The Colonial Pipeline Incident rocked the InfoSec community and much of the eastern seaboard of the US. The ramifications of the event are likely to mold the US’s strategy in combating cybercrime and ransomware for the foreseeable future. While that incident was unfolding and still being covered by many publications the Irish Healthcare system also experienced a ransomware attack. Two attacks to be more exact.
The attacks resulted in the shutdown of the healthcare system last Thursday. The ransomware gang responsible was the group behind the Conti ransomware strain. The attack impacted both the Department of Health and the Health Service Executive (HSE). Anne O'Connor of the Health Service Executive confirmed that Conti was the offending party when speaking to The Journal. As a result of the attacks, it was reported that dozens of outpatient services were canceled, a vaccine portal for Covid-19 was shut down, and the country has spent days trying to bring its healthcare IT systems back online. This led several prominent Irish politicians to issue statements, including Irish Foreign Minister Simon Coveney, who referred to the attack as a “very serious attack.” Irish Minister of State Ossian Smyth said it was “possibly the most significant cybercrime attack on the Irish State.”
In response to the attack, the government brought in the assistance of Europol.
Further, the government, in a statement to the public, said,
“The government is adopting a determined and methodical approach to resolving the impact of this attack. All necessary resources and personnel are engaged in support of the HSE. The response to the attack is being led by the National Cyber Security Centre, working in very close collaboration with the HSE, the government’s Chief Information Officer and a specialist cyber security contractor. In addition, a number of private sector cyber security experts have volunteered their support in recent days…These ransomware attacks are despicable crimes, most especially when they target critical health infrastructure and sensitive patient data.
The significant disruption to health services is to be condemned, especially at this time. Any public release by the criminals behind this attack of any stolen patient data is equally and utterly contemptible. There is a risk that the medical and other data of patients will be abused. Anyone who is affected is urged to contact the HSE and the Garda authorities.”
The Financial Times reported that the attackers demanded 20 million USD to restore the encrypted data. The Irish Government and the affected healthcare organizations adopted a no-pay policy and have seemingly stuck to their guns. This is possibly an indication that the organizations impacted had a comprehensive backup solution from which data could be restored.
However, the hackers noted that they had stolen 700GB worth of data from the healthcare services impacted. The data is believed to include patients’ home addresses and telephone numbers, as well as staff employment contracts, payroll data, and financial statements.
Ransomware Gang Releases Free Decryptor
On May 20, Bleeping Computer reported that the Conti gang had released a free decryptor to the healthcare organizations. It is hard to say whether the decryptor was released as some kind of apology, as the gang was still demanding nearly 20 million USD to stop the release of sensitive data stolen before encryption. The gang's Tor site posted a statement saying,
“We are providing the decryption tool for your network for free. But you should understand that we will sell or publish a lot of private data if you will not connect us and try to resolve the situation,”
With that statement in mind, suggesting that the gang is remorseful for their actions would be a stretch of the imagination. Seemingly in response to this, the Irish Courts have issued an injunction against the Conti Ransomware gang, demanding that stolen HSE data be returned and not sold or published. The order actively looks to prevent the gang from publishing, selling, or sharing any of the stolen data with the public.
The gang can ignore the court order; however, doing so carries significant risk, including further charges being laid against the gang and its associates. This would not be the first time the Irish courts have been approached to make such an order. Southwire is an ISP that was impacted by the Maze ransomware gang. The company approached the courts to help prevent the publishing of stolen data. The court filings read,
“This is a civil action for injunctive relief and damages against Defendant arising under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, and the common law of trespass to chattels. As further alleged below, Defendant wrongfully accessed Southwire’s computer systems and extracted Southwire’s confidential business information and other sensitive information from the computer systems. Defendant then demanded several million dollars to keep the information private, but after Southwire refused Defendant’s extortion, Defendant wrongfully posted part of Southwire’s confidential information on a publicly-accessible website that Defendant controls.”
At the time there were questions as to how effective such orders can be. Rather pragmatically, attorneys reasoned that impacted organizations could then reclaim money if the government managed to recover funds. The order would also assist victims in closing down sites and servers in countries that have agreements with the host nation or are signatories to specific international laws.
New Zealand and Canada Navigating Similar Crises
In New Zealand, hospital IT systems and services had to be taken offline following a cybersecurity incident. Clinical services at hospitals in Waikato, Thames, Tokoroa, Te Kuiti, and Taumarunui have all been affected by the attack. Even the landline phone services are down, and the government has said some outpatient appointments may need to be canceled. More than 30 elective surgeries were canceled in recent days due to the outage.
In addition, the Canadian insurer Guard.me, one of the world's largest insurance carriers, is still dealing with a downed website after what it described as "suspicious activity" directed at the guard.me website. The site is still down, with a lengthy message explaining that the company took down its website as a cautionary measure. The insurer issued a letter admitting that the “suspicious activity” it caught was actually someone gaining access to a database that contained the dates of birth, genders, phone numbers, email addresses, mailing addresses, and passwords of students.
For anyone who thought after the SolarWinds incident that ransomware and other threats such as data breaches would disappear into the shadows to let state-sponsored groups take all the limelight, recent events prove such a view wrong. The truth is that experts in the field never expected such a reality to come about. Cybercriminals, whether state-sponsored or financially motivated, do not operate to timetables or gentlemen’s agreements as to where and when they will strike. Continued attacks against stretched healthcare services prove this.