Cybercrime: Blackmailers provide Ireland decryption tool without ransom

Surprising breakthrough in the Irish cyber extortion case: the attackers of the HSE health administration have handed over a tool to the Dublin government that can be used to restore the data encrypted during the attack. Ireland’s Health Minister Stephen Donnelly told the Irish broadcaster RTÉ that no ransom had been paid. The government neither dealt with the blackmailers directly nor made a deal “through a third party”. No ransom will be paid in the future either.

According to as yet unconfirmed chat logs circulating on the Internet, the cybercrime group responsible for the “catastrophic hack” is demanding a ransom of US$20 million. On their darknet page, the perpetrators informed the HSE: “We provide free decryption tool for your network”. At the same time, they continued to threaten: “But you should understand that we will sell or publish a lot of personal data if you do not contact us and try to resolve the situation.”

It is not clear why the attackers made the decryption tool available for free, Donnelly said. The Russian cybercrime group “Wizard Spider” is credited with both the attack on the HSE and the parallel, unsuccessful attack on the Irish Ministry of Health.

Other online extortionists based in Russia, such as DarkSide and REvil, announced last week that they would no longer attack any “social sector” organization, such as health and educational institutions, following the cyber attack on the operator of the Colonial Pipeline in the USA. The public administration infrastructure of any country is generally off limits as well, they said. U.S. President Joe Biden had previously threatened to take “decisive action” against the ransomware networks involved.

Irish Prime Minister Micheál Martin on Friday welcomed the release of the software required for data decryption. However, much work is still needed to bring the largely shut-down health system back into operation. Sensitive patient data may have been siphoned off, the Taoiseach (Irish Prime Minister) conceded. However, he pointed out that the HSE had obtained an injunction from the High Court, the country’s highest court: it makes it a criminal offense to publish information obtained illegally or stolen from the health administration.

The main purpose of the court order is to inform Internet companies with upload platforms, such as Google, Facebook and Twitter, about the legal ban on sharing and publishing the information in question. Martin praised the cooperation so far with social media companies in connection with the attack and their willingness to immediately delete “accidentally” published data from HSE systems. Against darknet forums, however, the ruling is largely ineffective because their operators are difficult to track down.

HSE chief Paul Reid stressed on Twitter that the administration’s IT systems could not be reactivated with a single click, even with the decryption codes. After importing the backups, staff are continuing to “securely restore” services and databases. The authority is examining the specific effects of the decryption software. He estimates that the consequences of the attack will be felt for a few more weeks.

In the USA, the FBI issued a warning about Conti in parallel. It has already identified at least 16 attacks using the encryption Trojan that targeted health care networks and emergency services. The extortionists have attacked more than 400 organizations around the world, including more than 290 in the United States. According to police, the group’s latest ransom alone is worth up to $25 million.

Experts from IT security company Sophos recently described a Conti attack they tracked as potentially very quick and devastating. Forensic analysis shows that “the attackers exploited holes in the firewall to compromise the network and gain access to the domain administration data in just 16 minutes”. “Cobalt Strike agents” are deployed on Windows servers, which become the backbone of the ransomware attack. What makes it special is that the cybercriminals control everything themselves and do not rely on an automated routine.


(BME)
