The most significant cyberattack committed on an Irish state agency in history.
In May 2021, a major ransomware attack forced the health care system of Ireland off its tracks.
The Health Service Executive (HSE) is the publicly funded healthcare system in the Republic of Ireland, and the cyberattack affected almost every part of its system, already worn down by more than a year of fighting the pandemic. Hospital appointments were badly affected and were cancelled across the whole country, including all outpatient and radiology services. In most cases, electronic systems and records were no longer accessible, so health care professionals had to rely on paper records instead, BBC News reported.
Significant disruption was seen in almost all hospital routines. The cancelled appointments were often for scans, diagnoses and other important checkups. Anne O'Connor, Chief Operations Officer of the HSE, said in relation to the incident that some cancer and stroke services had been affected. The BBC interviewed some of the affected cancer patients, and one woman said the following:
“I got a call at lunchtime and was told that my radiation wouldn’t be going ahead because of the cyber-attack. For the space of time when my radiation was paused, there was huge worry”
The government refused to pay the criminals
The Irish government received a ransom demand of $25m to be paid in order to restore the system, but prime minister Micheál Martin rapidly responded, “We are very clear, we will not be paying any ransom or engaging in any of that sort of stuff”, according to RTÉ News.
The cybercriminals first waited for the government to change its mind, but when nothing changed they offered the HSE a decryption tool for free. Meanwhile, they kept threatening to publish the data, posting the following message on the dark web and demanding that the government cooperate with them:
“But you should understand that we will sell or publish a lot of private data if you will not connect us and try to resolve the situation”
It is still unclear why the decryption tool was given, but the Irish government said that the tool got the healthcare system back to normal sooner than rebuilding it from scratch would have, the BBC reported.
According to The Irish Times, the group responsible for the attack was identified as Wizard Spider, which uses Conti ransomware as its primary tool and is believed to be operating from Saint Petersburg in Russia. The National Cyber Security Centre reported that the penetration testing tool Cobalt Strike was used to move through and infect the HSE, to run executable files and to deploy the variant of ransomware that was used. Cobalt Strike allowed the systems to be controlled and the software to be deployed remotely.
A slow recovery
The ransom was never paid, and even though a decryption tool was offered and used, the HSE still felt the direct and indirect effects of the attack three months after it began. A section of the HSE’s website remained devoted to giving updates on the status of services affected by the attack, and many emergency departments were still busy trying to recover. Radiology continued to be badly affected, X-ray appointments remained cancelled, and staff still could not access their own emails. Only in September 2021 was it announced that all systems had finally recovered, according to BBC News.