A surprising turnaround in the Irish cyber extortion case: the attackers on the HSE health administration handed over the tool to the government in Dublin with which data encrypted during the attack can be restored. A ransom was not paid for this, said Ireland’s Minister of Health Stephen Donnelly to the Irish broadcaster RTE. The government had not acted directly to accommodate the blackmailers, nor had a deal been made “through a third party or otherwise”. There will be no future ransom either.
“A lot of private data” is to be published
The cybercrime gang Conti, blamed for the “catastrophic hack”, is demanding a ransom of 20 million US dollars, according to previously unconfirmed chat logs circulating on the Internet. On their darknet page the perpetrators announced to the HSEthat “we provide the decryption tool for your network free of charge”. At the same time, they continued to threaten: “But you should understand that if you don’t contact us and try to resolve the situation, we will sell or publish a lot of private data.”
It is unclear why the attackers made the decryption solution available free of charge, said Donnelly. According to current knowledge, the attack on the HSE and a parallel, albeit unsuccessful, attack on the Irish Ministry of Health bear the signature of the Russian cybercrime group “Wizard Spider”.
Other online extortion gangs located in Russia such as DarkSide and REvil declared after the cyber attack on the operator of the Colonial Pipeline in the USA last week that they would no longer attack any organizations in the “social sector” such as health and educational institutions and generally no more public administration infrastructures in a country to want. US President Joe Biden had previously threatened “decisive steps” against the ransomware networks involved.
Irish Prime Minister Micheál Martin welcomed the release of the software needed for data decryption on Friday. But there is still an enormous amount of work to be done to get the largely shutdown health system up and running again. The risk that potentially tapped sensitive patient data would be published continues to exist, admitted the Taoiseach (Irish Prime Minister). He pointed out, however, that the HSE had obtained an injunction from the country’s highest court, the High Court: This would make it a criminal offense to publish data illegally obtained or stolen from the health administration.
The main purpose of the court order is to inform internet companies with upload platforms such as Google, Facebook and Twitter of the legal prohibition on passing on and publishing relevant information. Martin praised the previous cooperation with social media companies around the attack and their willingness to delete “accidentally” published data from HSE systems immediately. Compared to Darknet forums, however, the ruling is likely to be largely ineffective, as their operators can hardly be grasped.
HSE boss Paul Reid underlined on Twitter that the IT systems of the health administration could not simply be switched on again with one click, even with the activation codes. After the backups have been imported, they continue to work on “safely restoring” services and databases. The authority is checking what specific effects the decryption software has. He reckons that the consequences of the attack will be felt for a few more weeks.
16 minutes to compromise the network
In the USA, the FBI warned against Conti in parallel. It has already identified at least 16 attacks with the encryption Trojan, which targeted networks in the healthcare sector and the blue-light authorities. The blackmailers attacked more than 400 organizations worldwide, including over 290 in the United States. According to the police, the gang’s recent ransom demands alone amounted to up to $ 25 million.
Experts from the IT security company Sophos recently described a Conti attack they pursued as very quick and potentially devastating. The forensic analysis showed that “the attackers exploited holes in the firewall to compromise the network and gain access to the domain administration data in just 16 minutes.” Then “Cobalt Strike Agents” would be used on the Windows servers, which should form the backbone of the ransomware attack. The special thing about it is that the cyber criminals controlled everything themselves and did not rely on an automated routine.