By Louise O’Sullivan, ICT Security Services Manager at HEAnet
In May 2021, Ireland was subjected to an unprecedented ransomware attack on its entire public healthcare system. The systems of the HSE (Health Service Executive) were targeted with Conti ransomware, which encrypted many of the HSE’s systems. This type of ransomware is human-operated: an attacker drives it interactively rather than relying on an automated process. It is thought the attack originated from a phishing email.
The attack caused significant disruption for the HSE, forcing many hospitals to revert to pen and paper, with the majority of appointments cancelled. It was reported that patient, staff or administrative data may have been compromised. It should be noted that no ransom was paid, and a week after the initial attack the decryption key was provided. Because the attack was so large, the NCSC of Ireland, An Garda Síochána and the army were involved in the response.
As this attack affected so many people within Ireland, cybersecurity became the new topic of conversation, all the more so because it happened during the COVID-19 pandemic. We at HEAnet saw our clients’ requirements for awareness training on ransomware increase drastically in the months that followed.
Following this attack, the ICT Security Services team at HEAnet observed the following key learnings:
- Real-life examples
Continued security awareness training that uses real-life examples relevant to the industry the attendees work in is far more informative for them.
- Phishing emails
It is imperative to know what phishing emails are and the key elements that identify this type of email. Phishing is one of the main ways in which ransomware enters an organisation.
- Ransomware playbook
It is important to implement an incident response plan that includes a ransomware playbook. The playbook is a valuable resource because it sets out the steps to follow when attempting to recover any system affected by ransomware.
- Understanding ransomware
It is also extremely important for any institution to understand how ransomware can enter a network. Below is an outline of the common stages a ransomware attack may go through.

| Stage | What happens |
|---|---|
| Distribution campaign | Attackers use techniques such as phishing emails and weaponised websites to trick or force users into downloading a dropper, which is the beginning of the infection. |
| Malicious code infection | The dropper contacts the attacker’s malicious site and downloads an executable that installs the ransomware itself. |
| Malicious payload staging | The ransomware sets itself up by embedding itself in the system. |
| Scanning | The ransomware searches for content to encrypt, both on the local computer and on any accessible network resources. |
| Encryption | Files are encrypted; the ransomware typically also targets backup files and folders so that they cannot be used to recover the data. |
| Payday | A ransom note is generated and the victim receives instructions on how to pay the ransom (usually in bitcoin). Victims are usually given a few days to pay, after which the price increases. |
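The "key elements that identify a phishing email" mentioned above can be turned into mechanical checks. The following is an added example (not HEAnet's code) that parses a raw message with Python's standard `email` module and flags the classic indicators: a Reply-To pointing to a different domain than the sender, a display name that contains a different e-mail address than the real one, link text showing one host while the `href` goes to another, urgency language, and an attachment with an executable (double) extension. `SAMPLE_EMAIL` is a constructed lure; every address, domain and link in it is fictional.

```python
"""Flag common phishing indicators in a raw e-mail message.

Added example, not HEAnet's code. SAMPLE_EMAIL is a constructed lure;
every address, domain and link in it is fictional (.example TLD).
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "will be suspended")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".lnk", ".iso")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
EMAIL_IN_NAME_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

SAMPLE_EMAIL = """\
From: "it.support@college.example" <alerts@college-portal-login.example>
Reply-To: recover@mail-recovery.example
To: staff@college.example
Subject: URGENT: password reset required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html; charset="utf-8"

<p>Your account will be suspended unless you reset your password immediately.</p>
<p><a href="http://college-portal-login.example/reset">https://portal.college.example/reset</a></p>
--BOUNDARY
Content-Type: application/octet-stream; name="policy.pdf.exe"
Content-Disposition: attachment; filename="policy.pdf.exe"

(binary attachment placeholder)
--BOUNDARY--
"""


def _domain(address: str) -> str:
    """Lower-cased domain of an address header value ('' if there is none)."""
    _name, addr = parseaddr(address)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _host(url: str) -> str:
    """Host part of a URL; bare 'www.' links are given a scheme first."""
    url = url.strip()
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def phishing_indicators(raw_message: str) -> list[str]:
    """Return the sorted list of indicator names triggered by the message."""
    msg = message_from_string(raw_message)
    found = set()
    from_header = msg.get("From", "")
    display_name, _addr = parseaddr(from_header)
    from_domain = _domain(from_header)

    # 1. Reply-To points to a domain other than the (claimed) sender's.
    reply_domain = _domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        found.add("reply_to_domain_mismatch")

    # 2. Display name contains an e-mail address on a different domain.
    m = EMAIL_IN_NAME_RE.search(display_name)
    if m and m.group(1).lower() != from_domain:
        found.add("display_name_spoofs_address")

    for part in msg.walk():
        # 3. Attachment with an executable extension (often a double extension).
        filename = part.get_filename() or ""
        if filename.lower().endswith(RISKY_EXTENSIONS):
            found.add("executable_attachment")
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        body = part.get_payload(decode=True).decode("utf-8", "replace")
        # 4. Urgency / threat language typical of credential lures.
        if any(p in body.lower() for p in URGENCY_PHRASES):
            found.add("urgency_language")
        # 5. Link text shows one host while the href leads to another.
        for href, text in ANCHOR_RE.findall(body):
            text = re.sub(r"<[^>]+>", "", text).strip()
            if re.match(r"(?i)(https?://|www\.)", text) and _host(text) != _host(href):
                found.add("link_text_host_mismatch")
    return sorted(found)


if __name__ == "__main__":
    for name in phishing_indicators(SAMPLE_EMAIL):
        print("indicator:", name)
```

None of these checks is conclusive on its own (legitimate mail from ticketing systems often has a differing Reply-To, for instance), which is why awareness training teaches people to weigh several of them together; the function returns the whole set so a reader or a mail gateway can do the same.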
Based on these observations, the ICT Security Services team at HEAnet has now included more information on ransomware and its prevention in its Security Awareness Training. The team is also currently running a number of workshops on ransomware from a technical perspective.
To conclude, the ransomware attack on Ireland’s healthcare system has brought immense focus on cybersecurity, not only for the government but for all businesses, colleges and organisations within Ireland. It highlights the need for us to work proactively rather than reactively on cybersecurity and its threats.
Louise has been the ICT Security Services Manager at HEAnet, Ireland’s National Education and Research Network, for the past four years. She holds both a degree and a Masters from NUI Galway and is a certified CISA auditor and Lead ISMS Implementer. Her background is primarily in IT audit, security consulting and cybersecurity, working in companies including Deloitte, AON and PwC.
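The stage table above (scanning, encryption that also hits backups, and the ransom note at payday) describes behaviour that shows up in file-system telemetry, which is what a technical ransomware workshop would look at. The following is an added example, not HEAnet's code, of the heuristics an endpoint sensor or log pipeline can apply to a stream of file events: a burst of high-entropy writes, a burst of renames that change the file extension, writes or deletes under backup locations, and the same file name being dropped into many directories. The event log, process ids, paths and thresholds are all constructed for illustration; the "ciphertext" is just a byte pattern with maximal entropy.

```python
"""Heuristic detection of ransomware-like file activity from a file-event log.

Added example, not HEAnet's code. The event log below is constructed: pids,
paths and contents are invented, and CIPHERTEXT_LIKE is a byte pattern with
maximal entropy standing in for encrypted output.
"""
import math
import os
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class FileEvent:
    ts: float           # seconds since the start of the capture
    pid: int            # process that performed the operation
    op: str             # "write", "rename" or "delete"
    path: str           # target path (the new name for a rename)
    data: bytes = b""   # content written (for "write" events)
    old_path: str = ""  # previous name (for "rename" events)


BACKUP_HINTS = ("/backup/", "/snapshots/", ".bak", ".vhdx")  # assumed site conventions


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for ciphertext, ~4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _max_in_window(timestamps: list[float], window: float) -> int:
    """Largest number of (sorted) timestamps that fall inside any one window."""
    best = start = 0
    for i, t in enumerate(timestamps):
        while timestamps[start] < t - window:
            start += 1
        best = max(best, i - start + 1)
    return best


def detect_ransomware_behaviour(events, window=60.0, min_files=20, entropy_threshold=7.0):
    """Map pid -> sorted reasons for every process whose activity looks like ransomware."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_pid[ev.pid].append(ev)
    alerts = {}
    for pid, evs in by_pid.items():
        reasons = set()
        # Encryption stage: many high-entropy writes in a short time ...
        hi = [e.ts for e in evs if e.op == "write" and shannon_entropy(e.data) >= entropy_threshold]
        if _max_in_window(hi, window) >= min_files:
            reasons.add("mass_high_entropy_writes")
        # ... and many renames that change the file extension.
        ext = [e.ts for e in evs if e.op == "rename"
               and os.path.splitext(e.old_path)[1] != os.path.splitext(e.path)[1]]
        if _max_in_window(ext, window) >= min_files:
            reasons.add("extension_change_burst")
        # Backups touched so they cannot be used for recovery.
        if any(h in e.path.lower() for e in evs for h in BACKUP_HINTS):
            reasons.add("backup_location_modified")
        # Payday stage: the same note file written into several directories.
        dirs_per_name = defaultdict(set)
        for e in evs:
            if e.op == "write":
                dirs_per_name[os.path.basename(e.path)].add(os.path.dirname(e.path))
        if any(len(d) >= 3 for d in dirs_per_name.values()):
            reasons.add("same_file_written_in_many_dirs")
        if reasons:
            alerts[pid] = sorted(reasons)
    return alerts


CIPHERTEXT_LIKE = bytes(range(256)) * 8  # constructed: every byte value equally frequent
PLAINTEXT_LIKE = b"Quarterly report: revenue, costs, headcount and targets. " * 20


def sample_events() -> list[FileEvent]:
    """Constructed log: pid 4242 behaves like ransomware, pid 1001 like a text editor."""
    evs = []
    for i in range(25):
        t = 100.0 + i * 0.2
        path = f"/home/alice/docs/report{i}.docx"
        evs.append(FileEvent(t, 4242, "write", path, CIPHERTEXT_LIKE))
        evs.append(FileEvent(t + 0.05, 4242, "rename", path + ".locked", old_path=path))
    evs.append(FileEvent(105.0, 4242, "delete", "/srv/backup/weekly.bak"))
    for d in ("/home/alice/docs", "/home/alice/pictures", "/srv/share"):
        evs.append(FileEvent(110.0, 4242, "write", d + "/README_RESTORE.txt",
                             b"(constructed note placeholder)"))
    evs.append(FileEvent(50.0, 1001, "write", "/home/bob/notes.txt", PLAINTEXT_LIKE))
    evs.append(FileEvent(300.0, 1001, "write", "/home/bob/report.docx", PLAINTEXT_LIKE))
    return evs


if __name__ == "__main__":
    for pid, reasons in detect_ransomware_behaviour(sample_events()).items():
        print(f"pid {pid}: {', '.join(reasons)}")
```

The thresholds (20 files in 60 seconds, entropy of 7 bits per byte) are deliberately conservative so that a compression tool or a build job does not trip them on its own; in practice the combination of reasons for one process matters more than any single one, and the backup-location check is the one a playbook most wants to see early, since it is the stage that decides whether recovery without paying is possible.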
Article originally posted on connect.geant.org