The Conti ransomware is said to have been used in the attack on the IT systems of the Irish health service HSE. The attack was carried out through a “zero-day vulnerability with a brand new variant of the ransomware Conti”, HSE chief operations officer Anne O’Connor told Irish media. A Russian group is said to be behind the attack and is demanding a large ransom for the release of the stolen data. Meanwhile, the Irish health system continues to grapple with the aftermath of the attack.
The attack was discovered in the early hours of last Friday. HSE immediately began shutting down around 85,000 computers and 2,000 different systems. This has serious consequences for Irish health care: appointments have been canceled, particularly in radiology and in the care of children and pregnant women. Hospitals that are not directly connected to the HSE systems are less affected.
According to official information, the attack was carried out with the Conti ransomware, a further development of Ryuk. Conti attacks are usually not highly automated but are steered by the perpetrators by hand. They explore the compromised systems, install the ransomware on the computers and look for interesting data, which they then exfiltrate unnoticed. This can go on for several days before they trigger the actual ransomware that locks users out of the infected computers.
Alleged excerpts of communication between HSE employees and the attackers are circulating on social media, but their authenticity has not been confirmed. According to these, the extortionists state that they remained in HSE’s systems unnoticed for about two weeks and stole around 700 GB of sensitive data in the process. The perpetrators are allegedly demanding a ransom of US $20 million in Bitcoin. The Irish authorities have not confirmed this. Government officials and the HSE leadership have also emphasized that no ransom will be paid.
Russian “Wizard Spider”
According to what is currently known, the Russian group “Wizard Spider”, which is related to the splinter groups “Grim Spider” and “Lunar Spider”, is behind the attack. The group was first noticed around 2014 with the malware “Dyre” and was later blamed for attacks with the banking Trojan “Trickbot”. According to investigators, the group, located in the Saint Petersburg area, is said to have around 80 members.
Trickbot has since been expanded into a versatile attack tool that is used, for example, to further reconnoitre the compromised network and to harvest credentials. With Trickbot, “Wizard Spider” has also expanded its business model and turned to “Big Game Hunting”, the pursuit of particularly lucrative targets.
The group is also blamed for, among other things, the recent ransomware attacks on the British fashion chain “Fat Face” and the Scottish environmental protection agency. The Scottish Environment Protection Agency (SEPA) was attacked in December 2020. The perpetrators then published the stolen data on the dark web to increase the pressure. SEPA nevertheless refused to pay. After an attack in January, Fat Face paid a ransom of almost 1.7 million euros.