Conti ransomware, when cyber prevention protects (literally) your data
It was May last year when the Irish healthcare system was attacked by the most well-known and feared ransomware in the cyberthreat landscape: Conti.
It is the “human-operated” ransomware that has been breaking into corporate networks for more than a year. After stealing sensitive data and encrypting it, the perpetrators threaten to publish it on the “Conti News” website if the demanded ransom is not paid. This is more or less what happened in May 2021 to the healthcare system of one of the most advanced European countries. As a precaution, the agency shut down all of its IT systems “in order to protect them and allow us to fully assess the situation with security partners,” as it wrote in a press release. It was a real criminal operation orchestrated at the international level, a very sophisticated attack that affected all local and national systems.
So, a few days ago, the U.S. Department of Health and Human Services published a note that paints a grim picture of what happened. The healthcare system was literally overwhelmed. Clearly, the consequences were devastating for the health system and especially for citizens, even more so in the middle of the Covid-19 pandemic. The attack led to major disruptions to health services across Ireland as well as the theft of the information of thousands of Irish people, including protected health information.
The incident report, commissioned by the Irish HSE Council in June 2021, reveals that the impact of this attack on the IT environment was mainly caused by a lack of prevention.
From what emerges from the analysis of the incident, the HSE did not have a cybersecurity manager: “there were no IT security managers or managers at the time of the incident. There was no dedicated committee to provide direction and oversight of the activities needed to reduce cyber risk exposure.”
And that’s not all. “The HSE did not have a centralized cybersecurity function that managed cybersecurity risks and controls.”
To top it off, no security monitoring solutions had been implemented to help investigate and respond to security threats detected in the IT environment.
The digital bandits provided the Irish healthcare system with a free decryptor to restore the systems. Poor consolation. However, they made it clear that they would sell or publish the stolen data if the HSE did not pay a ransom of as much as $20 million. “We are providing the decryption tool for your network for free,” they wrote coldly in the chat, “but you should understand that we will sell or publish a lot of private data if you don’t try to resolve the situation.” In short, forewarned is forearmed. This is how the gang of criminals 2.0 operated.
But the government did not bow to blackmail, and although the incident led to widespread disruption in Irish health services, Taoiseach Micheál Martin, the Irish Prime Minister, said the HSE would not pay any ransom. The stolen files were then uploaded to VirusTotal. An Irish court subsequently ordered VirusTotal to provide any information about subscribers who downloaded or uploaded confidential data (including email addresses, phone numbers, IP addresses, or physical addresses) stolen from Ireland’s national health network.
This story leaves a bitter taste in the mouth because the stolen files were downloaded 23 times by VirusTotal subscribers before the service removed them on May 25, 2021. The moral of the story is that it would have taken very little to keep thousands of citizens safe: an effective prevention system and adequate professionals.