On May 14, 2021, the Health Service Executive (HSE) in Ireland suffered a ransomware attack. The attack was conducted by the Conti ransomware gang, which demanded a $20 million ransom payment for the keys to decrypt files. The HSE shut down its computer systems that supported healthcare facilities throughout the country to limit the spread of the malware, with clinicians forced to use pen and paper to record patient data. Without access to computer systems, it was not possible to check patient records and many appointments had to be cancelled. Patients have continued to experience significant delays receiving treatment and test results.
Shortly after the attack the Conti ransomware gang took an unusual step and provided the decryption tools to the HSE free of charge. The motivation behind this move is unclear. While the HSE has been able to decrypt files without paying the ransom, the Conti gang still demanded payment to prevent the release of data stolen in the attack. Around 700GB of patient data is understood to have been stolen by the gang prior to the use of ransomware. The HSE said it will not be making any payment to the Conti ransomware gang.
Even with the decryption tools recovery has been slow. The HSE has around 2,000 systems and 4,500 servers and decrypting files is not a quick process. “Decryption takes much longer than the original encryption, and eradication involves additional tasks to ensure that the perpetrators have no access route back into our systems,” said HSE CEO Paul Reid to the National Parliament (Oireachtas) Joint Committee on Health.
It has now been over a month since the ransomware attack and the cost is continuing to increase. At a recent Oireachtas hearing, Reid explained that the immediate cost of recovery was $120 million, but that is just a fraction of the expected total cost of the attack.
Many of the affected systems had to be replaced or upgraded, and the HSE will also have to create a new security operation center to allow it to monitor its network on a more comprehensive basis. The HSE has so far only decrypted about 75% of the affected servers and the recovery is expected to take several more months. Reid said the cost of recovering from the attack is likely to be around $600 million.