Conti ransomware syndicate behind attack on Irish health service

The devastating ransomware attack on the Irish Health Service Executive (HSE), was the work of the Conti ransomware gang, also known as Wizard Spider, according to reports.

The Irish National Cyber Security Centre (NCSC), which is leading on triage and investigation, said it had activated its incident response procedures and was providing ongoing support to the HSE. It said that it had also detected suspicious activity on the network of the Department of Health (DoH) but that it had been able to stop this attack before the ransomware executed. It believes the attempted attack was part of the same campaign.

“There are serious impacts to health operations and some non-emergency procedures are being postponed as hospitals implement their business continuity plans,” the NCSC said in a statement.

More details of the incident began to emerge over the weekend of 15 and 16 May 2021, as hospitals around the country reported disruption to patient services on a massive scale, after news broke of the initial attack on the morning of Friday 14 May. A full breakdown of current disruptions can be found here, note Ireland’s Covid-19 vaccination programme is proceeding as normal.

A purported screenshot of the ransom note received by the HSE – which was published by Bleeping Computer – suggests that the Conti crime gang (which turned over UK retailer FatFace earlier this year) accessed HSE’s networks at the end of April.

The note said the gang had encrypted file servers and SQL servers, and downloaded over 700GB of personally identifiable information (PII) including, among other things, the addresses and phone numbers of patients, doctors and nurses, payroll information and employment contracts. The gang is supposedly demanding a ransom of $19,999,000.

The Conti ransomware first emerged about 12 months ago and shares similarities with other ransomware families which have been used extensively against healthcare organisations, such as Ryuk – indeed, Cybereason research highlights a clear link between Ryuk and Conti, Wizard Spider having enthusiastically switched from Ryuk to Conti as its ransomware of choice.

As is now almost standard practice, the gang runs double extortion tactics, naming and shaming its victims and leaking their data on the dark web if they don’t play ball.

Peter Mackenzie, manager of Sophos’s Rapid Response team, said: “Sophos Rapid Response has been involved in 10 Conti ransomware incidents so far and from our investigations it is clear that Conti ransomware has undergone rapid development in the last 12 months.

“Conti is a human-led ‘hands-on-keyboard’ ransomware that encrypts data and spreads across a target system at high speed. It is also what is known as a ‘double extortion’ ransomware that steals and threatens to expose information as well as encrypting it. The Conti News site has published data stolen from at least 180 victims so far. 

“Sadly, the healthcare sector is a prime target for adversaries because reliability of services and care can, quite literally, be a matter of life or death. The sector also holds vast amounts of personal, confidential and highly sensitive information,” said Mackenzie.

Sophos’ most recent State of Ransomware report found that 34% of healthcare organisations had experienced some form of ransomware attack since the beginning of the Covid-19 pandemic, and that one in three of those had paid a ransom. Of those that were not hit, 41% were resigned to it being “only a matter of time” before they were, and 55% believed ransomware attacks were now too sophisticated to stop.

“Adversaries targeting healthcare know they are hitting where it hurts, hoping for a large payout as their victims want to prioritise patient privacy and care,” said Mackenzie.