NZ firm helps Irish health service recover from ransomware attack

Authorities in Ireland have turned to a tool provided free-of-charge by Nelson-based cyber-security company Emsisoft to help the Irish health service recover from a devastating ransomware attack.

Emsisoft has also offered to provide free help to Waikato DHB which has experienced a similar cyber attack, although in the DHB’s case it is less clear what assistance it could immediately provide and it has yet to hear back on its offer.

The Irish Times reported that Ireland’s National Cyber Security Centre (NCSC) was assessing a tool offered by Emsisoft which might be able to restore the systems of the country’s health service, HSE, faster and more safely.

A tweet from Brian Honan, a director of Ireland’s not-for-profit computer emergency response team, Iriss-Cert, indicated Emsisoft’s tool was now in use there.


HSE’s hospital computer systems were crippled on May 14 by ransomware known as Conti, in what has been described as the most serious cyber-attack in Ireland’s history.

A gang purporting to be behind the attack last week offered HSE a “free” tool to clean up its systems after earlier reportedly demanding a US$20m (NZ$27.8m) ransom which HSE said it would not pay.

The Irish Times reported the tool provided by the gang was flawed and “buggy”.

Hackers can embed new malware in the clean-up tools they sell to their ransomware victims.

The newspaper reported that authorities had concluded restoring HSE’s systems using the hackers’ tool would probably take weeks and it might be quicker to instead manually restore them from back-ups.

St Luke's Hospital in Dublin is one of numerous hospitals in Ireland that may benefit from free help from a Nelson firm.


It is hoped Emsisoft’s tool will provide a third, better option.

It enables the decryption key provided by the hackers to be stripped out and instead embedded in the Nelson firm’s own clean-up tool, which the Irish newspaper said might be twice as fast and more stable.

Emsisoft chief technology officer Fabian Wosar told Stuff the company wasn’t involved in the actual recovery process in Ireland “and merely provide the means of decryption”.

“We know that the recovery is progressing quite well, and the first systems in some hospitals are back online,” he said.

“So far, the feedback has been quite positive and, obviously, we are delighted that we can help them and ultimately the Irish people, especially given the continued global pandemic.”

Wosar said that for privacy reasons, Emsisoft would not have commented on the role it was playing if HSE and the Irish authorities hadn’t made that public.

Waikato DHB is believed to be in a different situation from HSE as its attackers do not appear to have provided it with a decryption key that it could use to unlock its files.

That means it is likely to be in the position of trying to restore its systems from whatever back-ups it can be sure were safe from the attack.

A screenshot showing part of the ransom negotiation page on the darknet site of Conti, a Russian-speaking ransomware group, demanding $20 million from Ireland's publicly funded health care system.


Nevertheless, Emsisoft had offered to assist the DHB, Wosar said.

“At the beginning of the pandemic, we committed to provide any entity that is dealing with or is related to healthcare, whether it is a public or private entity, with our help for free and without any strings attached, and we will continue to do so until the pandemic is over,” he said.

“So if Waikato get their hands on the threat-actor decryption tool … we will gladly provide them with the same service we offered to HSE.”

The company had been trying to reach out to the DHB and authorities dealing with the incident, but hadn’t heard back yet, he said.

Emsisoft threat analyst Brett Callow said Emsisoft was also sometimes aware of bugs in ransomware programs that it could use to neutralise them.

But a snag was that it couldn’t advertise those capabilities, as “if the criminals knew we were exploiting a bug to break their encryption, they’d fix it”.

Callow said that had led to some frustrating situations, but also some successes.

“A US city got its data back for free because an employee leaked the ransom note onto Twitter.

“We saw it and contacted the city. Had it not been for that, they’d have paid. Their production data was encrypted and their backups had been deleted.”

But Wosar said that, unfortunately, the Conti ransomware that has crippled healthcare providers and others did not have any significant cryptographic flaws.

“So the availability of the threat-actor decryption tool is a requirement for us to do our job.”

Despite that, Callow has been a vocal proponent of making it illegal for organisations to pay or facilitate the payment of ransoms to get such keys – a suggestion so far rejected by Justice Minister Kris Faafoi.

The current state of affairs was not “a war” between ransomware attackers and defenders, but rather “a feeding-frenzy” for cyber-criminals, Callow said.
