Ransomware: 'We won't pay ransom,' says Ireland after attack on health service

Ireland's health services are still recovering from a ransomware attack, but hackers shouldn't expect their demands to be met.
Written by Daphne Leprince-Ringuet, Contributor

Ireland's Health Service Executive (HSE) has ruled out giving in to hackers' demands as the country's healthcare and social services continue to deal with the disruption caused by a significant ransomware attack that occurred a few days ago.  

The HSE has now confirmed that a ransom has been sought by the attackers, although the exact amount is yet to be clarified. "Following an initial assessment we know this is a variant of the Conti virus that our security providers had not seen before. A ransom has been sought and won't be paid in line with state policy," the HSE said.

Last week, the organization was targeted by a cyber-attack on its IT systems, which was described by government officials as possibly the 'most significant' case of cybercrime against the Irish State. Irish Taoiseach (Prime Minister) Micheál Martin also ruled out paying the gang, saying "We're very clear we will not be paying any ransom or engaging in any of that sort of stuff," according to broadcaster RTE.

The attack took the form of ransomware, which occurs when cyber criminals use a form of malware to encrypt networks, then demand payment in exchange for the decryption key. 

In response, the HSE immediately shut down all of its computer systems – a precautionary measure to protect the organization's networks from further attack. 

This has inevitably affected the delivery of key services across the country. In its latest update, the HSE said that patients should expect cancellations of outpatient services, with x-ray appointments and laboratory services, in particular, to remain severely affected.   

Patients will also see delays in getting their COVID-19 test results, and contact-tracing, while still operating as normal, will take longer than usual. 

COVID-19 vaccination appointments are going ahead as normal, maintained the health services, encouraging those booked in for a jab to attend their appointment as planned.  

Emergency departments, sexual assault treatment units and the national ambulance service are still operating.  

The impact of the attack varies across hospital and community services nationwide, with teams on the ground working to re-deploy staff and re-schedule procedures and appointments as needed, said the HSE.   

The organization has been working with the National Cyber Security Centre (NCSC) and third-party cybersecurity experts like McAfee to investigate the incident. The attack was identified as a human-operated ransomware variant known as "Conti", which has been on the rise in recent months.

Conti operates on the basis of "double extortion" attacks, which means that attackers threaten to release information stolen from the victims if they refuse to pay the ransom. The idea is to push the threat of data exposure to further blackmail victims into meeting hackers' demands. 

"We are dealing with this in accordance with the advice we received from cybersecurity experts and I think we're very clear we will not be paying any ransom," Micheál Martin, the prime minister of Ireland, said during a news briefing. "So the work continues by the experts." 

Instead, the NCSC has recommended a remediation strategy that involves containing the attack by isolating the systems that were hacked, before wiping, rebuilding and updating all the infected devices. The HSE should then ensure that antivirus is up to date on all systems, before using offsite backups to restore systems safely.

The HSE has confirmed that it is in the process of assessing up to 2,000 patient-facing IT systems, which each include multiple servers and devices, to enable recovery in a controlled way. There are 80,000 HSE devices to be checked before they can be brought back online.  

Priority is given to key patient care systems, including diagnostic imaging, laboratory systems and radiation oncology, and some systems have already been recovered. 

"Some progress has been made on getting servers cleaned, restored and back online. This is in line with the pace we had anticipated, and is a stepped, methodical process, to mitigate the risk of re-infection. We are also looking at interim solutions to get some servers back online in a proven safe way," said the HSE. 

But while it is clear that data on some servers has been encrypted, the organization conceded that the full extent of the issue is unknown at this point. 

Earlier this year, Conti claimed responsibility for an attack against the Scottish Environment Protection Agency (SEPA), during which 1.2GB of data was stolen. Thousands of stolen files were published after the organization refused to pay the ransom. 

The latest attack against Ireland's HSE comes only days after one of the largest pipeline operators in the US paid close to $5 million to a ransomware group that had encrypted key systems, which forced the fuel giant to temporarily close down its IT operations and hugely affected supplies across the country. 
