The Health Service Executive (HSE), is an Irish government agency responsible for the encouragement, regulation and enforcement of workplace health, safety and welfare, and for research into occupational risks in Great Britain, was hit by a ransomware attack on May 14. The hackers stole 700 MB of patient data and have already published some of it on the Dark Web. They’ve demanded more than $20 million to refrain from publishing more data. 

The fear now is that scammers unrelated to the HSE attack will buy the data for their own nefarious use. Already, HSE is facing regulatory fines as the result of GDPR and may face lawsuits from victims whose personal data was published online.

The Facts

On May 14, HSE experienced a Conti ransomware attack that caused it to shut down all of its IT systems which impacted patient care across the country. Russian cybercrime group Wizard Spider was credited with the attack as well as another unsuccessful attack on Ireland’s Department of Health, also on May 14.

After discovering the breach, HSE shut down all its IT systems to control the extent of the damage and to enable forensic work. It also contacted the National Cyber Security Centre (NCSC) which is investigating the matter with the help of the Government Chief CIO and third-party contractors. Their preliminary investigations indicated the suspected presence of cobalt strike Beacon, which is a remote access tool bad actors use to move laterally within an environment prior to the execution of a ransomware payload.

Ireland’s Minister for Public Expenditure is working with Europol, Interpol and other international partners on the case. Meanwhile, a High Court injunction has been issued to stop the release of data (and to underscore the fact that posting such information is illegal). Social media companies have agreed to take down any illegally posted content they discover. 

HSE has refused to pay any ransom since the attack began, even though some information was published on the Dark Web within days (reports vary from May 19 to May 24). The data reportedly included internal health service files, minutes of meetings, equipment purchase details and correspondence with patients. Wizard Spider is now demanding more than $20 million if HSE wants to prevent more patient PII from being leaked. 

Some Irish hospitals are now able to store scan results and patient administration details, though other parts of the system will reportedly take weeks to restore. Digital radiology systems are back up at only two hospitals so far. An estimated 50,000 patients were impacted during the first week alone.

Apparently, the hackers gave HSE a decryption key, although the reason for that is unknown. Now, HSE is trying to decide which systems it should bring back online, which should be retired and which should be rebuilt. 

NCSC issued an advisory on the attack in hopes of helping other organizations detect or avoid a similar attack, although the document is a work in progress. In the meantime, HSE is apparently adding more expertise to its IT organization.

Quick Tips

The NCSC published the following three-prong approach to incident response (which are collectively Step 3 for the NIST and SANS frameworks):


  1. Isolate domain controllers.
  2. Block egress to the internet. 
  3. Create clean VLANs for rebuild and recovery operations. 
  4. Block malicious IPs and domain names. 
  5. Protect privileged accounts. 
  6. Harden endpoints.


  1. Wipe, rebuild and update all infected devices. 
  2. Ensure antivirus is up to date on all systems. 
  3. Make sure all hardware devices are patched and up to date. 
  4. Use your offsite backups to restore systems – before restoration take steps to ensure your backups have not be exposed to malware


  1. Restore endpoints. 
  2. Re-image devices, if required, 
  3. Re-set credentials.
  4. Re-Integrate quarantined systems. 
  5. Restore services. 

NCSC also recommends monitoring of the network for further suspicious activity. Particular attention should be placed on activity related to pre-cursor malware that may have pre-empted ransomware attack (IcedID/BazarLoader/Trickbot etc.).

The Hidden Wiki 2021


Leave a Reply

Your email address will not be published. Required fields are marked *