- The HSE is already tentatively decrypting files by using a key provided by the Conti ransomware group.
- The actors are still threatening to leak patient data if they don’t get paid by the Irish government.
- The hospital operations aren’t expected to return to normal status any time soon.
In an unexpected turn of events, it reported that the HSE (Irish Health Services) received a valid decryption key from Conti, the ransomware gang that crippled its systems a few days ago. As we covered previously, the agency has made a public announcement to clarify that they’re not willing to pay Conti any money, even if that means they’ll have to pay tens of millions of euros to get their systems back up and running. Also, only yesterday, we received reports about patient data from that attack appearing on the dark web.
It is unclear why Conti had a change of mind - or a change of heart if you prefer - but the doctor pleads that appeared on various online media outlets may have played a role in that. Ransomware attacks against hospitals, let alone entire national healthcare organizations, are risking human lives, and as such, are utterly unethical. Already, the systems have remained paralyzed for over a week, and even with a valid decryption key, it’ll take a while before everything is back to fully operational status.
One thing to note here is that Conti may not have given up on its hopes to get a payment after all. Although they have provided the decryption key for free, the threat to publish patient data hasn’t been retracted. As such, the actors may have realized that decrypting hospital systems and letting doctors do their job would be the right thing, but the Irish government is still called to pay them the ransom - which is set to $20 million.
The HSE has already secured a High Court order to make the sharing, distribution, processing, or selling of patient information stolen by Conti illegal, trying to deter members of the channel of distribution. It is unlikely that these crooks will be touched by this legal effort, though, as they remain anonymous and free to continue their grisly activities. However, the court order will still play a role in slowing down the dissemination of stolen data.
According to the most recent report that comes from the Irish Examiner, the decryption key provided by Conti is working, and “initial results are positive.” However, it was also noted that they are using it with caution to avoid suffering a second compromise, a result of possible trickery. After all, this is something provided by the threat actors, so trusting it blindly isn’t easy.