Unsuccessful Conti Ransomware Attack Still Packs Costly Punch | Threatpost

Ireland’s department of health services continues to grapple with a ransomware attack that occurred last week by the Conti gang. Officials state the attack will cost tens of millions to repair, even though attackers were not successful in their attempt to encrypt systems on Ireland’s Department of Health (DoH) systems.

“Hundreds of people” are still “working flat out” to get all Ireland DoH services and systems up and running, Irish Health Minister Stephen Donnelly tweeted late Monday as an update to the attack that occurred last week.

The incident that affected the DoH was part of a one-two punch that came with a separate attack that affected the Irish Health Service Executive (HSE), which also was attributed to Conti gang. In that incident, systems were encrypted and health officials also continue to work to resolve the situation.

Hundreds of people are working flat out in response to this despicable cyber attack on our health system and on patients. We’re focused on getting health services and appointments for patients back on track as quickly as possible. (1/4)

— Stephen Donnelly (@DonnellyStephen) May 17, 2021

Attackers have reportedly asked for a $20 million ransom, which the HSE has said it will not pay, according to a report by BeepingComputer . The Conti gang is known for asking exorbitantly large ransoms from public institutions, which typically aren’t the most cash-rich; it previously demanded a $40 million ransom from a Florida public school district.

In the case of the DoH, “the deployment of tools during the investigation process an attempt to execute ransomware was detected and stopped,” according to a report on the incident by the Irish National Cyber Security Centre (NCSC) published Sunday.

Fortunately, Ireland’s COVID-19 vaccination program was not affected, Donnelly said, as it is on a different IT system, nor were coronavirus testing and tracing or emergency health services, he said.

“Many important health services are running including emergency departments, the National Ambulance Service, the vaccine programme, testing & tracing, much community care, and more,” he tweeted.

Attack Disruption and Timeline

However, appointment scheduling was disrupted and hospitals across the country reported having to cancel health appointments and procedures, according to the NCSC. The DoH is the principal public health system that provides services to Ireland’s nearly 5 million residents.

“There are serious impacts to health operations and some non-emergency procedures are being postponed as hospitals implement their business continuity plans,” according to the report.

The attacks were first detected last Thursday when the NCSC noticed suspicious activity on the DoH network and immediately launched an investigation together with a third-party security provider, it said. Ireland’s national police service, An Garda Síochána, as well as the Office of the Government Chief Information Officer (OGCIO) and other contractors also are assisting in the investigation.

Officials seem to have first noticed the incident on the HSE network, with investigators identifying “a human-operated ‘Conti’ ransomware attack that had severely disabled a number of systems and necessitated the shutdown of the majority of other HSE systems.”

Around the same time, the team also detected malicious cyber activity on the DoH network. However “due to a combination of anti-virus software and the deployment of tools during the investigation process an attempt to execute ransomware was detected and stopped,” officials shared.

“Preliminary investigations indicated suspected presence of cobalt strike Beacon, which is a remote access tool,” according to the report. “Cobalt strike is often used by malicious actors inorder to move laterally within an environment prior to execution of a ransomware payload.”

Ransomware on the Rise

Indeed, the Conti ransomware gang claims to have had access to the HSE network for two weeks prior to the NCSC noticing the attack, according to the report in BleepingComputer, which said it viewed a screenshot of a chat between Conti and Ireland’s HSE.

During that period, attackers said they stole 700 gigabytes of unencrypted files from the HSE, including patient info and employee info, contracts, financial statements, payroll and more.

The Conti gang is one of a number of ransomware groups that have been making life difficult lately for organizations across the world and even causing serious disruption to global markets.

Of these, DarkSide in particular has been extremely active, crippling a major U.S. oil pipeline a week and a half ago—which caused an emergency declaration in the United States—and then attacking Toshiba not long after. The flurry of activity in this cybercriminal arena spurred the Russian-language cybercriminal forum XSS to ban ransomware activity from its site.

Download our exclusive FREE Threatpost Insider eBook, 2021: The Evolution of Ransomware,” to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what’s next for ransomware and the related emerging risks. Get the whole story and DOWNLOAD the eBook now – on us!