Ireland is examining a decryption tool that could end a week-long shutdown of its healthcare service’s hacked IT system and has also secured a court injunction preventing sharing and publishing of stolen data.
In a statement on Thursday evening, Ireland’s government said a decryption tool had been made available “which may support the ongoing work [to] repair the impact of the cyber attack on the HSE’s (Health Service Executive’s) IT systems”.
As part of the attack, the hackers encrypted the HSE’s data so the HSE cannot access it. The tool will allow HSE to access data again, if it works.
Separately, Dublin’s High Court granted the HSE an injunction preventing anyone from sharing, processing, selling or publishing any data stolen by the hackers. The HSE said this action was designed to make it illegal for sites such as Google and Twitter to share the information.
The news came less than 24 hours after hackers warned that patient and other confidential data would be published online and sold unless a $20m ransom was paid by Monday. The hack, which began in the early hours of May 14, forced Ireland to shut down most of its healthcare IT systems, leading to huge disruption.
Health minister Stephen Donnelly stressed on Thursday that no ransom had been paid for the decryption key. An online chat seen by the FT shows that the key was offered by an account named ContiLocker Team.
Ireland has said that the Conti group of hackers is behind the attack. ContiLocker Team’s account has already shared a sample of 27 files including information related to 12 named individuals, the Financial Times reported on Wednesday.
The government said that investigators were now carrying out a “detailed technical process to ensure the integrity of this decryption tool . . . to ensure that this tool would support restoration of our systems, rather than cause further harm”.
Investigators have not confirmed the leak but Ireland’s communication minister Eamon Ryan, who oversees the National Cyber Security Centre, described the FT report as “credible and accurate”.
An entry to the chat between ContiLocker Team and an unnamed account on Wednesday night warned: “We will start to sell and publish your data on Monday.” The online chat is on the dark web, a section of the internet that can only be accessed through an anonymised browser known as Tor.
ContiLocker Team claim to have stolen 700GB of data from the HSE, including patient files, payroll information, bank statements and commercial documents.
The FT examined one medical file that included an admissions report, doctors’ letters and laboratory reports for one individual, along with contact details for their next of kin and other personal information. The details in the file matched a publicly available death notice.
Six days after the ransomware attack, doctors warned that patient care is being affected by postponed appointments for services including radiation, X-rays and cervical cancer checks, as well as difficulties accessing patients’ test results.
A senior executive at the HSE, Dr Vida Hamilton, on Thursday morning told Ireland’s RTE radio station that there was “enormous risk” in hospitals as a result of the hack. “We know nothing about the individual. We have no charts, no record number,” she said, describing how manual processes introduced “delay and risk for error”.
While hacks have claimed many other victims, including a recent ransomware attack on a US pipeline that triggered fuel shortages, scrutiny has increasingly turned to shortcomings that made the HSE vulnerable.
Reports in Thursday’s Irish Times described how internal audits flagged “weaknesses” in the HSE’s security controls and disaster recovery protocol as far back as three years ago.