It was last Thursday afternoon when officials at the Department of Health first noticed suspicious activity on their computer systems and contacted the National Cyber Security Agency.
Based at the Department of the Environment on Adelaide Road in Dublin and with a staff of about 30 IT specialists, its job is to manage cyber security incidents across Government and provide guidance and advice to citizens and business on these incidents.
The cyber attack, first on the Department of Health and then the HSE, turned out to be the most serious ever attack on the State's critical infrastructure.
The health infrastructure here had avoided another ransomware attack four years ago, when WannaCry infected a quarter of a million machines in 150 countries, including the UK’s NHS.
The NCSC activated its crisis response procedures and called in an outside commercial specialist IT incident response company.
Investigators found a remote-access tool known as "Cobalt Strike Beacon" on the system, which hackers use to move within computer networks before launching their virus and demanding a ransom - or as it is known in computer parlance "execution of a ransom payload".
The Department of Health acted quickly enough to prevent the cyber criminals from detonating their malware, known as Conti, on its systems.
IT specialists were able to detect, through a combination of anti-virus software and the deployment of tools, an attempt to execute ransomware and stop it.
The result is that these systems have not been as badly damaged and should be up and running again sooner.
The HSE, however, was not so lucky.
It first realised it was under attack in the early hours of Friday morning and by that time the criminals had executed their ransom payload.
The malware had been inserted and a digital ransom note had been left for the HSE.
Much like a kidnapper inviting someone to drop the money off, the note contained a link with an invitation to "chat" with the criminals on the Darknet with a view to paying a ransom to get the data back.
The organised cyber crime group behind the two attacks is a highly technically proficient gang of criminals known as ‘Wizard Spider’ and has been responsible for several cyber attacks all over the world.
Based in eastern Europe, they are interested not in terrorism or espionage, only money.
‘Wizard Spider’ has been carrying out ransomware attacks against a variety of organisations, state bodies, commercial corporations, healthcare facilities and hospitals since at least August 2018.
They have made millions from ransom demands and are a target of the FBI, the UK’s National Crime Agency, Interpol, Europol and now the Garda National Cyber Crime Bureau.
A document published online claiming to show the gang wanted $20m has been dismissed by those who are dealing with ‘Wizard Spider’ as "nonsense".
The gang is looking for millions to enable the HSE and the Department of Health to retrieve the data that has been lost, but the Government insists Ireland will not pay.
The damage, however, will cost millions.
The attack has badly damaged the HSE and the health services.
It has had to shut down its systems and bring in specialists to carefully go through each part of its network, step by step, find the malware, block malicious IPs and domain names, protect privileged accounts, clean, rebuild and update all infected devices, ensure antivirus software is up to date on all systems, make sure all devices are patched and ultimately restore the data.
It is a slow and complicated process and will take weeks, if not months, to complete. One specialist explained: "Move too quickly and you let them back in."
The HSE and the Department of Health are now responsible for rebuilding their own systems. The National Cyber Security Agency is providing support and assistance to both in responding to and recovering from the incident.
But in the words of one computer specialist, they are now "wounded sheep" and the NCSC is moving on to the greater threat.
NCSC is now on the lookout for further attacks to other networks. It has issued advice and warnings to other Government departments, statutory and voluntary organisations and commercial companies.
It is analysing the nature of this attack and has gathered information not only about who was responsible but what tools and techniques they used.
The NCSC knows how long the cyber criminals have been in the systems because it has found their digital footprints, but it still does not know how they got in: was it through a back-door security weakness, or did someone click on a link and let them in?
The Garda Cyber Crime Bureau is in charge of the criminal investigation and is liaising with Europol and Interpol. While they may identify individuals within the gang responsible, they are most likely to be in countries beyond the reach of this jurisdiction.
The gang members may be put on "no fly" and international watch lists which would confine them to their own countries but that is unlikely to deter them and it is unlikely that any of them will be brought to justice here.