from spreading.
The authorities launched an investigation into the incident that began at around 4.30am on Friday, the government experts are working to determine the extent of the security breach.
The incident caused cancellations and disruption to services at multiple hospitals in the country, fortunately the ongoing coronavirus vaccination campaign was not affected.
“There is a significant ransomware attack on the HSE IT systems. We have taken the precaution of shutting down all our our IT systems in order to protect them from this attack and to allow us fully assess the situation with our own security partners.” reads a statement published by the HSE.” Vaccination appointments are going ahead as normal.”
“We’ve taken a precautionary measure to shut down a lot of our major systems to protect them,” chief executive Paul Reid told broadcaster RTE. “We are at the very early stages of fully understanding the threats, the impact and trying to contain it.”
Now new details about the attack were reported by the media, the HSE shut down all of their IT systems due to a Conti ransomware attack.
Researchers from BleepingComputer revealed that the Conti ransomware gang demanded a $20 million ransom.
“Yesterday, a cybersecurity researcher shared a screenshot of a chat between Conti and Ireland’s HSE with BleepingComputer.” reported BleepingComputer. “Conti further stated that they would provide a decryptor and delete the stolen data if a ransom of $19,999,000 is paid to the threat actors.”
The Conti ransomware gang claims to have stolen 700 GB of sensitive data from the HSE over two weeks. Stolen info includes patient documents, contracts, financial statements, and payroll.
Taoiseach Micheál Martin, the Prime Minister of Ireland, confirmed in a press release that they will not pay ransom.
Conti ransomware operators run a private Ransomware-as-a-Service (RaaS), the malware appeared in the threat landscape at the end of December 2019 and was distributed through TrickBot infections. Experts speculate the operators are members of a Russia-based cybercrime group known as Wizard Spider.
Since August 2020, the group has launched its leak site to threaten its victim to release the stolen data.
(SecurityAffairs – hacking, Health Service Executive)