Conti ransomware gang appears to be behind Ireland's Health Service Executive (HSE) ransomware attack, according to reports. HSE, a $25 billion public health system, shut down its IT systems to protect the service from further damage, switching to a paper-based system. Though life-saving equipment and COVID-19 vaccine programs were still operating, several healthcare practices across Ireland were forced to cancel low priority appointments.

The Irish National Cyber Security Centre (NCSC), along with the HSE and partners, is leading on triage and investigation, and has activated its incident and crisis response procedures, providing ongoing support to the HSE. NCSC said it had detected suspicious activity on the network of the Department of Health (DoH), but was able to stop the attack before the ransomware executives. Leaders at the NCSC believe this attempted attack was part of the same campaign that affected HSE.

Initial reports indicate a human-operated Conti ransomware attack severely disabled a number of systems, the NCSC said. "Cobalt Strike beacons discovered on systems suggest that it was used to move laterally within the environment prior to executing the Conti ransomware payload," the agency said in a statement. 

The Conti ransomware operation first appeared in May 2020 and has become increasingly sophisticated since then, according to Cybereason. The group uses phishing attacks to install the Bazar backdoor malware that connects the victim's device to Conti's command-and-control server. Conti then attacks, encrypting data on the infected machine, then using a double-extortion technique, beginning with a demand for a ransom in exchange for a decryption link, according to WAMS

Recently, a cybersecurity researcher shared a screenshot of a chat between Conti and Ireland's HSE with BleepingComputer. In the screenshot, the Conti gang claims to have had access to the HSE network for two weeks. During this time, they claim to have stolen 700 GB of unencrypted files from the HSE, including patient info and employee info, contracts, financial statements, payroll, and more. Conti also said that they would provide a decryptor and delete the stolen data if a ransom of $19,999,000 is paid to the threat actors.

However, the Primer Minister of Ireland, Taoiseach Micheál Martin, said they refuse to pay the $20 million ransom demand to the Conti ransomware gang.
Tim Wade, Technical Director, CTO Team at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyberattackers, says, "Ransomware in the healthcare sector is more evidence of the merging of physical and digital life. This is no longer simply a technology problem, it’s a social problem that will increasingly impact and diminish the quality of life and care that individuals depend on.  The longer this goes undealt with, the more common we’ll expect to hear these cautionary tales – let’s hope they spur action, not numb indifference."

Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile security solutions, explains that while there’s no silver bullet to protecting your organization against these attacks," implementing a Zero Trust approach and continuously monitoring the identity and risk posture of any device or user that wants to consnect to your infrastructure is a good place to start. Implement granular and dynamic access controls to mitigate the risks of compromised devices or accounts sneaking into your infrastructure and having access to everything. You need to isolate application access from network access to prevent threat actors from getting into your infrastructure and moving laterally. Web-enable your on-premise apps and extend the same strong authentication security benefits associated with SaaS apps and web services to IaaS and private applications. Continuously assess risk of employees and their mobile devices."

Schless adds, "Mobile has now become a primary way employees are staying productive. By proactively securing these devices you mitigate the risk of credentials being phished across both personal and work channels. "