Ireland’s Health Service Executive ransomware attack (2021)

From International cyber law: interactive toolkit
Revision as of 12:53, 16 August 2021 by Uncleistvan1BBB (talk | contribs) (adding scenarios)
Jump to navigation Jump to search
Date 14 May 2021 (The Health Service Executive was alerted to the attack at 4am).[1] Unknown to anyone the hackers had already been in the IT systems for at least a week before they were discovered.[2]

One day earlier (13 May 2021), the National Cyber Security Centre (NCSC) was made aware of potential suspicious activity on the Ireland’s Department of Health (DoH) network[3] and in the morning of 14 May 2021 an attempt to run ransomware was prevented, with DoH IT systems shut down as a precaution.[4]

The same cybercrime group is believed to be behind both incidents thanks to a similar digital note left at the DoH and the Health Service Executive systems.[5]

Suspected actor The group responsible was identified as a criminal gang known as Wizard Spider, believed to be operating from Saint Petersburg, Russia.[6]
Target The Health Service Executive (HSE) – the publicly funded healthcare system in the Republic of Ireland, responsible for the provision of all Ireland's public health services in hospitals and communities across the country.[7] The attack has impacted all of the HSE national and local systems, which are involved in all core services.[8]
Target systems Microsoft Windows-based systems
Method Cobalt Strike Beacon was detected on infected systems, suggesting that it was used to move laterally within the environment prior to executing the Conti ransomware payload.[3] The attack started when a single computer stopped working, causing its user (HSE worker) to reach out for help by clicking on an infected link.[9]
Purpose The attackers most likely aimed at gaining financial profit – the group was reportedly asking the HSE for $20m (£14m) to restore services after the attack.[10] The Irish government insisted it did not, and would not, be paying the hackers.[10]
Result The cyberattack on the HSE has been described as the most significant in Ireland‘s history.[11] The HSE took the decision to shut down all of its IT systems as a precaution in order to assess and limit the impact.[3]

The attack disrupted services at several Irish hospitals. It resulted in a near complete shutdown of the HSE's national and local network, forcing the cancellation of many outpatient clinics and healthcare services.[12] The number of appointments in some areas of the system has dropped by 80%.[10]

HSE workers had to continue with paper records[10] and they were unable to access email.[13] However, hospital emergency departments remained open, the national vaccination programme against covid-19 was not affected and the testing system was also fully capable and continuing.[14]

Personal and medical information of patients and HSE staff was accessed in the attack, with a small amount of data (including sensitive information of 520 patients) shared on the dark web.[15][16]

Aftermath On 20 May 2021, the HSE has secured a High Court order preventing the hackers (or any individual or business) from sharing, processing, or selling the information stolen during the attack. The court injunction also applies to social media platforms such as Twitter, Google, and Facebook and therefore limits the hackers' scope for disseminating the stolen data.[10] On the same day, it was reported that the hackers provided a decryption key that could enable the HSE to recover their IT systems and the files that hackers locked and encrypted.[17]

In reaction to the attack, the HSE will establish a cyber security operations centre to monitor the HSE network, and a full procurement process for the facility will be also getting under way.[18]

On 23 June 2021, it was confirmed that at least three quarters of the HSE's IT servers had been decrypted and 70 % of computer devices were back in use.[18] However, it is estimated that it may take 6 months for the HSE systems to fully recover.[19]

Analysed in Scenario 14: Ransomware campaign

Scenario 20: Cyber operations against medical facilities

Scenario 23: Vaccine research and testing

Collected by: Eva Šípková

  1. What we know so far about the HSE cyber attack”, 15 May 2021, RTÉ.
  2. P Reynolds, “The anatomy of the health service cyber attack”, 23 May 2021, RTÉ.
  3. 3.0 3.1 3.2 National Cyber Security Centre, “Ransomware Attack on Health Sector - UPDATE 2021-05-16”, 16 May 2021.
  4. C. Lally, J. Horgan-Jones, A. Beesley, “Department of Health hit by cyberattack similar to that on HSE”, 17 May 2021, The Irish Times.
  5. P Reynolds, “'No sense' other agencies affected by attack - Ryan”, 17 May 2021, RTÉ.
  6. P Reynolds,“'Wizard Spider': Who are they and how do they operate?”, 19 May 2021, RTÉ.
  7. Who We Are, What We Do”,
  8. What we know so far about the HSE cyber attack”, 15 May 2021, RTÉ.
  9. N O'Connor, “HSE ransomware attack began on a single computer when an employee clicked on a link”, 20 May 2021,
  10. 10.0 10.1 10.2 10.3 10.4 Irish cyber-attack: Hackers bail out Irish health service for free”, 21 May 2021, BBC News.
  11. Cyber-crime: Irish health system targeted twice by hackers”, 16 May 2021, BBC News.
  12. Covid-19 jabs to go ahead in Ireland despite cyber attack”, 15 May 2021, BBC News.
  13. Health service disruptions”,
  14. A Cox, “HSE disruption will 'go well into this coming week' - Henry”, 16 May 2021, RTÉ.
  15. 2. If you are affected by a data breach”,
  16. G Lee, “HSE says stolen sensitive data of 520 patients on dark web”, 28 May 2021, RTÉ.
  17. P Reynolds, “State did not pay ransom for decryption key - Donnelly”, 20 May 2021, RTÉ.
  18. 18.0 18.1 T Meskill, “Three quarters of HSE IT servers decrypted”, 23 June 2021, RTÉ.
  19. B Hutton, J Bray, “HSE may be impacted for six months by cyberattack, says Reid”, 16 June 2021, The Irish Times.