The News: Reuters reported on May 13, 2020 that Ireland’s health service announced it was completely shutting down all IT after experiencing a “significant” ransomware attack. The attack was blamed on threat actors targeting healthcare records. It has completely shut down COVID-19 testing, forced hospitals to cancel non-urgent appointments, and shut down diagnostic services. More from Reuters.
Ireland’s Health System Victim of Ransomware Attack, Completely Shuts Down
Analyst Take: Ireland’s Health Service system made the decision to shut down all IT systems to protect them from the attack and to allow a thorough assessment of the extent of the damage. In what is a ‘zero day’ attack, meaning the software maker has had zero days to become aware of and remedy the problem, threat actors exploited a previously unknown software vulnerability.
The attack targeted computers storing patient records. HSE reported that patient data hadn’t been compromised and that equipment was operating as needed, except for radiography services. The hospital quickly made the switch to paper records, but as of the initial reporting, hospitals shared that they were unable to access lists of patients scheduled for appointments in the coming week, and that operations might continue to be limited and/or, in some instances, shut down. Hospitals all over the country are affected by this ransomware attack, including a hospital in Dublin that was reported to be limiting admissions to women who are at least 36 weeks pregnant and emergency cases only.
This attack, coming on the heels of the attack on Belgium last week, shows that cyber threats are everywhere.
My colleague Fred McClimans and I covered this ransomware attack on Ireland’s Health System in this Cybersecurity Shorts episode of the Futurum Tech Webcast. You can find that conversation here:
Disclaimer: The Futurum Tech Webcast is for information and entertainment purposes only. Over the course of this podcast, we may talk about companies that are publicly traded and we may even reference that fact and their equity share price, but please do not take anything that we say as a recommendation about what you should do with your investment dollars. We are not investment advisors and we do not ask that you treat us as such.
Shelly Kramer: And also, I’m sure you saw this as well, Ireland’s health system was the victim of a ransomware attack, and it is completely shut down. They reported today that the health service was shutting off all IT, after they experienced a significant ransomware attack. And, that, “Significant”, was their wording. The attack was blamed on threat actors targeting healthcare records. Again, very robust areas of personally identifiable information. The attack has completely shut down all COVID-19 testing, hospitals have canceled all not-urgent appointments, all diagnostic services, and they’re only accepting emergency room appointments, and seeing women who are 36 weeks pregnant or more.
The attack actually targeted computers that were storing patient records. The hospital in Dublin was the one that was shutting down services. And, this is on the heels of what you talked about in our show last week, the attack on Belgium.
Fred McClimans: Right.
Shelly Kramer: So, the world over, we are seeing cyber attacks and threat actors shutting down hospitals, governments, pipelines.
Fred McClimans: There’s possibly a good side of that here, moving here. I say, “Possibly”. Because, we’ve been talking about the DarkSide, they recently, I think just yesterday, announced that they had some of their servers actually confiscated. Law enforcement have gone in and…
Shelly Kramer: Shut down.
Fred McClimans: … Shut down their blog server, their payment processing server, and their denial of service attack service. So, they had been seized based on a court order. We don’t know who. But, it is interesting because DarkSide, as we’ve talked about previously, they have gone out of their way to say, “Look, we’re a business operation. We’re not the bad guys here.” They’ve donated to charitable causes to [crosstalk].
Shelly Kramer: Whatever. That doesn’t make them good guys.
Fred McClimans: Right. But, now you see them and you see others, like REvil that we mentioned previously, stepping up and saying, “As part of our Crime Inc., or our cyber collaborative here of attackers, we’re not going to do work in the social sector for healthcare, education etc. We’re not going to do work on government sites, we’re not going to sanction that. We’re not going to sanction anything that is really that important that people’s lives could be at risk coming out of it.” That’s a couple of organizations saying that. And unfortunately, while that may set a tone moving forward, which is a bizarre thing to say, that we have organized crime saying, “Look, here are the rules of conduct that we’re going to put in place”. The reality is that there are so many rogue actors out there, and people that don’t have security. Clearly, the group that targeted Ireland’s healthcare system, that’s a different beast. And, we need to find a way to combat that, to stop that in its tracks. It’s gone too far.
Shelly Kramer: And, the good and terrible about the DarkSide servers being shut down, what’s interesting, they didn’t share what law enforcement agency or from which country seized control of their servers. I think that was a wake up call for them. But, as you said, REvil made changes in their operations, and they forbid people to work on government sector, the State of any country, as you said, work in the social sector, healthcare, educational institutions. And, they said they are requiring more information about the target be submitted by people who want to use their ransomware as a service offering so that it can be approved before they go and hack somebody. So, I thought that was interesting.
But, here’s the terrible part of this, though. What DarkSide said that they were going to do, as a result of their servers being taken down, is that they were going to go into dark mode. And, they were going to refrain from posting in underground forums, and they were going to instead communicate in more private ways. Now, one of the things that we talked about earlier was that Kaspersky operatives, cybersecurity operatives, saw postings from DarkSide in their forums. And that, when they post things in forums that are generally populated by threat actors, it does make that information available to be picked up by other organizations and people that are monitoring that. When they go into even more dark mode, that’s not necessarily a good thing.
Fred McClimans: No, it’s not. Think of the government and law enforcement here as an enterprise that’s collecting all this data that they in turn are going to put through a machine learning model to figure out, “What are the patterns? What are the behaviors?”. The more posts we see by a particular group, a threat actor, the more likely it is that we can identify the traits, the characteristics, and predict what their future post actions and attacks may be, based on their past behaviors.
So, going dark is fitting for a group called DarkSide, but it is unfortunate. But hey, maybe they’ll come back and they’ll really get that Robin Hood flag going and say, “Look, we’re actually doing a service here for everybody, because after we attack you and after we get a ransom, we’re actually going to tell you where your security lapses are. So, we’re sort of the white hat guys.” Which is, again, just a bizarre thought. I would not be surprised if they went down that path, from a PR perspective. Again, we’re talking about this organized crime group as a company with PR and operations.
Shelly Kramer: Yeah, but these are mostly Russian-based. Isn’t DarkSide Russian-based?
Fred McClimans: Russian-based, yes. They’re based in Russia, or Eastern European.
Shelly Kramer: No offense, but I don’t really want Russians… And, these are all part of the Russian… What is it? SDF or FSD? What’s it called, the acronym for their foreign services? FSD organization, which is all about doing dirty deeds, and espionage, and all that sort of thing. So yeah, I don’t really want somebody from Russia advising corporations anywhere in the world on what to do to fix their systems. Do you?
Fred McClimans: Not particularly. It becomes a question of whose best interests? The fact that somebody has been devious enough and bold enough to outright attack your organization, the credibility, in my mind, goes out the window. And, that’s different. If you really want to be a white hat actor out there, there are a lot of companies that offer…
Shelly Kramer: Absolutely.
Fred McClimans: …rewards and so forth. They would love to engage with people to figure out where the shortcomings in their systems are. But, this approach, “Yeah, we’re going to take you for two, four, five million dollars. And, then as an afterthought, we’ll tell you where your data is. And, we’ll also agree not to attack you again, after we’ve taken your money.”
Shelly Kramer: Sorry, can’t be trusted.
Shelly Kramer is a Principal Analyst and Founding Partner at Futurum Research. A serial entrepreneur with a technology centric focus, she has worked alongside some of the world’s largest brands to embrace disruption and spur innovation, understand and address the realities of the connected customer, and help navigate the process of digital transformation. She brings 20 years' experience as a brand strategist to her work at Futurum, and has deep experience helping global companies with marketing challenges, GTM strategies, messaging development, and driving strategy and digital transformation for B2B brands across multiple verticals. Shelly's coverage areas include Collaboration/CX/SaaS, platforms, ESG, and Cybersecurity, as well as topics and trends related to the Future of Work, the transformation of the workplace and how people and technology are driving that transformation. A transplanted New Yorker, she has learned to love life in the Midwest, and has firsthand experience that some of the most innovative minds and most successful companies in the world also happen to live in “flyover country.”