On May 14, 2021, the Irish Health Service Executive (HSE) suffered a major ransomware attack. It began in the early hours of the morning and had such an impact that the organisation was forced to shut down its IT systems temporarily until the incident could be contained. This caused numerous problems in service delivery and patient care.
First, all appointments that day, with a few specific exceptions (women 36 weeks pregnant or more), were cancelled. In addition, during those hours much of the information for patients already admitted had to be recorded manually on paper. Although the COVID-19 vaccination programme was not particularly affected, there were delays in receiving test results. Perhaps the most serious impact was that some oncology and radiology services in several hospitals also had to be interrupted.
Given the consequences of the incident, it is not surprising that the head of the HSE described it as the most significant cyber crime attack on the Irish state. Shortly after the incident, Taoiseach (Irish Prime Minister) Micheál Martin stated that the government would not give in to the attackers' demands and pay a ransom.
This did not deter the attackers: they later posted online a first sample of clinical data from 12 patients and, at the end of May, data from another 520 patients. But do we know which ransomware was used and who was responsible?
Security forces and analysts quickly identified it as Conti, a ransomware family developed by the Russia-based Wizard Spider group, which offers it to affiliates under a Ransomware-as-a-Service (RaaS) model. The usual attack vector is a phishing email containing a Google Docs link; if the user clicks it, the Conti loader is downloaded onto the system. Once executed, it encrypts files on the compromised systems with AES-256.
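The phishing-link-to-loader chain described above suggests a simple detection a practitioner can run over web proxy logs: a user visits a document-sharing link and, within a few minutes, downloads an executable from a different host. The Python script below is an added example written for this article; it is not WatchGuard's code and not part of the NHS material the article draws on. The log line format, the list of document-sharing hosts, the executable-download heuristics, the five-minute window and the sample log lines are all constructed assumptions for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log (made up for this example, not real HSE or NHS data).
# Assumed format: ISO timestamp, username, HTTP method, URL, status code, Content-Type.
SAMPLE_LOG = """\
2021-05-14T03:12:01 jdoe GET https://docs.google.com/document/d/1AbC/edit 200 text/html
2021-05-14T03:12:44 jdoe GET https://cdn-files.example.net/invoice_0514.exe 200 application/x-msdownload
2021-05-14T03:20:10 asmith GET https://docs.google.com/document/d/9XyZ/edit 200 text/html
2021-05-14T03:21:05 asmith GET https://docs.google.com/document/d/9XyZ/export?format=pdf 200 application/pdf
2021-05-14T08:05:30 bking GET https://updates.example.org/setup.exe 200 application/x-msdownload
2021-05-14T09:00:00 jdoe GET https://docs.google.com/document/d/2DeF/edit 200 text/html
2021-05-14T09:30:00 jdoe GET https://other.example.com/tool.zip 200 application/zip
"""

# Hosts treated as "document-sharing link" clicks (assumption: extend for your environment).
DOC_SHARE_HOSTS = {"docs.google.com", "drive.google.com"}
# Content types and file suffixes treated as a possible loader download (assumption).
EXEC_TYPES = {"application/x-msdownload", "application/octet-stream", "application/x-dosexec"}
EXEC_SUFFIXES = (".exe", ".dll", ".js", ".vbs", ".scr", ".zip", ".iso")

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, method, url, status, ctype = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user, "method": method,
            "url": url, "status": int(status), "ctype": ctype}


def is_doc_share_click(ev):
    """A successful request to one of the document-sharing hosts."""
    host = urlparse(ev["url"]).hostname or ""
    return host in DOC_SHARE_HOSTS and ev["status"] == 200


def is_executable_download(ev):
    """A download that looks like a binary/script payload from a non-sharing host."""
    parsed = urlparse(ev["url"])
    host = parsed.hostname or ""
    if host in DOC_SHARE_HOSTS:
        # Exports served by the sharing service itself (e.g. a PDF) are not the loader fetch.
        return False
    return ev["ctype"] in EXEC_TYPES or parsed.path.lower().endswith(EXEC_SUFFIXES)


def find_loader_chains(log_text, window=timedelta(minutes=5)):
    """Return alerts where a user fetched an executable within `window` of a doc-share click."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    last_click = {}  # user -> most recent document-sharing click
    alerts = []
    for ev in events:
        if is_doc_share_click(ev):
            last_click[ev["user"]] = ev
        elif is_executable_download(ev):
            click = last_click.get(ev["user"])
            if click and ev["ts"] - click["ts"] <= window:
                alerts.append({"user": ev["user"], "doc_url": click["url"],
                               "download_url": ev["url"],
                               "delta_s": (ev["ts"] - click["ts"]).total_seconds()})
    return alerts


if __name__ == "__main__":
    for a in find_loader_chains(SAMPLE_LOG):
        print(f"ALERT user={a['user']} {a['doc_url']} -> {a['download_url']} ({a['delta_s']:.0f}s)")
```

On the constructed log this flags only `jdoe`'s first session (a Google Docs click followed 43 seconds later by an `.exe` from another host). The PDF export by `asmith` stays on the sharing host and is ignored, `bking`'s installer has no preceding click, and `jdoe`'s later `.zip` falls outside the five-minute window. Tune the hosts, suffixes and window to your own traffic; the point is the sequence, not any single indicator.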
Backups, updates, best practices and comprehensive endpoint protection
The information about Conti above is taken from another public health service, namely the digital and technology section of the UK's NHS. Conti is already well known for its activity against organisations in this sector. Considering the damage it can cause, as it did in Ireland, healthcare institutions and facilities clearly need a proactive cybersecurity strategy, coordinated with their managed service provider (MSP), so that they are prepared for such incidents. This strategy should include measures such as:
Backups of all systems: they should be taken frequently and stored in multiple locations, and some copies should be kept completely offline so that ransomware that reaches the network cannot encrypt or delete them.
Good cybersecurity practices: it is often said that people are the main firewall, but they are also a key factor that attackers exploit through deception and social engineering. If staff are sufficiently aware of the threats, they are less likely to open suspicious emails or click the links in them, which is how Conti typically gains entry.
Updates: another entry point for ransomware is vulnerabilities in operating systems and in third-party software such as Java, Adobe products, Firefox, etc. Everyone should therefore have the latest security updates installed as far as possible.
Comprehensive protection at the endpoint: even so, the measures above are not enough on their own given the growing number and sophistication of today's attacks. MSPs need an advanced threat prevention, detection and response service at the endpoint that offers comprehensive protection based on distrusting all code by default, no matter how legitimate it appears. WatchGuard EPDR (Endpoint Protection, Detection and Response) addresses that need, with its Zero Trust Application Service and Threat Hunting Service included at no extra cost. It also integrates with the other cybersecurity solutions in WatchGuard Cloud to form a unified platform from which our MSPs can manage network, endpoint and multi-factor authentication security through a single console, providing multi-layered protection for customers and simplifying management.