Hackers Offer Decrypt Key to Irish Health Service With a Catch

A day after threatening to publicly release patient data, the hackers who targeted Ireland’s health service offered a decryption key that they said could be used to unlock computers infected with ransomware.

While seeming to offer an olive branch -- sharing a link to download the decryption key -- the group reiterated its threats to disclose patient data unless Irish authorities paid the $20 million ransom demand.

“We are providing the decryption tool for your network for free,” the hackers said in the message posted on Thursday, which was reviewed by Bloomberg News. “But you should understand that we will sell or publish a lot of private data if you will not connect us and try to resolve the situation.”

The cybersecurity group MalwareHunterTeam, and the computer security website Bleeping Computer, each said they had verified the decryption key was legitimate and could be used to unlock the files of Ireland’s Health Service Executive. But the disclosure of the decryption key is unlikely to mean the end of the disruption.

Irish authorities said they were aware of the decryption tool and were conducting a technical review to ensure its integrity and to “ensure that this tool would support restoration of our systems rather than cause further harm.”

“Every effort is being made to restore important aspects of the HSE’s IT infrastructure as soon as possible and the focus remains very firmly on restoring medical services for the many thousands of patients in need of them,” the government said in an emailed statement.

“It is to be emphasized that the Government has not paid a ransom and will not pay a ransom in respect of this crime,” according to the statement. “This has been the firm position of the Government from the outset, and it will continue to maintain that position.”

A health ministry spokeswoman said in a text message that it wasn’t yet clear what personal data, if any, had been stolen from the ministry’s systems. She said a mapping exercise is underway to determine the potential risk to individuals should any data be disclosed online, and the department is also developing a protocol to communicate with individuals if personal data is affected.

As a precaution, she said, the ministry is encouraging stakeholders to be on the lookout for suspicious activity around their personal data.

Brian Honan, head of Ireland’s Computer Security Incident Response Team, said whether the encryption key works or not, hospitals and other affected organizations “will still have to restore all their systems step by step.”

“Otherwise they have no guarantee that a backdoor or other malicious piece of code has been left on their systems by the criminals to enable them to get back in again at a later date,” he said. Honan added that the situation was “still quite serious. Many systems are still offline as the response teams work their way through restoring affected systems.”

The online messages from the hackers show that they demanded $19,999,000 in payment; that figure couldn’t be confirmed with Irish authorities.

Last week, Ireland’s hospitals were forced to shut down many of their computers after the hackers gained access to the health service’s systems, encrypted patient data so that it was inaccessible and demanded payment to unlock the files.

The incident has paralyzed some hospitals, resulting in the cancellation of services including some cancer patients’ consultations and disrupting radiology and diagnostic systems. Hospital staff have been carrying out much of their work using pen and paper instead of their computers. Emergency rooms are open but dealing with significant delays due to the fallout from the attack.

In an online message sent on Wednesday and reviewed by Bloomberg News, the hackers told representatives of the country’s Health Service Executive that if they couldn’t reach an agreement soon, “we will start to sell and publish your data” on May 24. Previously they had threatened to release the data “very soon.”

The attack in Ireland comes on the heels of several high-profile ransomware attacks in the U.S., including a breach of Colonial Pipeline Co. that squeezed fuel supplies along the East Coast, leading to higher prices and long lines at gas stations. A separate attack on Scripps Health in San Diego has slowed the pace of care and forced the diversion of some patients to other facilities, according to the San Diego Union-Tribune.

In ransomware attacks, hackers encrypt a victim’s computer files and then demand payment to unlock them. Some ransomware gangs now steal victims’ files too and threaten to publish them if payment demands aren’t met, a type of double extortion.

The hackers who targeted the Irish health service call themselves the “ContiLocker Team” and use a strain of ransomware known as Conti to break into victims’ computers and extort payments. Conti usually publishes stolen documents on its website on the dark web when a victim refuses to pay.

The group is also known as “Wizard Spider.” According to the security firm CrowdStrike Holdings Inc., Wizard Spider is a Russian criminal group that has become increasingly pervasive in the last year. A CrowdStrike report published in October described Wizard Spider as an “established, high-profile and sophisticated” group, which “has made significant improvements to their arsenal recently and has both developed new tools and modified existing ones.”

In online chats reviewed by Bloomberg News, the hackers told representatives of the health service on May 14 that they had “infiltrated your network and stayed in it for more than 2 weeks.” They said they had obtained 700 gigabytes of data, including personal data of patients, employees, contracts, financial statements and payroll details.

Asked to provide proof by representatives of the health authority, the hackers sent a link to a sample of the data they said they had obtained. The sample included 27 files, including patient medical records, notes about a pediatric hematology palliative care meeting, procurement records and other confidential details, according to a list of the files reviewed by Bloomberg News.

The 27 sample files haven’t been published for anyone to freely download on the internet. Rather, cybersecurity researchers obtained copies from the hackers and shared portions of them with reporters.

Ireland’s health service has so far refused to pay any ransom and has said it is working to restore its computers. “This work will take many weeks and we anticipate major disruption will continue due to the shutdown of our IT systems,” the organization said in a statement on Wednesday. “We should start to see some early signs of recovery in some sites over the coming days.”

©2021 Bloomberg L.P.