[BreachExchange] 'Wizard Spider' cybercrime gang claim HSE attack spinning web of chaos over Ireland

Destry Winant destry at riskbasedsecurity.com
Wed May 19 10:49:27 EDT 2021


https://www.dublinlive.ie/news/dublin-news/wizardspider-cybercrime-group-hse-attack-20620163

Hackers known as Wizard Spider have been spinning a web of chaos since they
launched a ransomware attack on the Health Service Executive last week.

The Russian hackers have claimed responsibility for the most serious ever
cyberattack on Ireland's critical infrastructure.

The group, which is seeking a ransom of up to €20 million in cryptocurrency,
is not motivated by terrorism or espionage and only wants money.

Wizard Spider has been carrying out ransomware attacks against state
bodies, commercial corporations, healthcare facilities and hospitals since
August 2018.

They have made millions from ransom demands and are a target of the FBI,
the UK’s National Crime Agency, Interpol, Europol and now the Garda
National Cyber Crime Bureau.

The gang has recently begun using malware known as Conti.

Conti is a form of "double-extortion" ransomware, meaning that as well as
locking victims out of their systems by encrypting files and holding them to
ransom, it also steals the information stored on those systems.

Conti ransomware was first detected last July and was described at the time
as having unique features, notably faster encryption than other types of
ransomware.

Conti ransomware is also said to be a successor to the better-known Ryuk
ransomware.

The criminals behind the Conti ransomware allow other hackers to use it for
a share of any ransom payment made using the ransomware code.

Wizard Spider has also outsourced attacks to other criminal gangs in
exchange for a share of the ransoms that are paid.
However, most of the ransomware originates in Russia, and Russian hackers are
suspected of the Irish attack.

It's not yet known exactly how the Wizard Spider hackers gained access to
the HSE's IT system.

The criminal cyber attackers had inserted malware and left a digital ransom
note by the time the HSE realised it had been targeted on Friday morning.

The note contained a link with an invitation to "chat" with the criminals
on the Darknet with a view to paying a ransom to get the data back.

Both the HSE and the Government have said they will not pay a ransom.

The HSE has shut down its systems and brought in specialists to carefully
go through each part of its network to find the malware, block malicious
domain names and ultimately restore the data.

This process could take weeks, if not months.

The HSE is the latest in a long list of victims targeted by Wizard Spider.

The Scottish Environmental Protection Agency was targeted by Wizard Spider
last Christmas Eve.

The hackers stole more than 4,000 files. SEPA refused to meet their ransom
demand and the files were published on the Dark Web.

Terry Ahearn, SEPA’s chief executive, said: “It was clear once we worked
with other partners that the right thing to do was not to pay the ransom.

“That had some implications, but I just think the idea of using public
money to pay the criminals a ransom is not an easy thing to do.”

The ransomware attack ultimately cost taxpayers £800,000, as SEPA spent
£458,000 on stabilising its business IT platform as well as file recovery.

Last month, a school district in Florida was another target of Wizard
Spider.

Broward County Public Schools, the sixth-largest school district in the
United States, was hacked and a ransom of $40 million in cryptocurrency was
demanded.

The hacker gang encrypted data and threatened to erase the files and post
students’ and employees’ personal information online.

However, Broward County Public Schools said there is no indication that
personal information was stolen and that it would not make an extortion
payment to the ransomware gang.

Last December, chip maker Advantech was a victim of Wizard Spider.

The hackers posted company data stolen during the ransomware attack to their
darknet website.