Ireland's nationalised health service has shut down its IT systems following a "human-operated" Conti ransomware attack, causing a Dublin hospital to cancel outpatient appointments.
The country's Health Service Executive closed its systems down as a precaution, according to the Irish public service broadcaster RTÉ, which reported that Dublin's Rotunda Hospital had cancelled appointments for outpatients – including many for pregnant women.
"The maternity hospital said all outpatient visits are cancelled - unless expectant mothers are 36 weeks pregnant or later," reported RTÉ, adding: "All gynaecology clinics are also cancelled today."
Ireland's National Maternity Hospital, also in Dublin, was similarly affected.
There is a significant ransomware attack on the HSE IT systems. We have taken the precaution of shutting down all our IT systems in order to protect them from this attack and to allow us to fully assess the situation with our own security partners. — HSE Ireland (@HSELive) May 14, 2021
Fergal Malone, chief of the Rotunda Hospital and a senior HSE bod, said: "There has been a significant ransomware attack on the HSE IT systems. They have taken the precaution of shutting down all their IT systems in order to protect them from this attack and to allow the HSE to fully assess the situation with their security partners. The HSE apologises for the inconvenience to patients and to the public."
Paul Reid, HSE chief exec, told Ireland's Newstalk FM radio station that the ransomware was "human-operated" and appeared to be the Conti strain:
Paul Reid says the major ransomware attack targeting the HSE is "quite sophisticated", while the COVID-19 vaccination programme isn't impacted as it's on a different system. @NTBreakfast — NewstalkFM (@NewstalkFM) May 14, 2021
"We have been the subject of a major ransomware attack… it's what's known as a Conti human-operated attack to get access to data," Reid told the radio station.
He added in a separate interview that the Irish Defence Forces' cybersecurity personnel were helping with the response. So far no ransom demand has been disclosed by the HSE and nothing related to HSE has appeared on Conti's Tor leaks blog.
Conti deployed by WizardSpider crew
Conti previously targeted the Scottish Environmental Protection Agency, though that January attack left the criminals empty-handed after SEPA wisely decided not to pay. The same criminals were behind the compromise of British clothing retailer Fatface, successfully stealing personal data and payment card details in the process.
William Thomas, a researcher from infosec firm Cyjax, told The Register: "Conti is a human-operated ransomware strain linked to a cybercriminal gang tracked by the private industry as WizardSpider. It has leaked the highest number of victims to its darknet wall of shame, at 339 by my count.
"Its connections to Ryuk ransomware are also significant as it has also gone after hospitals in the US and France. Conti's typical initial access vector is via malicious spam campaigns pushing BazarLoader or Trickbot; Cobalt Strike continues to be the ransomware operators' tool of choice."
Crowdstrike's summary of WizardSpider pegs the gang as being "Russia-based" and mostly "opportunistic" in its targeting. The criminals' activity was "sporadic during the first half of 2020" but increased after they began using Conti, with Crowdstrike saying: "Conti victims span multiple sectors and geographies, the vast majority of which are based in North America and Europe."
Sophos reckons the Conti malware deploys through the (ab)use of Cobalt Strike, with the company's detailed analysis highlighting that Conti's operators use the double-extortion ransomware business model: encrypt the target network after exfiltrating data and demand a ransom both for the decryption utility and to "prevent" publication of the data. Obviously nobody can guarantee that criminals stick to their promises.
Reg reader Pat speculated to us that the ransomware hadn't reached every part of the HSE's IT estate: "The HSE vaccination IT system seems to use Salesforce, from looking at the headers of my registration email, so maybe that's why news reports are saying that is unaffected."
Ransomware attacks on healthcare organisations have slowly become the norm. As the COVID-19 pandemic took hold worldwide in March 2020 a handful of prominent extortionist gangs promised not to attack hospitals and medical research institutes.
This lasted all of six months as criminal gangs, largely based in Russian-speaking countries, realised that healthcare organisations were more likely to pay ransoms immediately than other sectors that could cope without their IT systems for days or weeks at a time. ®