Insides on Ireland's health service executive ransomware case in May 2021

Sicherheit (Pexels, allgemeine Nutzung)[German]In May 2021, there was a ransomware attack on Ireland's Health Service Executive (HSE). PricewaterhouseCoopers recently provided an analysis of what went wrong. Below I briefly compiled the findings of the investigation from that case.


The IT of Ireland's state-run healthcare system, Health Service Executive (HSE), was successfully attacked by the Conti Ransomware group on May 14, 2021, officials admitted on Twitter.

Ransomware on Health Service Executive (HSE

PricewaterhouseCoopers recently provided analysis of this ransomware case in the form of a findings report Conti cyber attack on the HSE (PDF). As a result of the attack and the actions taken as a result, the Irish healthcare system lost access to HSE IT, causing clinics and ambulance services to go into emergency mode. The anatomy of this ransomware attack is interesting, starting from a workstation referred to as Patient Zero.

  • The cyberattack began on March 18, 2021, with the malware infecting an HSE workstation (the Patient Zero Workstation). This malware infection was possible because the user of this workstation opened a malicious Microsoft Excel file that was included in the attachment of a phishing email. This mail had been received by the user on March 16, 2021.
  • After gaining unauthorized access to HSE's IT environment on March 18, 2021, the attacker moved laterally across HSE's IT network over a period of eight weeks. In the process, he compromised a significant number of high-privilege accounts (typically accounts used to perform administrative tasks), infected a significant number of servers, and began exfiltrating data and propagating the IT systems of statutory and privately operated but HSE IT-affiliated hospitals.

The incident was not detected and countered with countermeasures until the Conti ransomware became active on May 14, 2021, causing widespread IT disruption by encrypting data. The tragedy of this case is that there were even two security tools that noticed the intrusion without drawing the right conclusions. Here are some details from the report:

  • On March 31, 2021, the HSE's used antivirus software detected the execution of two software tools – Cobalt Strike and Mimikatz – commonly used by ransomware groups, on the Patient Zero workstation. However, the antivirus software was set to monitoring mode, so it did not block the malicious tools.
  • On May 7, the attacker penetrated HSE's servers for the first time, and over the next five days, the intruder compromised six HSE hospitals.
  • On May 10, one of the hospitals discovered malicious activity on its Microsoft Windows Domain Controller, a critical component of any enterprise Windows network that manages user authentication and network access. That led to initial activity.
  • On May 10, 2021, security auditors first found evidence that the attacker had compromised systems at Hospital C and Hospital L. The attacker's antivirus software was also compromised. Hospital C's antivirus software detected Cobalt Strike on two systems but failed to quarantine the malicious files.
  • On May 13, the antivirus software vendor sent an email to HSE's security team highlighting unhandled threat events dating back to May 7 on at least 16 systems. The HSE Security Operations Team requested that the server team reboot the servers.

Going through the timelines above (see also the following image), the measures were already way too late on May 13, 2021, and on May 14, 2021, the Conti gang triggered the encryption by the ransomware. The successful attack resulted in an almost complete shutdown of the HSE's national and local networks and disruption of service at several clinics and health services. The number of appointments dropped by 80%.


Irish HSE Conti Ransomware case timeline
Irish HSE Conti Ransomware Case Source: PricewaterhouseCoopers

It should be noted that nearly two months elapsed between the initial infection and the triggering of the encryption, during which time the attackers were able to move around the HSE's IT network undetected. It was also discovered that tens of thousands of Windows 7 systems were present in the affected hospitals (whether they were patched is unclear). But HSE IT administrators failed to act on several warning signs that a massive attack was imminent.

Thus, fate took its course. The Conti Group initially demanded a $20 million ransom in cryptocurrency in exchange for the digital key to decrypt the compromised HSE servers. After the case became public and there was an outcry from the public, the Conti gang gave the HSE the decryption keys without paying a ransom. The cost of restoring the HSE IT system is estimated at around 530 million euros. Details can be found in the Conti cyber attack on the Conti cyber attack on the HSE (PDF). Brian Krebs has published some abridged version with further details in this post

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *