Unpicking the Irish Healthcare Ransomware Attack

It was described as the most significant attack ever to hit the Irish government. Earlier this year, cybercriminals targeted the Irish healthcare system with a ransomware attack that crippled systems and risked data belonging to millions of patients. It was the latest in a long line of similar attacks and reiterated the vulnerability of healthcare systems. However, on this occasion, it did come with an unexpected twist. With systems down, the hackers popped up with a solution giving the government access to their operating systems again. However, they retained the threat of exposing the data.

So, what does this attack tell us about the state of ransomware in 2021 and what lessons should IT departments learn?

The rise of cybercrime

Ransomware is one of the fastest-growing forms of cybercrime in the world, but the pandemic infused it with new momentum. In 2020 the number of ransomware attacks increased by 485% and accounted for nearly a quarter of all cyberattacks.[1] In 2021, the average cost of ransomware attacks has more than doubled to almost $2mn.[2]

As the name implies, attackers effectively hold their victims to ransom by either:

1.       Denying service: Locking users out of their systems, making it impossible to continue operations.

2.       Naming and shaming: Attackers will blackmail targets by threatening to publish their online information. Blackmail is particularly potent against organizations that process large quantities of sensitive personal information.

The health sector is a frequent target, even more so over the past year. According to a Sophos ransomware report, 34% of health organizations had experienced some form of ransomware attack during the pandemic. Of those who had not yet been targeted, 41% feel it’s only a matter of time, and 55% now believe ransomware attacks are too sophisticated to stop.[3]

That sense of fatalism creates a dangerous impression of a sector that, in many cases, has thrown in the towel on cybercrime. An attack is coming, they assume, and they can do nothing to stop it.

These doom-mongers are right about one thing: attacks are coming, thick and fast. The health sector represents ransomware’s ideal target. It depends on access to data and processes vast quantities of sensitive patient details. The recent outcry over the sharing of National Health Service (NHS) data is specifically down to the fear of the immense damage done if that information were to be breached.

Worse still for healthcare providers, cybercriminals see them as ripe targets. The health sector is a large and complicated beast. It encompasses multiple departments, each of which has its own systems. As a result, maintaining effective and consistent cybersecurity defenses is almost impossible.

The Irish attack

The attack against the Irish healthcare systems is one of the biggest ever to target the government there. On May 14th, staff arriving at hospitals across Ireland found their screens had gone dark. A massive ransomware attack had crippled the Health Service Executive (HSE) systems forcing the cancellation of appointments and forcing staff to keep patient records on paper. But, more importantly, it blocked access to patient records, compromising care quality and putting lives at risk.

The attack began in the early hours of May 14th and targeted the systems of Ireland’s HSE. However, what made it especially concerning was the hackers’ claim that they had been in the system for weeks and had harvested around 700GB of data.

In a letter, hackers demanded $20mn to restore services. If this was not paid, they said, not only would access be denied, but they would publish the data on the dark web.

This was, therefore, a double-pronged attack. First, hackers used the critical nature of operations to block access to medical operations and cause chaos forcing health services to choose between paying a ransom and patients’ lives. Second, they also used the sensitive nature of patient information to threaten its exposure if the Irish government did not meet demands.

Here at least, though, the attack is different than many of the others. Unusually for cybercriminals, the hackers gave the health service a decryption key to give them access to systems once more. The government revealed it was testing the key and stated HSE would pay no ransom.[4]

Origin of the attack

The attack is the latest in a series of attacks against public infrastructure around the world. It follows hot on the heels of the attack on the Colonial pipeline in the US, which prompted President Joe Biden to sign an executive order designed to strengthen the US government’s resilience against cyber-attacks.

Investigations revealed it to be the work of the Conti crime syndicate, also known as Wizard Spider. This is human-led hands-on keyboard ransomware that encrypts data and spreads across a system exceptionally quickly. The criminals were thought to have been in the IT system for weeks previously and had encrypted a massive volume of data, including personally identifiable data of doctors, nurses, and patients.

Conti had previously turned over the retailer Fat Face, which paid out a ransom of $2mn to restore its data. Amongst the information that was stolen were bank details and the national insurance numbers of customers. Hackers had initially demanded a ransom of $8mn in Bitcoin but had been negotiated down after the chain pointed out its sales had slumped 75% thanks to the pandemic. 

Others have refused to pay the ransom and have suffered the consequences. Conti has already published stolen data from around 180 victims so far via its Conti News site. Experts have revealed that the software used has undergone extensive development over the past year and shares similarities with other ransomware families used against health services such as Ryuk.

Response and fall out

In the wake of the attack, the Irish Government revealed that the data had been compromised. The National Cyber Security Center activated its response and said it also identified suspicious activity on the network of the Department of Health. However, they had been able to stop it before systems were compromised.

The HSE has also obtained a High Court order preventing the hackers or any other organization from disclosing the data. The order also applies to social media platforms such as Twitter, Google, and Facebook, limiting the hackers’ option in spreading the data.

The government has also set up a helpline for anyone who is approached and told their health details will be published online as a result of the attack.

In general, the Irish public is said to have been supportive of the government’s handling of the situation, including their decision not to pay a ransom. However, the attack does highlight the vulnerability of the health services systems to attack.

According to reports, one of the main reasons for the attack was the weakness of the HSE’s IT infrastructure. They are thought to have been running an old, outdated version of Windows which did not possess the latest security updates.

As such, the HSE lay open to accusations that they failed to secure their systems properly. It also raises the possibility that it may face legal action from people whose data is exposed and substantial fines under the terms of the General Data Protection Regulation (GDPR) for failing to safeguard the data of individuals adequately.

Lessons to be learned

This should be one of the critical lessons learned by the Irish government and any other organization involved in the processing of personal data. Attacks are on the rise. Ransomware is surging both in volume and in the sophistication of attacks. Those who have studied previous attacks by Conti say it has developed considerably.  

That in itself should be a clear reminder to companies and individuals to ensure all operating systems are up to date. Software developers are constantly updating their products to protect against the latest threats. Failing to install these updates leaves systems open to attack.

In the HSE case, which appears to have been using an outdated version of Windows, such an attack does indeed become almost inevitable.

Outdated software is one of the biggest and commonly ignored vulnerabilities. Even now, countless people and organizations are at risk of attack as they use an outdated Zoom version. The popular video conferencing software has updated its software to plug vulnerabilities; however, many companies and people are still using outdated software versions.

The health sector faces another major challenge in updating IT provisions across the board. Health services have found it notoriously difficult to adopt digital innovation, especially when it comes to cybersecurity. A massive system in which different parts use different operating systems makes it difficult to impose a comprehensive security strategy from one part to another.

In developing a more secure infrastructure, health services need to find ways to reduce variation and ensure a consistent approach to security across the entire landscape.

In doing so, they have to cope with a challenge every business faces: human error. Unfortunately, this continues to be the most common form of attack. The group behind Conti has regularly used phishing campaigns to get behind defenses and exploit weaknesses in software and hardware.

While organizations can update their defenses, they are still vulnerable to individuals mistakenly downloading software onto the system. If the attack is sufficiently sophisticated, it may even go undetected at the point of download. By focusing on employee education and building a clear set of protocols around the treatment of emails, organizations can reduce — if not eliminate — the human element of their vulnerabilities.

Safeguarding against future attacks

This attack goes down not just as one of the most significant against a government organization but also as a snapshot of ransomware’s main challenges. The pandemic has seen a surge in attacks. Health services are right in the attackers’ crosshairs, but as the response from the Irish HSE shows, many are leaving the door wide open to attackers.

In part, this stems from complacency or a desire to save money by using outdated operating systems. However, as the State of Ransomware survey showed at the beginning of this report, it also stems from a fatalistic sense of resignation. Health services are resigned to the inevitability of an attack and have been slow to upgrade their defenses, viewing it as an unavoidable part of doing business.

The Irish attack shows this needn’t be the case. Instead, the attackers exploited key gaps in the HSE’s defenses which, if plugged, may well have eliminated the threat at the source.

Sources:

1. Fitchratings.com: Ransomware Attacks a Growing Global Security and Financial Threat.
2. Itpro.co.uk: Average ransomware costs have more than doubled in 2021
3. Secure2sophos.com: Ransomware Report: Sophos State of Ransomware Report 2022
4. Hstoday.us: Hackers Bail Out Irish Health Service for Free 

‍