The United States Department of Health and Human Services recently released a threat briefing outlining the serious situation and serious mistakes made during the account ransomware attack on the Health Service Executive (HSE) in Ireland in 2021 and calling on all healthcare facilities to check if there were similar problems.
This attack resulted in a serious paralysis of the health service in Ireland. Thousands of Irish people’s immunization data (including a large amount of protected personal health data) were also stolen by the attacker from the HSE network, with a total data volume of approximately 700 GB.
In June 2021, the Irish Health Service commissioned PwC to conduct an independent post-event review. The US Department of Health and Human Services briefing was based on the report of that review. The review found that the reason for the huge negative impact of the attack on HSE IT was primarily due to the Department’s own lack of preparedness for such emergencies.
The U.S. Department of Health and Human Services mentioned in the briefing: “During the incident, HSE did not have a person responsible for network security, either at the senior or middle management level. HSE also did not have a dedicated committee to lead and oversee network security work and begin organizing specific actions to mitigate HSE network risks.”
“HSE also lacks cyber security discussion groups, making it difficult for them to have fine-grained cyber security discussions and records, as well as the ability to identify and monitor remedial actions. HSE simply does not have the centralized cybersecurity function necessary to manage and control cybersecurity risks.”
More importantly, HSE has not deployed security monitoring solutions to investigate and respond to security threats discovered in its IT environment.
For the above reasons, HSE is unable to respond to the malicious actions of the Conti ransomware gang.
Indeed, this wave of offensiveness is blatant. As early as 7 May 2021, a Cobalt Strike Beacon deployed on several HSE servers was detected by the endpoint antivirus solution, but the alert was ignored.
The U.S. Department of Health and Human Services also mentioned that “HSE management reported that 80% of IT ‘s infrastructure was extorted and encrypted by software in this attack.”
“ransomware attacks had a serious impact on communications. Since HSE previously used the local mail system (including Exchange) almost exclusively, communications cannot be used at all after encryption.”
Fortunately, the Conti ransomware is effective. Gang provided HSE with a free decryptor capable of restoring the system but warned that if HSE did not pay a $20 million ransom, the stolen data would be sold or publicly released.
Conti ransomware “We will provide network decryption tools for free,” Gang stated on the negotiation’s chat page, “but we need to clarify that if you fail to contact us and try to solve the problem, we will sell or publicly publish a large amount of private data.”
“HSE has indeed obtained the encryption key,” the Irish Ministry of Health stated at the time, “but it needs to conduct a security assessment and investigation on the key before it can be used on the HSE system.”
The HSE recovery work took over four months and cost more than 600 million US dollars. Special recovery funds totaling $120 million are primarily used to replace and upgrade all systems infected with blackmail software.
The blackmail software attack was the first time that network events impacted the country’s overall health services, and it was also one of the events with the longest interruption cycle directly caused by malicious attackers. In contrast, the Wannacry attack that swept the world in 2017 only affected a portion of the UK’s national health services.
Despite the fact that the attack paralyzed Ireland’s healthcare system, Irish Prime Minister Taoiseach Michel รก l Martin stated that the HSE would never pay a ransom.
A sample archive of stolen HSE files containing patient data was quickly uploaded to the VirusTotal malware scanning site shortly after the attack.
The Irish court then ordered VirusTotal to provide information on subscribers who had downloaded or uploaded this batch of confidential Irish national health care data (including email address, telephone number, IP address, or real residential address).
According to the foreign media journal, the number of downloads of the HSE stolen data archived on VirusTotal as of May 25, 2021, was 23 before the data was deleted.
The most valuable asset of a business is its information, which is stored in the form of data on computers and in the cloud. To ensure the continued operation and success of enterprise businesses, all types of data must be protected. Human errors, hard disk damage, computer viruses, natural disasters, and other factors can all result in data loss and immeasurable losses for businesses. The main issue is determining how to achieve instant recovery or disaster recovery in order to get back to normal operation. At the moment, the most effective and widely used method is to create an effective backup.