Cyber gang demand $20m from HSE as ‘unencrypted’ files stolen

The ransom demanded by hackers from the HSE could be as much as $20m, according to an Interpol-associated security site, citing alleged exchanges between the ransomware gang and Irish authorities.

700GB of “unencrypted” files, including patient and employee information, are also alleged to have been stolen.

The claims are made in the respected online security website Bleeping Computer, which cites access to a cybersecurity researcher.

A spokesperson for the HSE declined to comment on the ransom and data theft claims and said that the issue was being handled by the National Cyber Security Centre.

Yesterday, HSE boss Paul Reid confirmed that a ransom demand had been made.

But Mr Reid said that government policy is not to pay ransomware demands.

HSE chief information officer, Fran Thompson, told Independent.ie that paying ransomware would only open a “Pandora’s Box”.

The thieves responsible for the attack, known as Conti gang, are known for ‘double extortion’ ransomware threats, demanding payment for unlocking data and, separately, for not releasing the data publicly.

The gang has targeted public schools and hospitals in the US this year and reportedly secured a €2m payment from the UK retailer FatFace in March. It is estimated to be responsible for dozens of international ransomware attacks so far this year.

The criminal gang is suspected to operate from Russia or one of the former Soviet countries, now known as the Commonwealth of Independent States.

Ransomware attacks are now a regular occurrence for Irish organisations. Last month, both the National College of Ireland and Technological University Dublin’s Tallaghts campus were hit by ransomware attacks.

That comes amid a 60 per cent rise in ransomware attacks last year, according to cybersecurity firm SonicWall. The jump came as the pandemic caused millions of people to access company systems from their home computers.

The average ransomware payout last year varied between €130,000 and €300,000 according to various security industry firms’ research.

Ronan Murphy, Chief Executive of Smarttech, has recently negotiated with the Conti ransomware group behind the HSE attack.

Mr Murphy said the gang are based out of St Petersburg in Russia and said they were “criminals but businesspeople” and that they "have a reputation to uphold".

“Number one is if you don’t pay; they will dump your data - be under no illusions there. Secondly, if you do pay; they usually decrypt your data and don’t publish it.

“They have to maintain a standard, and I know this sounds bizarre as I’m talking about really, really bad people, but they do have a reputation to uphold,” Mr Murphy said on RTÉ Radio.

While Mr Murphy said he does not condone or advocate for paying the ransom demanded by the group, he said this is the quandary faced by businesses and organisations targeted.

“They are going to have financial estimates of the cost of restoration and the cost of potential class action suits against the health service due to the data being leaked, and they will put a price on it.

“In my estimation, they would probably settle for €4-5m,” Mr Murphy said, based on previous negotiations he has held with the gang on behalf of companies.

The infosecurity professional said the nature of the data that has been encrypted by the gang will determine their stance if any negotiations take place with authorities.

The Government has been very clear that they will not negotiate or pay the ransom demanded.