Double ransomware attack targets Irish healthcare system

Criminals have launched a ransomware attack against the Department of Health in Ireland, shortly after a similar cyberattack shut down much of the IT infrastructure at the Health Service Executive (HSE). 

The Irish government confirmed the latest attempt yesterday, two days after the HSE was hit by a new variant of the Conti ransomware virus – thought to be run by Russia-based criminal group Wizard Spider – that was able to evade its security protocols.

Police say that the intent seems to be to extort money, following the common modus operandi of encrypting files until a ransom is paid.

In this case, it has been reported on the Bleeping Computer website that the hackers are seeking $20 million in order to decrypt the data and delete some 700Gb of unencrypted files siphoned from HSE databases.

Sometimes hackers also threaten to leak data if the organisation doesn't pay up, and can even target individuals if sensitive data has been exposed.

The HSE refused to pay any ransom "in line with state policy", and it seems likely that the second attack has been carried out by the same criminal gang in an attempt to ratchet up pressure.

Security experts have recorded a dramatic increase in extortion attacks on the healthcare sector since the start of the pandemic – a 580% increase according to a recent report from CrowdStrike – as criminals hope that overstretched services will be more likely to pay up in desperation.

The HSE said late last week it had shut down IT services as a precaution, and was seeing severe disruption to X-ray appointments although it said most others – including COVID-19 vaccinations – were going ahead as planned. The Health Department has also shut down some IT systems.

CrowdStrike said in March it had recorded 97 ransomware attacks on health organisations in 2020 out of a total of 1,430 incidents, placing it among the top five most targeted sectors.

That occurred even though some notorious groups that target bigger, more secure targets like government departments – known as Big Game Hunters – had pledged not to target medical organisations during the crisis.

Another report issued by security specialist Check Point last month found that healthcare is now the most targeted sector, with an average of 109 attack attempts per organisation every week; utilities were the next worst affected, with 59 per week.

The Department of Health wasn't able to release its daily update on COVID-19 cases on Saturday, and confirmed in a tweet that this was a result of the HSE attack.

"This attempted attack remains under investigation, however there are indications that this was a ransomware attack similar to that which has affected the HSE," said the Irish government in a statement.

"As the investigations into both incidents are ongoing, it is not possible to make further comment on the nature of these attacks at this time."