HSE cyberattack: Initial tests on decryption tool ‘are positive’

21 May 2021

Image: © kras99/Stock.adobe.com

Authorities and IT specialists are carrying out assessments and tests on a decryption tool to determine if it’s safe to use.

More than a week after news of the Irish Health Service Executive (HSE) cyberattack first surfaced, a decryption tool that may unlock IT systems and decrypted files has been made available.

Authorities believe the tool came from the same cybercriminals who carried out the attack.

The National Cyber Security Centre (NCSC) and private IT specialists are testing and assessing the integrity of the decryption tool to determine its safety and compatibility with HSE systems.

Speaking on Morning Ireland this morning (21 May), Minister for Health Stephen Donnelly, TD, said “work is ongoing” in terms of testing the validity of the decryption tool and “the initial results are positive”.

“We need to be absolutely sure that this will help restore the health systems, rather than potentially cause further harm,” he added.

As well as assessing the decryption tool, Donnelly said other work to restore HSE systems is continuing. He said some services are now back online locally including the National Integrated Medical Imaging System (NIMIS), local laboratories and patient administration systems.

Donnelly also reiterated that no ransom has been paid by the Irish Government “directly, indirectly, through any third-party or any other way”.

The cyberattack was reportedly carried out by a gang known as Wizard Spider using Conti ransomware, which is operated by the attacker rather than an automated process.

High Court injunction

News of the decryption tool came as the HSE secured a High Court injunction to stop any illegal use of data stolen from its computer systems in the recent cyberattack.

According to The Irish Times, the cybergang behind the attack have been trying to communicate with HSE personnel via a messaging system attached to the $20m ransom note, claiming they will sell or publish private data if the ransom is not paid.

In an affidavit to the High Court, HSE chief executive Paul Reid said that all HSE data “is potentially compromised” and this includes data relating to diagnostics, oncology, human resources and payroll.

“This is a matter of grave concern for the HSE given the potential and imminent risk of publication of confidential medical and personal data relating to individuals contained on the HSE database system,” said Reid.

The injunctions were sought against “persons unknown” who are behind the attack. However, the court was told that the aim of the order is also to put legitimate information services such as Google and Twitter on notice of a legal prohibition on the sharing and publication of HSE information.

Reports earlier this week suggested that some personal and medical data has already been shared online.

In a Twitter thread, Castlebridge managing director Daragh Ó Brian warned of the dangers of the stolen data being released, particularly if it’s combined with other previously breached data, for example, from the recently reported leak of 533m Facebook users’ data.

Jenny Darmody is the editor of Silicon Republic