Ireland Warns of Potential Leaks of Patient Data After Ransomware Attack

Last week Ireland's Health Service Executive was targeted by an unknown threat actor and was forced to take down all of its systems in an attempt to stop the spread of the ransomware used in the attack. Now the HSE is warning that there is a high risk of sensitive patient data being "abused" and leaked by the attackers.

The attack on Ireland's health system infrastructure came hot on the heels of two other major ransomware hits that took place within the span of just a few days. However, while the other two big attacks, targeting Colonial Pipeline in the US and Toshiba Corporation subsidiaries in Europe, were both the work of the DarkSide group and its affiliates, the attacker who targeted Ireland's health IT network is not yet known.

What is known so far is the strain of ransomware used in the incident. The bad actors deployed a version of the Conti ransomware. Additionally, the investigation and the efforts to bring the IT network back online revealed that the compromised systems also had the Cobalt Strike Beacon command-and-control module on them.

Despite the significant hindrance that the attack posed to the country's health and social services, Ireland's government has already stated clearly that it will not be playing along and no ransom will be paid. That is probably a wise choice, given how the Colonial Pipeline ransomware job went. It turned out that Colonial executed a payment of around $5 million merely hours after the attack, but the tool the company received from DarkSide was so slow in decrypting the data that it was virtually useless. The company proceeded to restore normal operations using its own backups, effectively gaining nothing from the exchange.

Double-pronged attacks that both scramble a network and exfiltrate information are becoming increasingly common among ransomware operators. The stolen sensitive information is used as additional leverage to threaten and blackmail the ransomware victim into paying not just to restore its network but also to stop the data from leaking online.

This sort of threat is particularly nasty when it comes to attacks such as the one targeting Ireland's health services. Patient information is a highly sensitive data asset and may contain a number of highly personal details that can cause major problems if it all leaks online.

Ireland's HSE is proceeding relatively slowly with restoring its systems. According to a report by ZDNet, only 2,000 of a total of 80,000 devices have been restored to working order and are online. The country's minister of health reassured the population that "hundreds of people" are working around the clock to get everything back in order, but even by his own account, it might be "weeks" before every single subsystem is up again.

May 18, 2021