Ireland's Health Service Executive (HSE) has been praised for its response after falling victim to a major ransomware attack and for not giving into cyber criminals and paying a ransom.
HSE was hit with Conti ransomware in May, significantly impacting frontline health services. The attackers initially demanded a ransom of $20 million in bitcoin for the decryption key to restore the network.
While the gang eventually handed over a decryption key without receiving a ransom, they still published stolen patient data – a common technique by ransomware attackers, designed to pressure victims into paying.
HSE's decision not to pay the ransom has been praised by the head of the UK's National Cyber Security Centre (NCSC), Lindy Cameron, especially as the attack had "crossed a line" by disrupting hospital appointments and health services across Ireland.
"I would like to praise the Irish response not to pay the ransom. Cyber criminals are out to make money – the more times a method is successful, the more times it will be used," she said in a speech to the Institute of International and European Affairs (IIEA), an Irish think tank.
The HSE ransomware attack happened around the same time as two other high-profile incidents – the Colonial Pipeline ransomware attack and the JBS ransomware attack. Unlike HSE, both of these organisations paid cyber criminals millions of dollars in bitcoin in exchange for the decryption key.
Colonial and JBS are far from alone in paying ransoms. But many in law enforcement argue that paying the ransom perpetuates the problem, and provides gangs with resources to launch even more ambitious attacks against other targets.
There's also no certainty that paying the ransom will even solve the problem, because it involves trusting that criminals will hold up their end of the bargain – they could easily just take the money and run, or return with an additional ransomware attack.
"Payment of ransoms is no guarantee that you will get your data back – and certainly no guarantee you won't be attacked again – in fact, advertising a willingness to pay makes someone a more interesting prospect," said Cameron.
"So it's important that we do all we can to ensure this is not a criminal model that yields returns. The government's strong action of refusing to pay will likely deter ransomware operators from further attacks on health sector organisations – in Ireland or elsewhere," she added.
Despite receiving the decryption key, restoring the network has been a long and arduous process for HSE and disruption to health services across Ireland is expected for months to come. The NCSC has been helping Ireland's defence forces in the aftermath of the incident, using experience from the WannaCry ransomware attack, which disrupted NHS networks across England.
"As you would expect from a close partner, we did all we could to support our partners in Ireland when the HSE attack took place. This included sharing as much relevant information as we could – both from a cybercrime and a law enforcement perspective," said Cameron.
"The global nature of the cyber threat means that our international partnerships are critical to countering and deterring malicious cyber actors who want to cause harm to the UK," she added.
MORE ON CYBERSECURITY
- Ransomware: How the NHS learned the lessons of WannaCry to protect hospitals from attack
- 9 tips to protect your organization against ransomware
- Ransomware is now a national security risk. This group thinks it knows how to defeat it
- FBI and European law enforcement shut down VPN used by ransomware groups
- This company was hit by ransomware. Here's what they did next, and why they didn't pay up