Conti ransomware gang also breached Ireland Department of Health (DoH)

The Conti ransomware gang also breached the network of Ireland’s Department of Health (DoH), but the ransomware failed to encrypt its systems.

Last week, the Conti ransomware gang targeted Ireland’s Health Service Executive (HSE), which was forced to shut down its IT systems on Friday after a significant ransomware attack. The HSE opted to shut down its infrastructure as a precaution to prevent the threat from spreading.

Researchers from BleepingComputer revealed that the Conti ransomware gang demanded a $20 million ransom.

In a separate attack, the gang also breached the network of the country’s Department of Health (DoH) but failed to encrypt the organization’s systems. The DoH shut down its networks to prevent the threat from spreading; at the time of writing, operations had yet to be fully restored.

Once inside the network, the Conti ransomware gang dropped Cobalt Strike beacons to spread their ransomware.

“The National Cyber Security Centre (NCSC) became aware on Thursday of an attempted cyber attack on the Department of Health. The Department of Health has implemented its response plan including the suspension of some functions of its IT system as a precautionary measure. This attempted attack remains under investigation, however, there are indications that this was a ransomware attack similar to that which has affected the HSE,” reads an update published by the Irish Department of the Environment, Climate and Communications.

“As the investigations into both incidents are ongoing, it is not possible to make further comment on the nature of these attacks at this time.”

The National Cyber Security Centre (NCSC) also published an alert titled “Ransomware Attack on Health Sector” that included technical details on the attack. Government experts speculate the two attacks are part of the same campaign targeting the Irish health sector.

“On 14/05/21 the Health Service Executive (HSE) was impacted by a Ransomware attack which has affected multiple services on their network. The NCSC along with the HSE and partners are currently investigating this incident and an Incident Response process is ongoing,” reads the alert. “Malicious cyber activity was also detected on the Department of Health (DoH) network early on Friday morning (14th May 2021), however due to the deployment of tools during the investigation process an attempt to execute ransomware was detected and stopped. These attacks are believed to be part of the same campaign targeting the Irish health sector.”

The NCSC also provided indicators of compromise (IoCs) associated with the attacks.

Preliminary investigations conducted by government experts revealed the suspected presence of a Cobalt Strike Beacon, which the threat actors used to gain remote access to the compromised systems and to perform lateral movement within the target network.

At approximately 07:00 on 14th May, the NCSC was made aware of a Conti ransomware attack that had severely disabled a number of HSE systems; IT staff then shut down the majority of the other HSE systems.

Early on Friday morning (14th May 2021), experts also detected malicious activity on the DoH network, but the attack was neutralized by defensive software that detected the attempt to deploy hacking tools and to execute the ransomware.

The malware involved in the attack is Conti Ransomware v3 (32-bit), which attempted to encrypt all files except those with the following file names and extensions:
– CONTI_LOG.txt
– readme.txt
– *.FEEDC (extension added by Conti Ransomware to filenames of encrypted files)
– *.msi
– *.sys
– *.lnk
– *.dll
– *.exe
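As an added example (not code from the article or from the NCSC alert), the following triage helper applies the exclusion rule listed above to a host file listing, so responders can separate encrypted files, files the ransomware itself leaves behind, and files it skips by design. The sample listing is constructed for illustration; treating readme.txt and CONTI_LOG.txt as ransomware-written artifacts is an assumption.

```python
from collections import Counter
from pathlib import PureWindowsPath

# From the exclusion list above: names and extensions Conti v3 leaves untouched.
# readme.txt / CONTI_LOG.txt are assumed to be files written by the ransomware.
CONTI_ARTIFACTS = {"conti_log.txt", "readme.txt"}
ENCRYPTED_EXT = ".feedc"          # extension appended to encrypted files
SKIPPED_EXTS = {".msi", ".sys", ".lnk", ".dll", ".exe"}


def classify(path: str) -> str:
    """Return 'encrypted', 'artifact', 'skipped' or 'unencrypted' for one path."""
    p = PureWindowsPath(path)
    name, ext = p.name.lower(), p.suffix.lower()
    if name in CONTI_ARTIFACTS:
        return "artifact"
    if ext == ENCRYPTED_EXT:
        return "encrypted"
    if ext in SKIPPED_EXTS:
        return "skipped"        # never encrypted, so not evidence of impact
    return "unencrypted"        # a candidate file the ransomware did not reach


def triage(listing):
    """Count each class and list directories with encrypted files or artifacts,
    which is where recovery and evidence collection should focus."""
    counts = Counter()
    affected_dirs = set()
    for path in listing:
        cls = classify(path)
        counts[cls] += 1
        if cls in ("encrypted", "artifact"):
            affected_dirs.add(str(PureWindowsPath(path).parent))
    return counts, sorted(affected_dirs)


# Constructed sample listing, not real indicators.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.FEEDC",
    r"C:\Users\alice\Documents\readme.txt",
    r"C:\Users\alice\Documents\notes.docx",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\drivers\ntfs.sys",
    r"C:\Program Files\App\app.exe",
    r"C:\Shares\HR\contract.pdf.FEEDC",
    r"C:\Shares\HR\CONTI_LOG.txt",
]

if __name__ == "__main__":
    counts, dirs = triage(SAMPLE_LISTING)
    print(dict(counts), dirs)
```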

Conti ransomware operators run a private Ransomware-as-a-Service (RaaS). The malware appeared in the threat landscape at the end of December 2019 and was distributed through TrickBot infections. Experts speculate the operators are members of the Russia-based cybercrime group known as Wizard Spider.

Since August 2020, the group has operated a leak site used to threaten victims with the release of stolen data.

The list of victims of the group includes IoT chip maker Advantech, and Broward County Public Schools (BCPS).


Pierluigi Paganini
