Ransomware attacks: case studies

In May 2021, the Irish Department of Health was hit by a ransomware attack, with the HSE hit by the same perpetrators the following day. The attack caused significant numbers of outpatient appointments to be cancelled, with the numbers of appointments dropped in some areas reaching up to 80 per cent.

With the health service using 2,000 systems and over 4,500 servers, the attack was described by HSE National Clinical Advisor Vida Hamilton as a “major disaster” that was “affecting every aspect of patient care”. Reports of patient records being shared online were deemed to be “credible” by Minister for the Environment, Climate and Communication Eamon Ryan TD, with the Financial Times reporting that they had seen files and screenshots from the hack. One file was said to have included the details of a man in palliative care, the authenticity of which was verified by the paper by matching with a death notice.

With a criminal investigation being led by the Garda National Cyber Crime Bureau, working with the National Cyber Security Centre and the HSE, a spokesperson for the Department of the Environment, Climate and Communications, which includes the National Cyber Security Centre, said there was a risk “that the medical and other data of patients will be abused, either for fraud or be means of public release”.

The ransomware used was reported to have been Conti, a ransomware that has been observed since 2020, which affects all versions of Microsoft Windows. The cybercrime group known to utilise the Conti ransomware is Wizard Spider, based in St Petersburg, Russia and known for their prior use of the Ryuk ransomware. Conti uses its own implementation of AES-256 that uses up to 32 individual logical threads, making it much faster than most ransomware, although the method of delivery is not clear. Once on a system, the ransomware will attempt to delete volume shadow copies and terminate a number of services using Restart Manager to ensure it can encrypt files used by them. It will also disable real time monitor and uninstall the Windows Defender application. Default behaviour is to encrypt all files on local and networked Server Message Block drives, ignoring files with DLL, .exe, .sys and .lnk extensions. It is also able to target specific drives as well as individual IP addresses.

Despite demanding a ransom of almost €17 million, the group eventually provided a decryption key to the Government free of charge, with Minister for Health Stephen Donnelly TD stressing that no ransom had been paid or would be paid. Despite the provision of the key, the group still threatened the mass leaking of health records unless ransom was paid, saying the Government “should understand that we will sell or publish a lot of private data if you will not connect us and try to resolve the situation”.

In May 2017, the WannaCry ransomware attack afflicted over 200,000 computers in over 150 countries. The attack would end up costing the UK Government £92 million and run up global costs of £6 billion.

Britain’s NHS was brought to a standstill for several days due to the WannaCry outbreak, affecting hospitals and GP surgeries across England and Scotland. Although the NHS was not specifically targeted, the global cyber-attack highlighted security vulnerabilities and, much like the HSE attack after it, resulted in the cancellation of thousands of appointments and operations. Staff were forced to revert to pen and paper and use their own mobiles after the attack affected key systems, including telephones.

WannaCry exposed a specific Microsoft Windows vulnerability, with most of the NHS devices infected with the ransomware found to have been running the supported, but unpatched, Microsoft Windows 7 operating system. The ransomware also spread via the internet, including through the N3 network, the broadband network connecting all NHS sites in England.

The attack used Eternalblue, the software vulnerability in Microsoft’s Windows operating system, and exploited the Microsoft Server Message Block 1.0. The attack was stopped by an accidental kill switch discovered by a computer security researcher, who registered a domain that the ransomware was programmed to check.

SamSam ransomware was identified in late 2015, but it was in 2018 that it gained much more prominence after infecting the city of Atlanta, the Colorado Department of Transportation and the Port of San Diego, all in the US, abruptly stopping the services of those affected.

In the same year, two Iranian hackers were accused of using SamSam against more than 200 organisations and companies in the U.S. and Canada, including hospitals, municipalities, and public institutions. A loss of $30 million is estimated as a result of the attacks. The city of Atlanta was reported to have spent more than $2 million to repair the damage wrought by the SamSam attacks. The Indiana hospital Hancock Health paid its ransom of $55,000.

To spread, this type of ransomware often exploits vulnerabilities in Remote Desktop Protocols and File Transfer Protocol. Once the SamSam attackers gained a foothold within their targeted network, they used a variety of grey-hat and systems administrator tools to escalate their own privileges with the goal of obtaining domain controller powers. As soon as they had the domain administrator password, the SamSam attackers would take control of the domain controller and leverage it to distribute the ransomware to every machine on the network after performing tests to ensure that the domain controller had write privileges to the machines under its bailiwick.