No ransom has been paid by the Irish State in order to secure a decryption key to unlock Health Service Executive and Department of Health data stolen during a ransomware attack, the Minister for Health has said.
The organised cyber crime group behind the attack has provided the decryption key, which is now being checked by the commercial IT specialist company employed by the HSE, but there is some evidence that it works.
The decryption tool may be able to unlock the data that was disabled by the ransomware, but it will not be utilised on HSE systems until the IT specialists are certain it does not contain any other malware and will not further damage the systems.
This is expected to take a few days as it will have to be first tested on virtual systems.
However, the organised cyber crime group still have the stolen data and can still put confidential patient information and medical records into the public domain and sell it on to other criminals for extortion and blackmail.
Minister for Health Stephen Donnelly said no ransom has been paid by the State in order to secure the key.
The National Cyber Security Centre and gardaí believe the organised crime group behind the attack is known as 'Wizard Spider' and is based in and around St Petersburg in Russia.
It primarily uses three types of ransomware - Trickbot, Ryuk and Conti.
Conti is the ransomware used to attack the HSE and the Department of Health.
A message online purporting to be from the Conti ransomware gang posted this afternoon says "we are providing the decryption tool for your network for free but you should understand that we will sell or publish a lot of private data if you will not connect us and try to resolve the situation."
Law enforcement agencies say cyber crime gangs often offer their victims a decryption key as proof of what they have done and because it is the data that is the valuable asset.
Some also suggest the criminals may have been put under some pressure in their own country or countries because of the damage they have done to the health service here, in particular to hospitals and clinics caring for children, cancer patients, elderly and seriously ill patients.
The Government has already been in contact with the Russian authorities about the cyber attack and the damage it has done to the health service.
A spokesman for the HSE said they were aware of the report but said their sole focus remains on restoring service.
The NCSC and the Garda National Cyber Crime Bureau are now conducting an international investigation into the attack.
They are liaising with law enforcement agencies abroad including the FBI, the UK National Crime Agency, Interpol and Europol and working closely with the Europol cyber crime agency.
Russian ambassador calls for criminals to be brought to justice
The Russian Ambassador to Ireland has described the cyber attack on the HSE as a hideous criminal attack and said that this kind of activity - Russian or otherwise - is illegal and its perpetrators should be brought to justice.
Speaking on RTÉ's Drivetime, Yuri Filatov said that they have offered their assistance to the Irish Government and have suggested that there be a joint effort to investigate the incident.
He said certainly he is not privy to the ongoing developments about the decryption key, but his whole attitude is that this is a heinous criminal attack which should be condemned and he does that.
Asked whether the Irish Government has asked for Russia's assistance in this regard, Mr Filatov said the subject had been touched upon in a very recent conversation.
Earlier this week, Minister for Foreign Affairs Simon Coveney and his Russian counterpart Sergey Lavrov discussed the issue during a scheduled call regarding UN Security Council business.
He said the offer has been made from their side and that it was on the table.
It was up to the Irish authorities to decide if that is the way to deal with the situation which he described as very difficult and serious, he said.
He also said that if they were talking about a Russian based criminal group they would be very interested in joining the investigation since they were hunting these people all along.
Attack 'catastrophic' for health system - Reid
Earlier, the Chief Executive Officer of the HSE said that the impact of the cyber attack on the health services is "quite grave" in the immediate term.
Speaking at the latest HSE briefing, Paul Reid said the attack was "catastrophic" on the health system, and a "stomach-churning criminal act".
Mr Reid also said that the act was an attack on humans, carried out by people against people, against some of the most vulnerable in our society.
He said it was "a callous act" and an attack on healthcare workers, who have worked relentlessly for 15 months, many making personal sacrifices and taking risks.
The attack came after the first quarter of 2021 which involved "three of the most challenging months for the health system" in Ireland, because of the Covid-19 surge.
"The impact is quite grave in terms of the impact on our services," he said, adding that appointments have been cancelled, and simple everyday communications between medics, to allow them to access information and make decisions, can't be made.
HSE's Paul Reid says that the immediate response to the cyber attack is to prioritise patients and services, and the HSE is currently in the assessment phase, "to understand the impact across the network" | https://t.co/1O2irFSj5f (RTÉ News, @rtenews, May 20, 2021)
Mr Reid said the work to undo the damage caused by the ransomware attack is "not a short sprint" but will involve working against a "sustained impact" over the coming weeks.
"Our primary focus is striving to provide the health services for those who are in immediate and highest risk," he said.
Health services generally are about balancing risks every day, he said, and the impact of this cyber attack shifts the balance "not in our favour", so it does increase the risks to the system, he said.
"Our response has been immediate, it's been comprehensive and will continue to be relentless," Mr Reid said, adding that they have secured the full support of the state agencies, as well as "the best of the best" of Irish technology services, since last Friday.
There are over 2,000 different systems used by the health service, he said, with over 4,500 servers providing information.
"It’s a very complex legacy network, in many cases, a function of the healthcare systems of the past, and a web of very interconnected servers and networks."
He said the immediate response is to prioritise patients and services, and the HSE is currently in the assessment phase, "to understand the impact across the network".
Repairing the damage done to the HSE's systems following the ransomware attack is "in essence the rebuilding of a legacy network of 30 years," Mr Reid said.
Hospitals which have the capacity to stand alone within their own systems have been prioritised, he said, "to carry out those services within their own hospital".
Mr Reid praised the "inspirational response" from teams within the HSE: "If there's anything that shines above such a criminal act, it's the immediate response of our own teams right across the health service. Our frontline teams immediately began concentrating on workarounds, and on their patients."
Paul Reid said he could not confirm that patient data has been leaked online but said it is not unusual and not unexpected that there is a threat to publish.
He also said if members of the public suspect that they may have been targeted, then they should contact the gardaí immediately.
He also said the HSE has had no direct engagement with the hackers.
'Actions were taken' in cyber protection
Cyber-crime organisations are always trying to stay "a step above" the security systems being put in place by organisations like the HSE, according to Paul Reid.
He said that €300 million has been invested in capital infrastructure in the HSE systems in recent years, with about €82 million of that "related specifically to the core network".
This is as a result of reports initiated by the HSE regarding risks to the system.
When the ransomware attack happened last week, a message was left on the HSE's servers. "The double extortion method," Mr Reid said. At this point, they handed over to the National Cyber Security Centre and the gardaí.
"We've had no direct engagement, that's fact," Mr Reid said in reply to a question on whether there had been engagement with the cyber-criminals.
Paul Reid said it is going to take "at least a week" to assess where exactly in the HSE's systems the cyber-criminals managed to gain access.
There are up to 150,000 access points in the network, he said.
"It can be as simple as an email, clicking on an attachment to an email, that's a proven way of getting in," Mr Reid said, adding that it could also be by using login credentials, or a combination of a range of such factors.
"We haven’t got confirmation of that. We have plenty of suspicions... but we haven’t fully determined that as of yet. We can determine that there have been many access points of vulnerability but haven’t determined what is the single point of failure for entry."
Mr Reid said that the entire Irish health system needs to move into "an integrated technology system".
There are debates, and have been debates, he said about how secure networks are if they move to a cloud-based system. "These are difficult choices. Moving to the cloud has risk-based judgements as well."
Some parts of the health service, such as the traditional voluntary hospitals, have been more "resilient" than others, which rely on a central network system, he said.
"It's easier to look back with hindsight," he said when asked about risk assessments. "There’s no doubt the more money invested in capital infrastructure, in renewing our networks, in protecting our networks, the better."
However, like everything else, there are "difficult trade-offs to be made" in health spending, he said.
Addressing the issue of a ransom demand from the hackers, Mr Reid said: "Paying a ransom is a race to the bottom."
"What you are doing, paying ransoms, is increasing the capacity and capability of criminal organisations." This would further stretch state resources, he said.
"But ultimately from a HSE perspective, they are issues for government and government policy."
Mr Reid said he was not aware, as reported in some media, that the gang have said they will publish some of the stolen data on Monday.
Asked if the impact of the attack would result in missed or delayed diagnosis or even death, Dr Colm Henry said that the situation certainly made healthcare riskier.
HSE Chief Operations Officer Anne O'Connor said the HSE was aware of reports from GPs that they were getting anonymous calls saying they had patient data.
Mr Reid said there is no doubt that other criminals are using this attack as an opportunity to attempt fraud on people.
He urged the public not to give out PPS numbers or any other confidential information to people purporting to be from the HSE over the phone.
Additional reporting Conor Hunt