Irish Health Service ransomware attack happened after one staffer opened malware-ridden email

Ireland’s Health Service Executive (HSE) was almost paralysed by ransomware after a single user opened a malicious file attached to a phishing email, a consultancy’s damning report has revealed.

Issued today, the report from PWC (formerly known as PriceWaterhouseCoopers) said that the hugely harmful Conti ransomware infection was caused because of the simplest attack vector known to infosec: spam.

PWC said, in the report’s executive summary:

“The Malware infection was the result of the user of the Patient Zero Workstation clicking and opening a malicious Microsoft Excel file that was attached to a phishing email sent to the user on 16 March 2021.”

Even worse, PWC said HSE personnel had spotted the WizardSpider crew behind the infection operating on HSE networks – yet “these did not result in a cybersecurity incident and investigation initiated by the HSE”.

“As a result, opportunities to prevent the successful detonation of the ransomware were missed”.

PWC also said that the WizardSpider criminal crew who pwned the HSE probably “exploited an unpatched known vulnerability” to gain access to the HSE’s Active Directory domain. The vuln was not identified in its full report, potentially suggesting it may still exist in corners of the HSE network.

HSE chairman Ciarán Devane said in a canned statement today: “It is clear that our IT systems and cybersecurity preparedness need major transformation. This report highlights the speed with which the sophistication of cyber-criminals has grown, and there are important lessons in this report for public and private sector organisations in Ireland and beyond.”

The HSE was found wanting in its own after-action review, the exec summary of which is downloadable here as an 18-page PDF. The full report is 157 pages long (PDF) and includes colourful graphics and charts too.

Ireland’s National Cyber Security Centre (INCSC) named the ultimate payload, executed two months after initial access was established, as Conti v3; a 32-bit executable that encrypts all within its grasp.

Two months after gaining access, Conti hit the big red button: a large part of Ireland’s health service lost its IT systems as responders struggled to contain the ransomware infection. Before that, however, antivirus on HSE endpoints detected both Cobalt Strike and Mimikatz being deployed on the so-called Patient Zero workstation.

In a five-day timespan during early May 2021, WizardSpider had compromised systems in five separate hospitals, pwning a further three by 12 May. Although the hospital’s internal security team were notified by its external “cybersecurity solutions provider” to unusual alerts, not enough action was taken before WizardSpider deployed their main Conti ransomware payload on 14 May.

We saw, we came, we conquered

There was a late chance to stop the ransomware extortionists which was missed, as PWC recounted:

The antivirus provider was not named in the PWC report.

Meanwhile, another hospital initiated its incident response plan. This resulted in 4,500 passwords being reset, firewall config changes being made and lots of similar security-related activity. Unfortunately, despite that hospital telling the central HSE team they had identified suspicious activity on two HSE servers, the HSE “incorrectly concluded in an email between the HSE teams that the suspicious activity originated from Hospital A, rather than the other way round.”

The report, an unusually candid document to be made public, will be fascinating reading for any organisation trying to better prepare itself for one of the worst security threats of all. Doubtless it’ll be useful to infosec managers too as their orgs move into budget-setting mode for 2022. ®

READ MORE HERE