Ireland’s Health Service Executive ransomware attack (2021)

From International cyber law: interactive toolkit
Jump to navigation Jump to search
Date On 13 May 2021, Ireland’s National Cyber Security Centre (NCSC) was made aware of potential suspicious activity on the Department of Health (DoH) network[1] and in the morning of 14 May 2021 an attempt to run ransomware was reportedly prevented, with DoH IT systems shut down as a precaution.[2]

At 4 a.m. on 14 May 2021, Ireland’s Health Service Executive was alerted to a separate cyber incident.[3] It was later reported that the hackers had already been in the IT systems for at least a week before they were discovered.[4]

Suspected actor The same cybercrime group is believed to be behind both incidents given that a similar digital note was left on the DoH and the Health Service Executive systems.[5] The group responsible was identified as a criminal gang known as Wizard Spider, believed to be operating from Saint Petersburg, Russia.[6]
Target The Health Service Executive (HSE) – the publicly funded healthcare system in the Republic of Ireland, responsible for the provision of Ireland’s public health services in hospitals and communities across the country.[7] The attack has impacted all of the HSE’s national and local systems, which are involved in all core services.[8]
Target systems Microsoft Windows-based systems
Method A remote access tool known as Cobalt Strike Beacon was detected on the infected systems, suggesting that it was used to move laterally within the environment prior to executing the Conti ransomware payload.[1] The attack started when a single computer stopped working, causing its user (an HSE worker) to reach out for help by clicking on an infected link.[9]
Purpose The attackers most likely aimed at gaining financial profit – the group was reportedly asking the HSE for $20m (£14m) to restore services after the attack.[10] The Irish government insisted it did not, and would not, be paying the hackers.[10]
Result The attack disrupted services at several Irish hospitals. It resulted in a near complete shutdown of the HSE’s national and local networks, forcing the cancellation of many outpatient clinics and healthcare services.[11] The number of appointments in some affected areas dropped by up to 80%.[10]

HSE workers had to continue with paper records[10] and they were unable to access e-mail.[12] However, hospital emergency departments remained open, the national vaccination programme against Covid-19 was not affected and the testing system also remained fully capable and operational.[13]

Personal and medical information of patients and HSE staff was accessed in the attack, with a small amount of data (including sensitive information of 520 patients) shared on the dark web.[14][15]

Aftermath The cyberattack on the HSE has been described as the most significant in Ireland‘s history.[16]

On 20 May 2021, the HSE secured a High Court order preventing the hackers (or any individual or business) from sharing, processing, or selling the information stolen during the attack. The court injunction also applies to social media platforms such as Twitter, Google, and Facebook and therefore limits the hackers’ scope for disseminating the stolen data.[10]

On the same day, it was reported that the hackers provided a decryption key that could enable the HSE to recover their IT systems and the files that hackers locked and encrypted.[17]

In reaction to the attack, the HSE announced it would establish a cyber security operations centre to monitor its networks, and implement a full procurement process for the facility.[18]

On 23 June 2021, it was confirmed that at least three quarters of the HSE’s IT servers had been decrypted and 70% of computer devices were back in use.[18] However, it was estimated that it could take up to six months for the HSE systems to fully recover.[19]

Analysed in Scenario 14: Ransomware campaign

Scenario 20: Cyber operations against medical facilities

Collected by: Eva Šípková

  1. 1.0 1.1 National Cyber Security Centre, “Ransomware Attack on Health Sector - UPDATE 2021-05-16”, 16 May 2021.
  2. C. Lally, J. Horgan-Jones, A. Beesley, “Department of Health hit by cyberattack similar to that on HSE”, 17 May 2021, The Irish Times.
  3. What we know so far about the HSE cyber attack”, 15 May 2021, RTÉ.
  4. P Reynolds, “The anatomy of the health service cyber attack”, 23 May 2021, RTÉ.
  5. P Reynolds, “'No sense' other agencies affected by attack - Ryan”, 17 May 2021, RTÉ.
  6. P Reynolds,“'Wizard Spider': Who are they and how do they operate?”, 19 May 2021, RTÉ.
  7. Who We Are, What We Do”,
  8. What we know so far about the HSE cyber attack”, 15 May 2021, RTÉ.
  9. N O'Connor, “HSE ransomware attack began on a single computer when an employee clicked on a link”, 20 May 2021,
  10. 10.0 10.1 10.2 10.3 10.4 Irish cyber-attack: Hackers bail out Irish health service for free”, 21 May 2021, BBC News.
  11. Covid-19 jabs to go ahead in Ireland despite cyber attack”, 15 May 2021, BBC News.
  12. Health service disruptions”,
  13. A Cox, “HSE disruption will 'go well into this coming week' - Henry”, 16 May 2021, RTÉ.
  14. 2. If you are affected by a data breach”,
  15. G Lee, “HSE says stolen sensitive data of 520 patients on dark web”, 28 May 2021, RTÉ.
  16. Cyber-crime: Irish health system targeted twice by hackers”, 16 May 2021, BBC News.
  17. P Reynolds, “State did not pay ransom for decryption key - Donnelly”, 20 May 2021, RTÉ.
  18. 18.0 18.1 T Meskill, “Three quarters of HSE IT servers decrypted”, 23 June 2021, RTÉ.
  19. B Hutton, J Bray, “HSE may be impacted for six months by cyberattack, says Reid”, 16 June 2021, The Irish Times.