Sign in. It’s quick, free and it’s up to you.
An account is an optional way to support the work we do. Find out more.
HEALTH MINISTER STEPHEN Donnelly said this morning that there are “positive” signs that a decryption tool provided to the HSE may help unlock its IT systems.
The HSE shut down its IT systems last Friday after it became aware of a significant ransomware attack, with widespread disruption across the health service as a result.
Donnelly said it’s “not clear” why the decryption tool has been made available but that it was made available on a website linked to the criminal gang involved in the hack.
He also reiterated “categorically” that no ransom had been paid by the government in relation to the hacking.
“I can tell you and your listeners categorically that no ransom has been paid by this government directly, indirectly, through any third party or in any other way. And nor will any such ransom be paid,” he told Morning Ireland.
What is a decryption tool?
Essentially, what the cybercriminals have done is encrypted the HSE’s data and sought a ransom believed to be close to €15 million.
They claim to have accessed some 700 gigabytes of data including patients’ home addresses and other personal details.
Encrypting data usually jumbles it up in a way that makes it inaccessible, with a decryption tool then providing a way of accessing it.
Speaking to The Journal, Chief Information Security Officer at Stryve Paul Delahunty said that, if an encryption is strong, it could be “next to impossible” to break it without a decryption tool.
He cautions that, when such a tool is provided, the victim of the hack would be hoping it’s the same tool for all the files.
If this is not the case, he explains that you may still be able to access all the files but that it could take some time.
If they’re really clever, they may use different keys for different files and make it really complicated. What you can do, if you’ve got backups that are uncorrupted, and you’ve got the same file but the encrypted version of it, these tools can work to see if they can find the key that translates one into the other. The phrase around it is that you’ve got a ‘known plaintext’.
Wouldn’t it be dangerous to use a decryption tool that was provided by the criminals?
Absolutely, and this is why HSE tech teams have been proceeding cautiously after receiving the decryption tool.
The HSE said last night that “investigations would have to be completed” before it is used, with Donnelly saying today that tech teams were “testing it”.
In practice, this would mean first testing the decryption tool on isolated systems.
Even then, Delahunty says it’s not a case of “just rolling it out across the system”. He explains that it would have to be done “piece by piece…. making sure as they bring things back online that everything is okay.”
We’ve even got a recent public example of a decryption tool not working in the way that it should.
Earlier this week, US company Colonial Pipeline admitted paying $4.4 million in a ransom to Russian hackers for a decryption tool that didn’t resolve the issue.
After making the ransom payment on the night of 7 May, Colonial Pipeline received a decryption tool from the hackers but the tool so slow and unreliable that the company had to revert to restoring from their backups anyway.
The hack caused huge issues for the largest fuel pipeline system in the United States and the company justified paying the ransom on that basis, saying it was “the right thing to do for the country”.
But assuming the decryption tool does work, why would the hackers send it on without getting a ransom?
While it’s impossible to know for sure, there are a number of possible reasons.
The first being that the hackers have realised they will not get a ransom anyway.
As evidenced in the case of Colonial Pipeline, cybercrime gangs more commonly target companies where a ransom is perhaps more likely to be paid.
Brian Honan, cybersecurity expert and CEO of BH Consulting, said this was his theory.
My analysis would be that the criminals realised they were not going to get paid the ransom to release the decryption keys. The HSE also seemed to be making progress in manually restoring their systems, so the bargaining power for the criminals from this aspect of their extortion was weakening daily.
“So, by releasing the keys they have recast the issue to focus on the threat to publish the data, while perhaps showing the criminals in a more benevolent light”
“Another reason may be the criminals realised they bit of more than they could chew by taking down a nation’s health services and the repercussions of that, I am sure not many outside Ireland realise what the HSE is and how critical it is.”
Delahunty agrees, saying that the gang might want to take the focus off themselves while also accepting that they have already secured valuable personal data.
It’s already been confirmed that patient data from the hack has appeared on the dark web and the HSE is warning people to be wary of potential scams.
We’d like to remind people to remain alert to potential frauds. The HSE will not contact you seeking personal information or to ask for payment. pic.twitter.com/J0JKV8Vzzp
— HSE Ireland (@HSELive) May 21, 2021
“Maybe there’s a little bit of a sense of let’s take a little bit of heat off ourselves because we’re not really relying on the ransom. We have the data we can sell that on the dark web,” Delahunty says.
“So, it’s not a case of they don’t get their payday. They can get an even better payday by selling it off piecemeal on the dark web. Information about health is so so valuable.”
On this week’s episode of The Explainer we look at the impact of the HSE cyber hack:
The Explainer / SoundCloud
To embed this post, copy the code below on your site
“US company Colonial Pipeline admitted paying $4.4 million in a ransom”. Americans, especially those in the private healthcare sector, who pay the criminals are a big part of this problem. Make it a crime to pay the criminals and this will stop very quickly.
@Earth Traveller: that would meen it would be an offence to pay taxes.
Im with ya
@Earth Traveller: lol boy. You make it sound SO simple!! who’d have guessed it would be so easy to stop cyber crime! I’m sorry but that is an unbelievablely naive way of thinking. I agree that paying ransoms doesn’t help. But not paying them won’t stop it “very quickly” they’ll just sell the information to people who will pay for it. These guys will always profit in some way. They won’t just give up and go home if companies refuse to pay.
Its a conspiracy theory but im thinking our seat on the UN security Council has something to do with this. Come on like.. a Russian state sponsored cyber attack suddenly fixed. I wonder what favours we gave away.
@Bernard McWilliams: You’re right about one thing Bernard, it is a conspiracy theory. What have we got that could possibly interest Putin, I doubt he could even find us on a map.
@Justin Gillespie: I admit, I might be watching too much House of Cards. haha. But to answer your question briefly, we have Influence and voting power on key issues that concern Russian powerplays in global political theatre.
@Bernard McWilliams: Not convinced Bernard, if there was real power there we wouldn’t be let anywhere near it. Ireland is window dressing nothing more.
@Bernard McWilliams: another few hundred houses to rent for the ruskies
@Justin Gillespie: Your probably right Justin. For the movie Im thinking Jason Statham as Stephen Donnelly who’s hell bent on knocking the heads off Demetri and the gang, of course helped by Tony Holohan (played by Bruce Willis) Haha. Ive too much time on my hands…gd luck!
Pay them of you haven’t already and invest in good IT system for crying out loud.
I’d say other departments are scrambling to secure their systems
@Tom Ripley: did you read the article Tom? The hackers have given up on the ransom as they realised they weren’t going to get it. They’ve handed over the decryption tool that the ransom was meant to pay for.
@AL:
except the doxxware side of it
@Ixtrix Net: sorry I’ve no idea what that is unfortunately
@AL: doxxware is where an attacker exfiltrates (super sneakily steals) sensitive data from your computer systems then tries to Ransom said senstive data back to you. In other words give us money or all this super confidential data you have gets auctioned off on the darkweb to the highest bidder.
@AL: well if you believe the minister on this… Why hand it over they have gov over a barrel and they locked them in first place I don’t think good conscience won over Russian cyber criminal. They don’t seem the type to cave in so easily
@AL: I think the order to give the key came from higher up in Russia, none of these guys operate without state approval, that why they don’t operate in Russia.
@Tom Ripley: should hire them to fix our IT system.
@Pat Casey: I agree. Putin let’s these gangs operate and can stop them when he wants too. We saw that during the world cup there when there was no trouble with their local hooligans. My guess is that after Simon Coveney spoke to their foreign minister Lavrov a call was put in to the the hackers to restore the HSE network. Ireland is no enemy of Russia. The hackers can still make money from the stolen data.
@AL: the article does not say that the gang has given up on the ransom, that is mere speculation. Giving a decryption key is irrelevant. The gang has medical data on tens of thousands of people. That’s where the money is and I imagine down the line that the government will pay for the return of this data and an assurance that no further files will be sold.
Put aside how we got the decryption tool, even if this is rolled out and it takes a week to unencrypt everything we still have a problem. Can we trust the data now? No. Is every PC on the network clean? Again, no. So the data has to be restored to a point in time when everyone is confident there was no incursion, that could be several weeks and there will be some loss. Every PC will have to be examined, and maybe destroyed and replaced. It will be costly.
@Arch Angel: We have Google, Microsoft, Apple and Amazon who all make secure safe Cloud hosting tech. They are all based here and they I’m sure would sort us out in return for all those cosy tax brakes. All the tech giants are here. Once we get the data back and decrypted we could get the situation under control very easily.
Maybe Putin told them not to fu(k with the Irish!
@Jim Carolan: Too much heat with this one, an entire country now knows of this group.
@Jim Carolan: Indeed, the have heard about the FCA.
My guess is that the ransom is already paid.
The encryption tool was handed over the night the attack came to light. They announced their presence and gave the encryption tool as proof that what they were saying was true. It only came as a government announcement yesterday but they’ve had it all along. The ransom is so they won’t publish/release/sell the data they had already collected before they ever made themselves known.
@Louise Fleming: You want us to click a link in an article about a hacking scam?
@Daniel Kelly:
@Daniel Kelly:
@Daniel Kelly:
@Daniel Kelly:
@Daniel Kelly:
@Daniel Kelly:
Here lads, pull the other one
They wanted Data, not Deaths. They have the data. Now, if ransom is paid that data sill NOT be published on dark web. But by providing the Key they feel they might be preventing patient deaths and the ensuing possibility of murder charges down the road.
Anyone else feel a little uneasy about this goodwill decryption key?
Paying d ransom may get u d files back,but you’re dealing with crooks who’ll have made copies & sold them on d dark web.D HSE need 2 update the firewalls on their servers & the best people 2 do that r hackers. They think like ransomware so know where they’ll try & get into the system.
I got one in ALDI its like an Allen key only its star shaped ..wonder how much they will get for that x-ray of that ball bearing I swallowd..
Malware as a service. These gangs rely on a multitude of other criminal gangs to achieve their crimes. A criminal network if you like. Some of which may not be too happy about the gang taking down the health service and causing possible deaths. They’ve been getting quite a bit of stick on the dark web in relation to this breach. Honour amongst thieves and all that jazz. So it seems they’ve decided to release the key and focus on the extortion of money for non release of data. A much more noble pursuit !!!
have your say