[BreachExchange] Irish Healthcare System Requires More Than $100 Million To Recover From the Conti Ransomware Attack

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Mon Mar 7 10:07:44 EST 2022


https://www.cpomagazine.com/cyber-security/irish-healthcare-system-requires-more-than-100-million-to-recover-from-the-conti-ransomware-attack/

The Irish healthcare system will spend over $100 million to recover from
the Conti ransomware attack that devastated the provider in May 2021.

Irish Foreign Minister Simon Coveney described the incident as a “very
serious attack.” Similarly, Irish Minister of State Ossian Smyth claimed it
was “possibly the most significant cybercrime attack on the Irish State.”

Many radiology appointments were canceled, while delays were experienced in
COVID-19 test result reporting and issuance of birth, death, and marriage
certificates, according to the RTÉ and the BBC.

Similarly, the attack affected pediatric services, maternity services, and
outpatient appointments. Conti demanded a $20 million ransom payment in
exchange for the decryptor, but the Health Service Executive (HSE) refused
to pay.

Irish healthcare system bleeding money after the 2021 Conti ransomware attack

Ireland has already spent $48 million to recover from the attack. The
expenses include $14.2 million for ICT infrastructure, $6.1 million for
external cybersecurity support, $17.1 million for vendor support, and $9.4
million for Office 365 subscriptions.

Additionally, the Conti ransomware attack crashed the HSE’s payment system,
affecting 146,000 people working in the healthcare system. Similarly, the
attack shut down 85,000 computers and plunged the healthcare system into
threat hunting mode.

According to RTÉ, the healthcare system will require more funds in the
coming months to fully resolve the impacts of the attack.

HSE’s interim chief information officer Fran Thompson disclosed the
enormous funding request in a letter addressed to Aontú party leader Peadar
Tóibín. Thompson projected that the cost could exceed $100 million,
excluding PWC’s recommendations.

“The HSE forecasts that the overall cost could be in the region of €100
million and further to this, the implementation of the recommendations of
the PWC report into the Conti will require a separate investment case which
is being commissioned by the HSE.”

Additionally, Mr. Tóibín suggested that the government consider other costs
like health impacts, lives lost, and inconveniences caused when patients’
appointments were canceled.

Ransomware attacks are usually expensive and carry additional costs like
reputational damage. It could take several years to recover the technical
debt, according to Brett Callow, a threat analyst at Emsisoft.

Callow notes that some of the expenditure is “catch-up spending” to address
the security weakness that enabled the attacks.

However, the healthcare system intends to adopt a multiyear implementation
plan around the required investment to prevent similar attacks.

Usually, the extortion amount reflects the gravity of the attack and the
effort required to restore the system. Consequently, many organizations
prefer to pay the ransom, which usually amounts to just a fraction of the
losses.

However, security experts and government agencies discourage the practice
because it does not guarantee decryption and recovery of the stolen files.
Additionally, it encourages similar ransomware attacks by the same groups
and others.

Conti ransomware targeted many healthcare organizations

The Irish healthcare system was hardly the only medical provider targeted
by Conti ransomware in 2021.

In May 2021, the FBI warned about Conti ransomware attacks “targeting US
healthcare and first responder networks, including law enforcement
agencies, emergency medical services, 9-1-1 dispatch centers, and
municipalities.”

According to CISA’s cybersecurity alert, Conti ransomware has been used in
more than 1,000 attacks globally.

Operated by the Wizard Spider group based in St Petersburg, Russia, Conti
ransomware is among the most dangerous advanced persistent threat actors.
The group employs social engineering tactics like spearphishing to harvest
credentials from its victims.

Additionally, it exploits common vulnerabilities and stolen Remote Desktop
Protocol (RDP) credentials to infiltrate networks. Conti ransomware’s
attack vectors include Trickbot and Cobalt Strike, CISA says.