How Ransomware Cost Ireland’s HSE $600 Million

January 10, 2022

In the spring of 2021, Ireland’s public health system was targeted with a ransomware attack that resulted in widespread disruptions to patient care and hundreds of millions in costs. In a scathing post-mortem report, consulting firm PricewaterhouseCoopers found that the intrusion went undetected for two months before the threat actors dropped the ransomware payload. This blog explores the factors that led to this attack and what steps can be taken to ensure this type of threat will not affect your organization.

Overview of the attack

In May 2021, Ireland’s Health Service Executive (HSE), the republic’s publicly-funded health system operator, was hit with a Conti ransomware attack. The hackers – identified as a Russian criminal gang known as Wizard Spider – encrypted HSE servers and shut down local and national networks, resulting in significant disruption of healthcare services. The hackers demanded a $19 million ransom in exchange for providing the decryption keys for the servers but ultimately gave the keys to HSE without requiring payment. Decrypting, restoring, and fortifying its systems took HSE months of work and approximately $600 million. The malware attack on the HSE has been labeled as the most significant cyberattack in Ireland’s history.

Timeline of the malware attack

On March 18, 2021, an unsuspecting HSE employee opened a phishing email and clicked on a malicious Microsoft Excel document. This innocent action allowed the hackers to open a backdoor connection to the HSE’s network and use a remote access tool to move laterally within HSE’s environment. Evidence showed that personal information of patients and HSE staff was accessed in the attack, and some data was shared on the dark web. The hackers’ intrusion remained undetected for eight weeks before they dropped the Conti ransomware on May 14, 2021. According to PwC’s report, HSE’s IT administrators failed to respond to multiple warning signs about a network intrusion that indicated an imminent attack.

After the hack, HSE shut down its systems throughout Ireland to prevent the malware from spreading further, forcing facilities to revert to paper-based processes and causing widespread delays and service disruptions. HSE refused to pay the ransom and instead turned to Ireland’s National Cyber Security Center for assistance. While Conti ultimately provided the decryption keys without receiving the ransom they initially demanded, HSE still took until September 21, 2021 to finish decrypting its servers.

Figure: PwC’s timeline of the days leading up to the deployment of Conti ransomware on May 14.

Impact of this new threat 

The increased digital accessibility of health records in recent years has come with a risk: increased exposure to cyber-attacks. According to Healthcare IT News, more than 40 million patient records were breached in the first 11 months of 2021. Phishing attacks are the weapon of choice for these threat actors, as they recognize that most healthcare networks are fortified against direct cyberattacks. Instead of attempting a direct breach, they target users, hoping that human error will open the door to their malware, as happened with the malicious Excel document that resulted in HSE’s ransomware attack. Unfortunately, their efforts often bear fruit.

Votiro mitigates the risks of malicious documents 

To avoid being compromised as a result of a cyberattack, healthcare organizations – and any other organizations – must protect themselves against weaponized files. The only way to ensure a file is truly safe while maintaining its accessibility is by deconstructing it, removing any malicious or suspicious elements that do not match the format’s set policies or standards, and reconstructing the neutralized file for full functionality – all within the rapid pace of the business workflow.
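To make the deconstruct, filter, and reconstruct steps concrete, here is an added example (not Votiro’s code and not from the original post) that rebuilds an Excel OOXML package from an allowlist of parts, so a macro project, an embedded OLE object and an external link are never copied into the output. The allowlist, the function names `disarm` and `constructed_sample`, and the sample package are assumptions made for illustration.

```python
import io, posixpath, re, zipfile
import xml.etree.ElementTree as ET  # production code should parse with defusedxml

# Assumed, deliberately minimal policy: the only parts a plain workbook may contain.
ALLOWED = re.compile(r"(\[Content_Types\]\.xml|_rels/\.rels|xl/_rels/workbook\.xml\.rels"
                     r"|xl/(workbook|styles|sharedStrings)\.xml|xl/worksheets/sheet\d+\.xml)")
CT = "http://schemas.openxmlformats.org/package/2006/content-types"
REL = "http://schemas.openxmlformats.org/package/2006/relationships"

def _prune(xml_bytes, tag, doomed):  # re-serialize without the children doomed() selects
    root = ET.fromstring(xml_bytes)
    for el in [e for e in root if e.tag == tag and doomed(e)]:
        root.remove(el)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)

def disarm(data: bytes) -> bytes:
    """Rebuild the package from allowlisted parts only; nothing else is copied."""
    src = zipfile.ZipFile(io.BytesIO(data))
    keep = {n for n in src.namelist() if ALLOWED.fullmatch(n)}
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in sorted(keep):
            body = src.read(name)
            if name == "[Content_Types].xml":  # drop declarations of removed parts
                body = _prune(body, "{%s}Override" % CT,
                              lambda e: e.get("PartName", "").lstrip("/") not in keep)
            elif name.endswith(".rels"):  # drop links to removed parts and external targets
                base = posixpath.dirname(posixpath.dirname(name))  # dir of the source part
                def dangling(e):
                    t = posixpath.normpath(posixpath.join(base, e.get("Target", "")))
                    return e.get("TargetMode") == "External" or t.lstrip("/") not in keep
                body = _prune(body, "{%s}Relationship" % REL, dangling)
            dst.writestr(name, body)
    return out.getvalue()

def constructed_sample() -> bytes:
    """Constructed input: one sheet plus a VBA part, an OLE object and an external link."""
    parts = {
        "[Content_Types].xml": '<Types xmlns="%s"><Override PartName="/xl/workbook.xml" '
            'ContentType="a"/><Override PartName="/xl/vbaProject.bin" ContentType="b"/></Types>' % CT,
        "xl/_rels/workbook.xml.rels": '<Relationships xmlns="%s">'
            '<Relationship Target="worksheets/sheet1.xml"/><Relationship Target="vbaProject.bin"/>'
            '<Relationship Target="http://example.invalid/x" TargetMode="External"/></Relationships>' % REL,
        "xl/workbook.xml": "<workbook/>", "xl/worksheets/sheet1.xml": "<worksheet/>",
        "xl/vbaProject.bin": "macro bytes", "xl/embeddings/oleObject1.bin": "ole bytes"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()
```

This example filters only at the level of package parts; it does not inspect the XML inside the parts it keeps, which a full reconstruction would also have to check against the format’s specification.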

Votiro’s Zero Trust content disarm and reconstruction solution offers protection against weaponized files. Unlike detection-based file security solutions that scan for suspicious elements and block just some malicious files, Votiro’s revolutionary Positive Selection technology allows through only the safe elements of each file, so that files that enter the organization are safe.

To learn more about implementing Votiro’s technology to secure your network against malicious files and other threats, please schedule a demo today.