[Security Weekly] Ireland’s National Healthcare System Disrupted by Conti Ransomware
3rd Week of May 2021
1. Ireland’s national healthcare system disrupted by Conti ransomware
Ireland’s Health Service Executive (HSE), the national healthcare system responsible for all healthcare and social services across the country, suffered from a massive ransomware attack initiated by the Conti ransomware gang. The attackers encrypted a number of HSE’s computers and forced the organization to shut down all its IT systems as a preventative measure.
The attack directly affected local hospital networks. Some of them had to cancel all outpatient appointments except for those seeking emergency treatments. Fortunately, HSE reassured that the COVID-19 vaccination sites remain unaffected and that the National Ambulance Service is operating as usual.
According to sources at Bleeping Computer, the Conti ransomware gang wrote a note claiming to have infiltrated HSE’s IT network for over two weeks and stolen over 700 GB of encrypted data. A $20 million ransom was demanded in exchange for the decryption key. Compromised data included personal information belonging to patients and employees, as well as employment contracts and financial statements.
Irish Prime Minister Micheál Martin said in a press conference that the country would not be paying any ransom to the attackers.
2. AXA hit by ransomware after dropping ransom payments from its insurance coverage
Paris-based insurance giant AXA’s Asia Assistance division was attacked by threat actors with the Avaddon ransomware, affecting its operations in Hong Kong, Malaysia, Thailand, and the Philippines. This came a week after AXA announced that it would no longer offer coverage for losses from ransom payments when issuing new cyber insurance policies in France.
Apart from operational disruptions, AXA also stated that the attackers may have accessed some data processed by Inter Partners Asia (IPA) in Thailand. Meanwhile, the Avaddon ransomware gang claimed on its leak site that it had stolen over 3 TB of sensitive data from AXA’s Asia Assistance, which included ID card copies, medical records, bank account information, insurance contracts, payment history, and insurance claim forms. AXA said that it had started notifying the affected victims.
The Avaddon ransomware gang also claimed to have launched a DDoS attack against AXA’s websites worldwide, taking them offline temporarily over the weekend of May 15.
3. Toshiba Tec’s European subsidiaries attacked by DarkSide ransomware
Toshiba Tec, a subsidiary of Toshiba that manufactures and sells retail and office equipment, was attacked by the DarkSide ransomware gang, disrupting the operations of its subsidiaries in Europe.
Toshiba Tec had to immediately shut down all IT networks in Japan and Europe to prevent the ransomware from spreading worldwide. Forensic experts were hired to investigate the incident as the company worked on system recovery and data backup implementation.
Toshiba Tec said that some information may have been leaked. This was later confirmed by leaked screenshots of the ransom message on DarkSide’s leak site, which itself remained out of service due to the loss of its servers. In the message, the ransomware gang claimed to have stolen 760 GB of data from Toshiba Tec, including copies of passports and work files.
After gaining global attention from its attack on Colonial Pipeline a week earlier, DarkSide was expelled from the Russian-speaking hacker forum XSS, while its leak site servers, payment servers, CDN servers, and DDoS botnets were reportedly seized by “law enforcement”, according to its rival, the REvil ransomware gang. Many are now questioning the trustworthiness of these reports as DarkSide continues to carry out attacks.