
Deadline nears: Hackers may have handed over key to unlock HSE files to show they 'can be trusted'

Gang has given the HSE a deadline of Monday to pay a €20m ransom or it will start selling off the data it stole



The ransomware gang behind the HSE attack may have provided the decryption tool to unlock the files as a PR strategy to show they are “reliable” to future targets and to criminals who may buy the stolen data, a senior malware threat analyst has said.

The gang has given the HSE a deadline of Monday to pay a €20m ransom or it will start selling off the data it stole from the HSE to the highest bidder on the darkweb.

The attack is believed to be the work of a Russian-speaking cyber criminal group known as Wizard Spider, using ransomware known as Conti, which at present can't be decrypted without a cryptographic key.

The Irish government has said it has no intention of paying the ransom demand so it is now likely the data will start appearing online from Monday.

The group also encrypted the HSE data but this week said they were giving the cryptographic key to the HSE for free as a show of good faith.

Kelvin Murray, a Dublin-based malware threat analyst with cybersecurity software firm Webroot, has said the gangs involved in such attacks are very conscious of PR.

“The group behind these Conti attacks has been in operation for years and has been reported by many different sources to be Russian. The days of hackers in basements are long gone. Cyber criminals these days are totally professional.

“The gang in question are very PR savvy because they have to be.

“They negotiate publicly with their victims. This involved shaming them for not paying in time and putting pressure on their stakeholders, maybe the patients with stolen data in this case, so that they can pressure the victim. They also need “trust” in that people might think they are bad but not so bad they won’t keep their word.”

He said they needed good PR for their potential customers who are criminal gangs who trade in stolen information in the darkweb and use it for various crimes.

“If their victim doesn’t pay they will go onto the darkweb and sell the stolen data. Stolen medical records for example are worth ten times more than stolen credit cards on the darkweb. They can be used to commit insurance fraud, get drugs, commit identity theft, all sorts. That data if leaked will cause problems for people for years.

“The criminals online buying this data need to trust them and that’s one reason why they are conscious of PR.”

He said that criminals behind the Conti ransomware are involved in a “cartel” which is akin to a “criminal affiliate programme”.

“They will rent out their ransomwares, criminal knowledge and infection distribution tools to other gangs in return for a 20pc or so cut on what those gangs do. Conti hits massive targets on purpose to really sell their brand of crime. They make a fortune off these lower level crooks that attack small to medium businesses, schools etc. Although these attacks never make the news this is where the vast majority of criminal money is made. They need good faith and PR in this community too.”

Mr Murray said it is unlikely the gang will ever find themselves before an Irish court over the attack.

“Finding out the operators wouldn’t be impossible. Gang leaders have been unmasked by IT investigators before. However, these criminals likely operate in a country that doesn’t prosecute cyber-crimes on foreigners and even if they did arrest them there’s little chance they would get extradited to sit in an Irish court.”

He said the HSE should now look to health services in other countries for guidance on how to make their data more secure against further attack.

“Hospitals and health services are complicated and very hard to manage, never mind secure. An average hospital room can have between 15 and 20 medical devices and thousands of staff, each a risk.

“On the ground level the HSE need to do better with things like upgrading machines to Windows 10, but the top level is where the real change needs to happen. Hospitals have been a favourite target for these gangs for years so management should have known this was coming. After the NHS was ruined by the WannaCry cyberattacks in 2017, they opened up NHS Digital who vastly improved the security culture in the huge state body. Their experts now travel the globe teaching other health services so perhaps we could ask our neighbours for a hand.”

He added that many Irish state organisations are vulnerable to attack.

“The police services in America have been under siege by ransomware gangs for years and I would imagine the Guards will be in the headlines next. The Irish education sector has very poor security practices and teachers were thrown into remote teaching during the pandemic without the basic training or equipment so this will certainly make the headlines soon too.”

He said ransomware attacks have significantly increased in both frequency and scale in recent years.

“When ransomware appeared on the scene 8 years ago the ransoms charged were about €100, now the average amount being charged is upward of €150,000. It is a huge criminal industry and the crooks know they can operate without ever facing justice.”

While the average ransom demand now is around €150,000, the average cost to a business recovering from a ransomware attack is around €1.5m.

Industry estimates put the costs associated with ransomware at $325m (€266m) in 2015 and some estimates claim the true cost of disruption to businesses could be $20bn (€16.4bn) a year globally by the end of this year.

The true cost can be hard to determine as many businesses targeted in the attacks do not publicise that they were targeted and have paid the ransom demands.

The US Treasury warned businesses there last year that they could be breaking the law by paying ransomware demands.
