Irish Police 'Significantly Disrupt' Attackers' Operations
Conti Ransomware Attackers' Infrastructure Targeted After Health Service Disruption

Ireland's cybercrime police, the Garda National Cyber Crime Bureau, have conducted a "significant disruption operation" targeting the IT infrastructure of a cybercrime group. As part of the operation, police seized several domains used in a May ransomware attack against Ireland's national health services provider Health Service Executive, a spokesperson tells Information Security Media Group.
While the GNCCB did not detail the identity of the cybercriminals, HSE had said in May that Conti ransomware was used in the attack.
The operation has "directly prevented" other ransomware attacks around the globe, the Garda spokesperson tells ISMG.
The GNCCB says it has left a splash screen on the seized domains to notify potential victims that their system may have been compromised by ransomware.
The Garda's "crime prevention operation" is likely to have prevented any attempted ransomware attacks relying on that infrastructure, because the malware would fail to connect to the attackers' servers to download necessary code, the spokesperson says. Since the servers were seized, 753 attempts have been made by IT systems across the world to connect to the seized domains, apparently by infected systems seeking to download crypto-locking code, according to a Garda press release.
The GNCCB says it has shared relevant details with the Garda Síochána, which is Ireland's national police force, as well as with Europol and Interpol, to ensure that infected systems in member countries are "appropriately decontaminated."
Systems Largely Restored
Nearly four months after being hit, about 95% of HSE services, including servers and devices, have been fully restored, the Irish Examiner reports.
"Most of our priority systems are back online on local sites, including radiology and diagnostic systems; maternity and infant care; patient administration systems; chemotherapy; radiation oncology; radiotherapy and laboratories," an HSE spokesman tells the newspaper.
Only "10 site-specific instances of systems remain to be brought back online," the report says. Although HSE staff can now access their email accounts, they continue to lack access to older emails, it says.
Ransomware Attack on HSE
Ireland's HSE was first alerted to the cyberattack in the early hours of May 14, when malware was first spotted on the IT network of its Dublin-based Rotunda Hospital, which provides maternity services. This forced HSE to take its entire IT infrastructure offline, as it uses a common system for registering all patients, Professor Fergal Malone, master of the Rotunda Hospital, told state broadcaster RTE at the time.
Paul Reid, CEO of HSE, later confirmed that the shutdown was a preventive measure following a "significant ransomware attack" that caused widespread disruption to the HSE's systems. Ireland's National Cyber Security Agency says an East European cybercrime gang - referred to as Wizard Spider by security researchers - that wields Conti ransomware was behind the HSE cyberattack, RTE reports.
The attackers claimed to have stolen 700 GB of personal data of patients from HSE, including personal documents, phone numbers, contacts, payroll and bank statements, and were then asking for a $20 million payout (see: Irish Healthcare Sector Was Hit by 2 Ransomware Attacks). Some reports also suggested that HSE was hit by not just one but two separate ransomware attacks that took place at nearly the same time. Apart from HSE, Ireland's Department of Health was also targeted but the attack "wasn't as extensive," Irish Minister for Communications Eamon Ryan told RTE.
Conti's Decryptor
But Irish Prime Minister Micheál Martin refused to pay any ransom, telling national media that the government was not communicating with the attackers.
However, a week later, the alleged attackers provided a decryption key to HSE, on the condition that it pay $19 million in ransom or have its patient data made public.
Stephen Donnelly, Ireland's health minister, clarified that "[although] the decryption key to unlock the data has now been made available, no ransom was paid by the Irish state."
In June 2021, HSE CEO Reid told legislative body Oireachtas that the recovery costs of the ransomware attack were likely to be about $600 million (see: Irish Ransomware Attack Recovery Cost Estimate: $600 Million).
Affiliates of the Conti operation have reportedly been behind a significant number of recent attacks, as has the LockBit 2.0 operation (see: Conti Ransomware Threat Rising as Group Gains Affiliates).