On May 14th, Ireland’s Health Service Executive (HSE), the country’s publicly funded healthcare system, had to shut down all of its IT systems after suffering a ransomware attack.
The Conti ransomware gang, who was responsible for the incident, threatened to use all the data stolen from HSE during the attack if a ransom of $20 million won’t be paid. The Irish High Court quickly reacted to this situation and has issued an order to prevent the cybercriminals from selling, sharing, or publishing the stolen data with anyone.
In order to be able to understand the importance of the attack, we need to take a closer look at the Conti ransomware operation.
Conti is believed to be run by a Russia-based cybercrime group known as Wizard Spider, with the group using phishing attacks in order to install the TrickBot and BazarLoader trojans in order to obtain remote access to the infected machines.
With this method, the threat actors are able to spread laterally through a network whilst stealing credentials and harvesting unencrypted data stored on workstations and servers.
Once the hackers have stolen everything of value and gained access to Windows domain credentials, they will deploy the ransomware on the network and encrypt all of its devices. The ransomware gang will use the stolen data as leverage in order to force its victims into paying a ransom by threatening to release it on their ransom data leak site.
In the two-week span that Conti claims they’ve spent monitoring the HSE systems, they might have stolen various data that could be misused for different purposes, including:
- personal details of the patients (names, addresses, phone numbers, birth dates);
- personal employee data (contracts, addresses, scans of personal documents);
- payrolls;
- confidential documents;
- settlements with partners;
- contracts;
- financial statements;
- customer bases;
- banking information, and other possibly sensitive data.
A week after the attack, Conti has provided the HSE with a free decryption tool. Researchers have tested it out, and with the available ransomware samples, have reported that the tool can decrypt files that were encrypted during this attack.
Heimdal™ Ransomware Encryption Protection
- Blocks any unauthorized encryption attempts;
- Detects ransomware regardless of signature;
- Universal compatibility with any cybersecurity solution;
- Full audit trail with stunning graphics;
Although the HSE can now recover its encrypted files for free, the release of the alleged 700 GB of stolen data is likely imminent since the criminals are still demanding a payment of $19,999,999.
The Irish High Court injunction commands to return the stolen data and urges the ransomware gang to give up their names, emails, and whereabouts.