Irish Health Service Says It Will Take Weeks and Tens of Millions of Euros to Get Back Online

• The Irish Health Service is not expecting to restore its IT systems soon, and it’s gonna cost a lot.
• Hospitals are now operating in “handwritten notice” mode, and all appointments have been canceled.
• The Conti group also attempted to hit the Department of Health, but their encryption effort failed.

It’s been a couple of days since the Irish National Cyber Security Center informed the public about a ransomware attack on the public health sector (HSE), and the organization is now in a position to give an estimation of when it’ll get back online. According to the latest information, it will take several weeks to recover from the ransomware attack, and rebuilding all of the affected IT systems will cost the operator tens of millions of euros.

The attack was the work of the ransomware group known as “Conti,” which launched the attack on Friday. The HSE responded by shutting down its systems to prevent the malware from propagating to the entire network. Thankfully, the COVID-19 vaccination program wasn’t affected by this incident, but all hospital appointments across the country were canceled. Health Minister Stephen Donnelly made the following statement on Twitter:

Hundreds of people are working flat out in response to this despicable cyber attack on our health system and on patients. We're focused on getting health services and appointments for patients back on track as quickly as possible. (1/4)

— Stephen Donnelly (@DonnellyStephen) May 17, 2021

HSE’s COO Anne O’Connor told a local broadcaster that some systems are still working, albeit at a very slow pace due to the need to transcribe everything manually. As O’Connor described, hospital personnel is currently running around delivering hand-written results. Also, the official confirmed that the information of some hospitals was compromised, but this will be a matter to be investigated by the data protection office at a later stage.

The Irish Government has made it clear that they won’t pay the crooks any money, so there will be no negotiations with Conti. The ransom demand was set to $20 million in Bitcoin, and the threat also involves the leaking of 700 GB of unencrypted files that were stolen in the attack. The actors claim that these files include employee and patient information, payroll details, contracts, financial statements, and more.

Interestingly, NCSC’s report claims that Conti attempted to hit the Department of Health first, last Thursday, but they were only able to deploy Cobalt Strike beacons. No encryption ever took place there, and the investigators believe it was the presence of up-to-date systems and security tools that detected the ransomware payload and stopped it from executing. Unfortunately, the HSE systems weren’t protected equally well, and the results of this negligence were catastrophic.