Expert Comment on Irish Health Service Ransomware Attack

Following the news that Ireland’s health service has closed down its computer systems after a ‘significant ransomware attack’, please see below for comment from security experts.

Notify of

12 Expert Comments
Most Voted
Newest Oldest
Inline Feedbacks
View all comments
Stephen Bradford
Stephen Bradford , SVP EMEA
InfoSec Expert
May 17, 2021 3:26 pm

<p>Ireland’s health service being closed down due to a ransomware attack signals yet another attack on critical infrastructure. At a time when healthcare has been under immeasurable pressure, it’s clear cyber criminals won’t hold back no matter what disruption is caused.</p> <p> </p> <p>Outdated IT systems stand little chance against these attacks, which are becoming increasingly sophisticated in nature. A simple click on a link or web pop-up is enough to let the hackers in and bring everything to a standstill.</p> <p> </p> <p>Organisations must implement multiple security controls, enlisting the help of technologies such as AI which can help identify vulnerabilities. This is critical to reduce the risk or ransomware and other malicious malware threats.</p>

Last edited 1 year ago by Stephen Bradford
Ilia Kolochenko
Ilia Kolochenko , Founder and CEO
InfoSec Expert
May 17, 2021 2:41 pm

<p><span lang=\"EN-US\">Ransomware gangs are becoming gradually more organized and efficient. They carefully select and purposely target those organizations with no viable choice but to pay the ransom, oftentimes, targeting the most vulnerable organizations and businesses. Untraceable payments in cryptocurrencies grant virtual impunity to the attackers.</span></p> <p> </p> <p><span lang=\"EN-US\">Western law enforcement agencies are largely understaffed and underfunded to tackle the surging wave of ransomware, while legislators rather try to address the consequence rather than dealing with a root cause of the problem such as missing cybersecurity hygiene and ignorance of foundational best practices.</span></p> <p> </p> <p><span lang=\"EN-US\">International collaboration in judicial prosecution and investigation of cybercrime is probably hitting its bottom in 2021 because of the growing political tensions. Eventually, we will probably observe a flat ban of some cryptocurrencies or a regulatory overkill that will push into bankruptcy many crypto stock exchanges and related businesses. Last year OFAC made it crystal-clear that paying a ransom may constitute a violation of sanctions and trigger legal ramifications for the victims who pay criminals to get their data back. Today, the recent probe of Binance, commenced by the US DoJ and the IRS, unambiguously evidences that the US government is serious about curbing now-unregulated crypto markets. Booming ransomware is a perfect reason to justify it. </span></p>

Last edited 1 year ago by Ilia Kolochenko
Anurag Kahol
Anurag Kahol , CTO
InfoSec Expert
May 17, 2021 2:07 pm

<p>Healthcare organisations have been a major target since the start of the pandemic, and as a result need to ensure they take every precaution necessary to protect patient data. Hundreds of hospitals, medical offices, and imaging centres have contributed to over a billion exposed records; Ireland\’s health service, the Health Service Executive, has become one of many.</p> <p><br /><br />The rapid digitisation of patient records means it’s been very difficult to implement consistent data security policies and training schemes to educate staff on keeping data safe. As healthcare organisations make patient data more accessible to individuals and new systems, they must make information security their top priority.</p> <p><br /><br />Strategic investments in cybersecurity will make a significant impact on protecting healthcare businesses against cyber security risks, which will potentially save billions in the long run. To prevent future ransomware attacks and safeguard highly sensitive information, organisations must have full visibility and control over their data. This can be accomplished by leveraging multi-faceted solutions that defend against malware on any endpoint, enforce real-time access control, detect misconfigurations, encrypt sensitive data at rest, and prevent data leakage. What’s more, healthcare organisations need to ensure adequate employee training to protect from ransomware. Employees must be able to identify phishing attempts and illegitimate emails, which is the primary vector for ransomware attacks.</p>

Last edited 1 year ago by Anurag Kahol
David Higgins
David Higgins , EMEA Technical Director
InfoSec Expert
May 17, 2021 1:16 pm

<p>The success of this ransomware campaign is concerning for so many reasons. Previous attacks such as WannaCry in 2017, which cost the NHS £92million and saw 19,000 appointments cancelled, are a stark reminder of the consequences this kind of cyberattack can have. They\’re callous, and what\’s devastating is that they can lead to the loss of life.<u></u><u></u></p> <p><u></u> <u></u></p> <p>Ransomware typically starts on endpoint devices. But, of course, encrypting one device isn’t going to cause sufficient disruption or compel businesses to pay the ransom attackers are after. Instead, they use these devices as a gateway to move throughout the network to encrypt the files, applications and systems that matter most to businesses. This move from the endpoint to the network is integral to attackers’ strategies – and is also the point where healthcare providers can break that chain and prevent these attacks from spreading.<u></u><u></u></p> <p><u></u> <u></u></p> <p>Taking a proactive approach that protects privileged access to those files and systems that matter most is key. This helps stop attackers in their tracks by keeping these events contained to the initial infection point — making them much less effective and minimising the potential damage.</p>

Last edited 1 year ago by David Higgins
Patrick Wragg
Patrick Wragg , Cyber Incident Response Manager
InfoSec Expert
May 17, 2021 1:10 pm

<p>The ransomware variant is reported to resemble “Conti”. This is a ransomware tool that has been in operation since at least December 2019 and is believed to be derived from the “Ryuk” ransomware variant. Conti is often deployed using the “TrickBot” infrastructure. Conti is designed to be operated by the attacker, rather than via an automated process, and it contains unique features that allow a more targeted and quicker attack. Conti’s ransomware operations have targeted a wide variety of sectors globally, which include construction, manufacturing, and retail.</p> <p> </p> <p>We would recommend that businesses increase vigilance of their environment, ensuring firewalls, IDS/IPS and AV solutions are monitored for any malicious activity; servers and applications are patched and consideration is given to disabling external RDP functionality or SMB.</p>

Last edited 1 year ago by Patrick Wragg
Information Security Buzz
Would love your thoughts, please comment.x