HSE refuses to pay $20 million ransom to Conti

May 19, 2021 12:25 GMT  ·  By

The Conti ransomware group is responsible for the ransomware attack on Ireland's Health Service Executive (HSE).

HSE, a $25 billion public health system, shut down its IT systems and moved to paper-based processes to protect the organisation from further damage.

Even though life-saving equipment and COVID-19 vaccine services remained operational, many healthcare practices across Ireland were forced to cancel low-priority appointments.

Over the course of two weeks, the Conti ransomware gang claims to have stolen 700 GB of confidential data from the HSE. Patient records, contracts, financial statements, and payroll information are among the stolen data.

The Irish National Cyber Security Centre (NCSC), in collaboration with the HSE and other agencies, oversees triage and investigation and has triggered its incident and crisis management protocols, offering ongoing assistance to the HSE.

NCSC managed to stop the attack

The NCSC reported that it detected suspicious activity on the Department of Health's (DoH) network and was able to stop the attack before the ransomware executed. The NCSC's leaders state that the failed attack was part of the same campaign that targeted HSE.

According to the NCSC, "Cobalt Strike beacons discovered on systems suggest that it was used to move laterally within the environment prior to executing the Conti ransomware payload".

HSE refuses to pay the ransom requested by the ransomware gang

As reported by BleepingComputer, “Yesterday, a cybersecurity researcher shared a screenshot of a chat between Conti and Ireland’s HSE with BleepingComputer”.

“Conti further stated that they would provide a decryptor and delete the stolen data if a ransom of $19,999,000 is paid to the threat actors”.

What is Conti ransomware?

According to Cybereason, the Conti ransomware operation was first seen in May 2020 and has become more sophisticated over time. The group uses phishing campaigns to distribute the Bazar backdoor, which connects the victim's computer to Conti's command-and-control server. Conti then deploys the ransomware, encrypting data on the infected computer.

The attack does not stop there: Conti then moves to double extortion, beginning with a ransom demand in return for a decryptor, according to WAMS.