Security News > 2021 > December > Irish Health Service ransomware attack happened after one staffer opened malware-ridden email
Issued today, the report from PWC said that the hugely harmful Conti ransomware infection was caused because of the simplest attack vector known to infosec: spam.
Even worse, PWC said HSE personnel had spotted the WizardSpider crew behind the infection operating on HSE networks - yet "These did not result in a cybersecurity incident and investigation initiated by the HSE".
PWC also said that the WizardSpider criminal crew who pwned the HSE probably "Exploited an unpatched known vulnerability" to gain access to the HSE's Active Directory domain.
HSE chairman Ciarán Devane said in a canned statement today: "It is clear that our IT systems and cybersecurity preparedness need major transformation. This report highlights the speed with which the sophistication of cyber-criminals has grown, and there are important lessons in this report for public and private sector organisations in Ireland and beyond."
In a five-day timespan during early May 2021, WizardSpider had compromised systems in five separate hospitals, pwning a further three by 12 May. Although the hospital's internal security team were notified by its external "Cybersecurity solutions provider" to unusual alerts, not enough action was taken before WizardSpider deployed their main Conti ransomware payload on 14 May. We saw, we came, we conquered.
Despite that hospital telling the central HSE team they had identified suspicious activity on two HSE servers, the HSE "Incorrectly concluded in an email between the HSE teams that the suspicious activity originated from Hospital A, rather than the other way round."
News URL
Related news
- Massive PSAUX ransomware attack targets 22,000 CyberPanel instances (source)
- North Korean Group Collaborates with Play Ransomware in Significant Cyber Attack (source)
- North Korean govt hackers linked to Play ransomware attack (source)
- City of Columbus: Data of 500,000 stolen in July ransomware attack (source)
- Columbus, Ohio, confirms 500K people affected by Rhysida ransomware attack (source)
- VEILDrive Attack Exploits Microsoft Services to Evade Detection and Distribute Malware (source)
- Critical Veeam RCE bug now used in Frag ransomware attacks (source)
- Halliburton reports $35 million loss after ransomware attack (source)
- New Ymir ransomware partners with RustyStealer in attacks (source)
- New Ymir Ransomware Exploits Memory for Stealthy Attacks; Targets Corporate Networks (source)