Conti attack on HSE: Irish High Court prohibits sharing stolen data

The released injunction should repeal hackers from using HSE data but leaks still possible

A new court injunction might prevent hackers from selling or using stolen data in any other way

Health Service Executive (HSE), the publicly funded healthcare provider in the Republic of Ireland, had suffered from a massive cyberattack on May 14, 2020. As a precaution, all of its IT networks were shut down to prevent the further spread of the ransomware as soon as it was spotted. The whole attack severely disrupted healthcare services in the country.

Threat actors behind the malware encrypted files on computers and servers and threatened to use all the data stolen from HSE during the attack if a ransom of $20 million^[1] won't be forwarded to them. Irish High Court was quick to react to this incident and has issued an order to prevent the unknown parties from selling, sharing, or publishing the stolen data with anyone.

The injunction also commands to return the stolen data and urges the cybercriminals to give up their names, emails, and whereabouts. However, the primary purpose of this order might be to inform Google, Twitter, and other legitimate service providers that any publications or sharing of stolen HSE data is prohibited. The order was uploaded to Tor dark website, which is related to the HSE attack.

Exposing HSE files might be harmful to patients and the whole healthcare system

During the two-week span that cybercriminals claim they've spent monitoring HSE systems, they might have stolen various data that could be misused for different purposes. The stolen information might include:

• personal details of the patients (addresses, phone numbers, etc.),
• personal employee data (contracts, addresses, scans of personal documents, etc.),
• payrolls,
• confidential documents,
• settlements with partners,
• contracts,
• financial statements,
• customer bases,
• banking information, and other possibly sensitive data.

HSE chief executive Paul Reid commented on the situation by stating:^[2]

This is a matter of grave concern for the HSE given the potential and imminent risk of publication of confidential medical and personal data relating to individuals contained on the HSE database system.

Almost a week since the initial attack, the group responsible for it has provided the HSE with a free decryption tool. Researchers have tested it out, and with the available ransomware samples, have reported^[3] that the tool does what it's supposed to.

Conti ransomware group responsible for the attack

The ransomware that infected HSE networks was identified as Conti,^[4] a hazardous malware that can be aimed at big corporations and regular people as well. It's known that this infection downloads tons of various data from the affected machines.

Then it encrypts all non-system files on them, renames the files by appending the .FEEDC extension (in this particular case) to their original filenames and makes them inaccessible until a required software or decryption key is used. The stolen data is kept as leverage until the ransom is paid.

Hackers behind the Conti ransomware attack against HSE are believed to have ties with a Russian cybercrime group called Wizard Spider. They've acknowledged^[5] that they had access to HSE systems for about two weeks. During this period, they claim to have stolen more than 700GB of valuable information.

The Prime Minister of Ireland, Taoiseach Micheál Martin, has said that they won't be paying the ransom, which is a whopping $20 million or engage with the perpetrators behind the HSE cyberattack in any way.

Nonetheless, criminals are still demanding a payment of $19,999,999, or the stolen data will be published online. That's where the newly released order should come in handy, as foreign governments and ISP providers should all help one another.