The Conti ransomware gang did not encrypt the systems of Ireland's Department of Health (DoH) despite breaching its network and dropping Cobalt Strike beacons to deploy their malware across the network.
On the same day, Conti operators breached the network of Ireland's Health Service Executive (HSE), the country's publicly funded healthcare system, and forced it to shut down all IT systems to contain the incident.
"The National Cyber Security Centre (NCSC) became aware on Thursday of an attempted cyber attack on the Department of Health," the Irish Department of the Environment, Climate and Communications said.
"This attempted attack remains under investigation, however there are indications that this was a ransomware attack similar to that which has affected the HSE."
Ransomware execution blocked
In a separate security advisory [PDF], the NCSC provided more technical details on the attack and confirmed the link between the two incidents, saying that the two "attacks are believed to be part of the same campaign targeting the Irish health sector."
The NCSC was alerted to potentially suspicious activity on the Department of Health's network on Thursday afternoon.
Investigators discovered Cobalt Strike beacons deployed on the network. Cobalt Strike is a commercial post-exploitation framework commonly used by ransomware gangs to stage their malicious payloads and encrypt systems across a network.
The next day, at 07:00 AM, a human-operated Conti ransomware attack disabled some of HSE's devices, forcing the health service to shut down its entire IT infrastructure to limit the impact.
Around the same time, a second Conti attack attempting to execute ransomware payloads to encrypt the systems of Ireland's Department of Health was blocked by anti-virus software and the tools deployed by investigators the day before.
"The Department of Health has implemented its response plan including the suspension of some functions of its IT system as a precautionary measure," the Irish government added.
The NCSC also confirmed BleepingComputer's report that the ransomware sample used during these attacks appends the .FEEDC extension to encrypted files.
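The .FEEDC extension is the one file-system indicator the advisory gives for this sample. The following is an added example, not code from the article, the NCSC or any of the organisations named: it runs a simple mass-rename detection over a constructed file-event log, flagging any host on which several files are renamed to that extension within a short sliding window. The log format ("timestamp|host|event|path"), the hostnames, paths and timestamps, and the threshold and window values are all assumptions made for the example; a real deployment would feed it from endpoint telemetry such as file-rename events and tune the numbers to the environment. Matching the extension alone is a weak indicator on its own, since an operator can change it between campaigns, which is why the example keys on the rate of renames rather than on a single file.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Indicator reported in the NCSC advisory cited above: encrypted files get ".FEEDC".
RANSOM_EXT = ".feedc"
# Tuning values are assumptions for this example, not figures from the advisory.
THRESHOLD = 5                  # renames to the extension per host ...
WINDOW = timedelta(minutes=2)  # ... within this sliding window trigger an alert

# Constructed sample telemetry in a hypothetical "timestamp|host|event|path" format.
# Hostnames, paths and dates are invented placeholders, not real HSE/DoH data.
SAMPLE_LOG = """
2021-05-14T07:00:01|ws-fin-07|RENAME|C:\\Users\\a.byrne\\Documents\\budget.xlsx.FEEDC
2021-05-14T07:00:02|ws-fin-07|RENAME|C:\\Users\\a.byrne\\Documents\\payroll.csv.FEEDC
2021-05-14T07:00:02|ws-fin-07|RENAME|C:\\Users\\a.byrne\\Documents\\contracts.docx.FEEDC
2021-05-14T07:00:03|ws-fin-07|CREATE|C:\\Users\\a.byrne\\Documents\\notes.txt
2021-05-14T07:00:03|ws-fin-07|RENAME|C:\\Users\\a.byrne\\Pictures\\scan01.png.FEEDC
2021-05-14T07:00:04|ws-fin-07|RENAME|C:\\Users\\a.byrne\\Pictures\\scan02.png.FEEDC
2021-05-14T07:00:05|ws-fin-07|RENAME|C:\\Users\\a.byrne\\Desktop\\todo.txt.FEEDC
2021-05-14T07:01:10|ws-hr-02|RENAME|C:\\Temp\\sample.bin.FEEDC
2021-05-14T07:00:00|ws-lab-03|RENAME|D:\\Data\\run1.dat.FEEDC
2021-05-14T07:03:00|ws-lab-03|RENAME|D:\\Data\\run2.dat.FEEDC
2021-05-14T07:06:00|ws-lab-03|RENAME|D:\\Data\\run3.dat.FEEDC
2021-05-14T07:09:00|ws-lab-03|RENAME|D:\\Data\\run4.dat.FEEDC
2021-05-14T07:12:00|ws-lab-03|RENAME|D:\\Data\\run5.dat.FEEDC
"""


def parse_event(line):
    """Split one log line into (datetime, host, event type, path)."""
    ts, host, event, path = line.split("|", 3)
    return datetime.fromisoformat(ts), host, event, path


def feedc_renames(log_text):
    """Collect timestamps of renames to the ransom extension, grouped by host."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, event, path = parse_event(line)
        # Only rename events whose new name carries the extension count.
        if event == "RENAME" and path.lower().endswith(RANSOM_EXT):
            per_host[host].append(ts)
    return per_host


def detect_mass_rename(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {host: ISO timestamp} for every host where `threshold` or more
    renames to the ransom extension fall inside some `window`-long sliding
    interval. The timestamp is the event that crossed the threshold, i.e. the
    moment an alert would have fired."""
    alerts = {}
    for host, times in feedc_renames(log_text).items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts[host] = t.isoformat()
                break
    return alerts


if __name__ == "__main__":
    for host, when in detect_mass_rename(SAMPLE_LOG).items():
        print(f"ALERT {host}: mass rename to {RANSOM_EXT} at {when}")
```

With the sample data only ws-fin-07 fires: six renames in five seconds. ws-hr-02 has a single rename (a lone detonated sample, for instance) and ws-lab-03 has five renames spread across twelve minutes, so neither crosses the threshold inside the window, which is the point of counting per window rather than per host in total.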
HSE won’t pay Conti’s $20 million ransom
After the HSE ransomware incident, the Conti gang claimed to have had access to HSE's network for over two weeks and that they were able to steal 700 GB of unencrypted files, including employee and patient information, financial statements, payroll, contracts, and more.
They also said that HSE would have to pay a $19,999,000 ransom for Conti to delete all the stolen data from their servers and provide a decryptor.
Even though the incident has led to widespread disruption affecting Ireland's healthcare services, Taoiseach Micheál Martin, the Prime Minister of Ireland, said that the HSE would not be paying any ransom.
Conti shares code with the notorious Ryuk ransomware, whose TrickBot-powered distribution channels the gang took over after Ryuk activity dwindled around July 2020.
Previously, Conti ransomware also hit the Scottish Environment Protection Agency (SEPA), leaking roughly 1.2 GB of stolen data on their dark web leak site.