Two national entities within the Irish health system have been brought to a halt by a large-scale infection of Conti ransomware. The entities in question are the Health Service Executive (HSE) and the Department of Health. The HSE runs all public healthcare services within the Irish state, along with some social services. The Department of Health is the healthcare department of the Government of Ireland, overseeing all public and private healthcare affairs. The attack on the HSE was the first of the two to be announced, on Friday, though it was detected on Thursday. The second attack was announced publicly on Sunday but is believed to have occurred at the same time.
The HSE immediately took its systems offline upon detecting the Conti ransomware infection. “We have taken the precaution of shutting down all our IT systems in order to protect them from this attack and to allow us fully assess the situation with our own security partners,” a spokesperson said.
The National Cyber Security Centre had been made aware on Thursday afternoon of potentially suspicious activity on the government network. “Preliminary investigations indicated suspected presence of cobalt strike Beacon, which is a remote access tool,” it said.
“Cobalt strike is often used by malicious actors in order to move laterally within an environment prior to execution of a ransomware payload.”
At about 7am on Friday morning, the center was made aware of a “significant incident” affecting HSE systems.
The NCSC said it had circulated advice to constituent organizations after further analysis of the cyber attack. In a report late on Sunday night, the NCSC said the cyber-attacks “are believed to be part of the same campaign” targeting the State’s health sector.
The core problem for the HSE is that its main patient system and its radiology diagnostic system, ‘Nimis’, are down.
HSE Chief Operations Officer Anne O’Connor gave a general overview of what had been cancelled, including X-ray appointments, pediatric services and hospital outpatient appointments; services in the west were more severely affected.
O’Connor said that the voluntary hospitals – including the Mater, Beaumont, James’, Vincent’s, Tallaght, Mercy and South Infirmary – operate on a different IT system, so they were affected, but less severely.
Hospitals in the West – Donegal, Sligo, Mayo, and Galway – have cancelled all outpatient appointments. The same is the case with children’s health appointments: Crumlin, Temple Street, and Tallaght have cancelled appointments.
Almost all radiation appointments, including X-ray, MRI, and CT scans, have been cancelled, as computers are needed to assess scans.
The child and family agency Tusla has also been impacted by the attack. Over 90% of the agency’s connectivity, databases and operating systems are on the HSE platform.
Tusla CEO Bernard Gloster explained that the agency’s main casework in child protection, welfare and children in care is hosted on the National Childcare Information System (NCIS).
“All the case management information is on that system and that system is currently not available to us. It was switched off as part of the HSE containment, correctly, on Friday morning,” Gloster said.
Gloster said Tusla has about 20,000 cases open between child protection, welfare, and children in care. Those case files are located on the NCIS system, and as a result, are not currently available to Tusla.
Researchers at BleepingComputer obtained a screenshot of the ransom note, which is now circulating in security circles.
In the screenshot, the Conti gang claims to have had access to the HSE network for two weeks. During this time, they claim to have stolen 700 GB of unencrypted files from the HSE, including patient info and employee info, contracts, financial statements, payroll, and more.
Conti further stated that they would provide a decryptor and delete the stolen data if a ransom of $19,999,000 is paid to the threat actors.
It is also believed that the hackers behind Conti Ransomware shared a sample of the stolen documents in the chat. This has not been confirmed, but similar tactics have been seen in numerous ransomware attacks in the last 12 months.
In a press statement, Taoiseach Micheál Martin, the Prime Minister and head of government, said the state will not be paying the ransom at this time.
The Conti ransomware operation is believed to be run by a Russia-based cybercrime group known as Wizard Spider.
This group uses phishing attacks to install the TrickBot and BazarLoader trojans that provide remote access to the infected machines.
Other high-profile ransomware attacks conducted by Conti in the past include FreePBX developer Sangoma, IoT chip maker Advantech, Broward County Public Schools (BCPS), and the Scottish Environment Protection Agency (SEPA).
In a statement early Tuesday, the Russian Embassy in Ireland condemned the Conti Ransomware attack.
While cyberattacks are inevitable, a lot must be said for preventive measures, which the Irish Government failed to consider. The budget for the NCSC is €5 million with a staff of 24, while the HSE receives a budget of €20,623 billion. The NCSC has not had a director for over 12 months as the job cannot be filled – the salary is €89,000 per annum. Governments that do not take cybersecurity seriously are doomed to suffer massive cyberattacks, such as Conti ransomware.
Conti Ransomware Analysis
Note: The Analysis of Conti Ransomware was carried out by researchers at Vipre Labs.
Conti ransomware encrypts its victims’ files and, like other strains, publishes stolen data on its leak website. This extortion behaviour is visible in the ransom note, which says “We’ve downloaded your data and are ready to publish it on our news website”.
When executed, it encrypts files and changes the extension of the encrypted files to .ODMUA. Like other ransomware, it leaves a ransom note with the filename “readme.txt”.
The Conti ransomware website gives instructions on how to upload readme.txt for decryption and has a contact button at the bottom left of the page. Clicking the contact button opens a form asking for contact information and a question (the original post shows a screenshot of this form).
Conti ransomware performs a well-known malware technique called process hollowing: the malware creates a process in a suspended state, unmaps the PE image from that process’s address space using ZwUnmapViewOfSection, writes its own code into that space using WriteProcessMemory, sets a new entry point using SetThreadContext, and resumes the suspended process using ResumeThread.
On research, we found that the -p argument encrypts a specific directory with a single thread and the -m argument encrypts files with multiple threads. This means Conti ransomware has multi-threading capability: the main ransomware process creates child threads to speed up encryption.
It uses the string “hsfjuukjzloqu28oajh727190”, obtained from the malware’s string-decryption routine, to create a mutex with the CreateMutexA function, then checks whether that mutex already exists. This is commonly used by ransomware to avoid infecting a system more than once.
It also deletes all volume shadow copies on the infected system so that victims cannot recover their encrypted files from them.
After deleting the shadow copies, Conti ransomware starts its file encryption by first creating the ransom note, dropped first on the C: drive using “CreateFileW”, and writing its content using “WriteFile”.
As with other ransomware, it uses the functions “FindFirstFileW” and “FindNextFileW” to enumerate the files it will encrypt. Conti ransomware has a list of files, file extensions and directories that are excluded from encryption.
When Conti finds a file to encrypt, it generates the keys used to encrypt it. It uses the handle returned by “CryptAcquireContext”, which requests a cryptographic context from the Microsoft Enhanced Cryptographic Provider, then “CryptGenRandom” to generate cryptographically random bytes, and “CryptEncrypt” to encrypt. It uses AES-256 encryption for the infection.
It then opens the target file using “CreateFile” and retrieves its size using “GetFileSize”. After this, the malware decrypts its list of file extensions and checks whether the target file’s extension is in that list.
Conti ransomware does not just encrypt the files of the infected machine; it also spreads to and infects other machines on the same network over the SMB protocol.
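The behaviours the analysis above describes (process hollowing, the named mutex, shadow copy deletion, the readme.txt drop, the .ODMUA extension and SMB spreading) are the observable hooks a defender can correlate, and none of them is conclusive alone. The following is an added example, not code from the Vipre Labs analysis or from any vendor product: a small Python correlator that runs over constructed, Sysmon-style event lines and flags a process once several of these indicators coincide. The event names, the pipe-separated field layout, the vssadmin command line and the fan-out threshold in the sample are assumptions for illustration; the mutex string and the file extension come from the text.

```python
import re
from collections import defaultdict

# Indicators taken from the analysis above.
KNOWN_MUTEX_NAMES = {"hsfjuukjzloqu28oajh727190"}
RANSOM_EXTENSION = ".odmua"
# The four API steps of process hollowing named in the analysis.
HOLLOWING_STEPS = {"UnmapViewOfSection", "WriteProcessMemory", "SetThreadContext", "ResumeThread"}
SMB_FANOUT_THRESHOLD = 3  # distinct hosts on tcp/445 before we call it spreading (assumed)

# Constructed sample telemetry, "<time>|<event>|<pid>|<key=value ...>". The event names,
# field layout and the vssadmin command line are assumptions modelled on the behaviours
# described in the text; these are not real logs from the HSE incident.
SAMPLE_EVENTS = r"""
09:00:01|ProcessCreate|4012|image=C:\Users\bob\host.exe cmdline="host.exe" flags=CREATE_SUSPENDED parent_pid=1337
09:00:01|UnmapViewOfSection|1337|target_pid=4012
09:00:02|WriteProcessMemory|1337|target_pid=4012
09:00:02|SetThreadContext|1337|target_pid=4012
09:00:02|ResumeThread|1337|target_pid=4012
09:00:03|CreateMutex|4012|name=hsfjuukjzloqu28oajh727190
09:00:04|ProcessCreate|4100|image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet" flags= parent_pid=4012
09:00:05|FileCreate|4012|path=C:\readme.txt
09:00:06|FileRename|4012|path=C:\Users\bob\Documents\q1.xlsx.ODMUA
09:00:07|NetworkConnect|4012|dst=10.0.0.21:445
09:00:07|NetworkConnect|4012|dst=10.0.0.22:445
09:00:07|NetworkConnect|4012|dst=10.0.0.23:445
09:00:08|ProcessCreate|5000|image=C:\Windows\System32\notepad.exe cmdline="notepad.exe" flags= parent_pid=900
09:00:09|FileCreate|5000|path=C:\Users\bob\notes.txt
"""


def parse_event(line):
    """Split one event line into (event, pid, {key: value}); quoted values may contain spaces."""
    _time, event, pid, detail = line.split("|", 3)
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S*)', detail)}
    return event, int(pid), fields


def correlate(lines):
    """Return {pid: set of indicator names} built from the event stream."""
    indicators = defaultdict(set)
    suspended = set()                # pids created with CREATE_SUSPENDED
    hollow_steps = defaultdict(set)  # target pid -> hollowing steps observed against it
    smb_peers = defaultdict(set)     # pid -> distinct hosts contacted on tcp/445
    for line in lines:
        if not line.strip():
            continue
        event, pid, f = parse_event(line)
        if event == "ProcessCreate":
            if "CREATE_SUSPENDED" in f.get("flags", ""):
                suspended.add(pid)
            # Shadow copy deletion is credited to the parent that spawned the helper process.
            if "delete shadows" in f.get("cmdline", "").lower():
                owner = int(f["parent_pid"]) if "parent_pid" in f else pid
                indicators[owner].add("shadow_copy_deletion")
        elif event in HOLLOWING_STEPS:
            # Hollowing is credited to the suspended target, since that pid carries on the attack.
            target = int(f.get("target_pid", pid))
            hollow_steps[target].add(event)
            if target in suspended and hollow_steps[target] == HOLLOWING_STEPS:
                indicators[target].add("process_hollowing")
        elif event == "CreateMutex" and f.get("name") in KNOWN_MUTEX_NAMES:
            indicators[pid].add("known_mutex")
        elif event == "FileCreate" and f.get("path", "").lower().endswith("\\readme.txt"):
            indicators[pid].add("ransom_note_drop")
        elif event == "FileRename" and f.get("path", "").lower().endswith(RANSOM_EXTENSION):
            indicators[pid].add("ransom_extension")
        elif event == "NetworkConnect":
            host, _, port = f.get("dst", "").rpartition(":")
            if port == "445":
                smb_peers[pid].add(host)
                if len(smb_peers[pid]) >= SMB_FANOUT_THRESHOLD:
                    indicators[pid].add("smb_fanout")
    return dict(indicators)


def flagged(lines, min_indicators=3):
    """Pids whose distinct indicator count reaches the threshold, with their sorted indicators."""
    return {pid: sorted(ind) for pid, ind in correlate(lines).items() if len(ind) >= min_indicators}


if __name__ == "__main__":
    for pid, ind in flagged(SAMPLE_EVENTS.splitlines()).items():
        print(f"pid {pid}: {', '.join(ind)}")  # prints the single flagged pid, 4012, with six indicators
```

Two design choices matter here. Indicators are credited to the process that carries on the attack (the hollowed target, the parent of the vssadmin helper) rather than to whichever pid issued the call, otherwise the chain is split across pids and never reaches the threshold. The verdict is count-based because each indicator is weak alone: a readme.txt drop or three SMB connections is routine on its own, but the combination the analysis describes is not. Real telemetry exposes these events differently (for instance, the suspended-creation flag and cross-process writes come from kernel or ETW sources rather than plain process-creation logs), so the parsing layer is the part to swap out.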
Attacks like the Conti Ransomware campaign show that cyberattacks are increasing at an exponential rate, and both government and business leaders are underprepared to face the fallout of an attack. There are several tools internet users should use to increase their online protection. One of these tools is SaferNet.
SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.
Typically, a business or family would need 3 separate services for a VPN, malware protection, and internet controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.