Ireland’s public healthcare system is rebuilding 2,000 applications and other systems from scratch after a ransomware attack that disrupted operations at hospitals, doctors’ offices and other services across the country.
Technology experts and external consultants working with the Irish Health Service Executive are taking steps to make sure the ransomware is eradicated from the organization’s computers, said Ossian Smyth, Irish minister of state for communications.
“We’re focused on firefighting, resolution, cleanup and rebuild,” he said.
Attackers used ransomware known as Conti to attack the healthcare system last Friday and had attempted to hack the Irish Department of Health one day earlier, the government said. The Irish government said it received a ransom demand that it won’t pay, but hasn’t confirmed the amount hackers sought. The country’s Department of Social Protection also fended off a similar attempted cyberattack six months ago, Mr. Smyth said.
Some health services are still disrupted and X-ray appointments are canceled, the HSE said Wednesday. The HSE advised employees to keep work devices turned off and said they are working to restore email and
Security consultants are creating a new network on which experts will rebuild the software systems, making sure there are no lingering traces of the ransomware, Mr. Smyth said. Hundreds of people are involved in the restoration of around 2,000 distinct systems from hospitals, doctors and clinics, many of which were previously operated by religious or private organizations and were later absorbed into the public organization, he added.
Paul Reid, director-general of the HSE, said this week it will likely cost tens of millions of euros and take weeks to repair technology systems damaged by the ransomware.
Three systems that the HSE created in the last year to deal with Covid-19 contact tracing, testing and vaccine management weren’t affected by the attack because they are based on new cloud technology, Mr. Smyth said. “I’d imagine the legacy systems on physical servers in data centers are probably much more vulnerable,” he said.
Richard Corbridge, who was the HSE’s chief information officer until 2017, said the organization’s technology infrastructure includes large-scale hospital systems that have been in use since the 1980s.
Irish officials don’t know who was behind the HSE breach, but believe the attackers bought the Conti ransomware from another group of hackers, Mr. Smyth said. He declined to say which country the group selling the ransomware comes from.
CrowdStrike Holdings Inc. said in an October report that a Russia-based group known as Wizard Spider uses Conti and other ransomware strains. Conti is designed to extort victims, and attackers have used it to steal data and then threaten to publish it online unless victims pay.
The hackers are very likely to publish stolen data from the HSE online and investigators are checking dark web forums, Mr. Smyth said. “We do have a responsibility to reassure people and prepare them for when that happens,” he said.
In other cases, hackers who have used the Conti ransomware look for sensitive information to steal and then provide an analysis of their ransom fee based on the type of data they have, damage to the organization, and whether exposing the data could lead to regulatory investigations or fines, said the chief executive officer of Smarttech247, a cybersecurity company based in Cork, Ireland.
“These guys know what’s valuable and what’s not. They’re going to have their homework done, they’re going to take the data that’s going to inflict the most pain,” he said.
Mr. Murphy said that in prior negotiations he conducted with Conti hackers, he found that after receiving payment, they ultimately restored data they had encrypted. Smarttech247 is helping hospitals investigate and monitor their networks for possible ransomware infections related to the HSE attack.
Last week’s attack on the HSE had much more significant effects in Ireland than the 2017 WannaCry attack that hit the U.K.’s National Health Service, among several organizations, Mr. Smyth said. The Conti attack was crafted specifically to disrupt Irish healthcare, he said.
After the WannaCry incident, U.K. officials sent a warning to the HSE, said Mr. Corbridge, then CIO of the Irish system. Technology staff had several hours to prepare for the attack and quickly disconnected the healthcare system from the internet, he said. The HSE tripled its help desk staff over that weekend four years ago and updated its systems.
The moves prevented disruption, he said. “It was a Friday, Saturday and Sunday in May without a pandemic. It was a time when the healthcare system had a little more capacity than it does today,” he said.
Write to Catherine Stupp at Catherine.Stupp@wsj.com
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved.