Irish Health Service ransomware attack happened after one staffer opened malware-ridden email (Security News, December 2021)
Issued today, the report from PWC said that the hugely harmful Conti ransomware infection was caused because of the simplest attack vector known to infosec: spam.
Even worse, PWC said HSE personnel had spotted the WizardSpider crew behind the infection operating on HSE networks - yet "These did not result in a cybersecurity incident and investigation initiated by the HSE".
PWC also said that the WizardSpider criminal crew who pwned the HSE probably "Exploited an unpatched known vulnerability" to gain access to the HSE's Active Directory domain.
HSE chairman Ciarán Devane said in a canned statement today: "It is clear that our IT systems and cybersecurity preparedness need major transformation. This report highlights the speed with which the sophistication of cyber-criminals has grown, and there are important lessons in this report for public and private sector organisations in Ireland and beyond."
In a five-day timespan during early May 2021, WizardSpider had compromised systems in five separate hospitals, pwning a further three by 12 May. Although one hospital's internal security team was notified by its external "Cybersecurity solutions provider" of unusual alerts, not enough action was taken before WizardSpider deployed their main Conti ransomware payload on 14 May. We saw, we came, we conquered.
Despite that hospital telling the central HSE team they had identified suspicious activity on two HSE servers, the HSE "Incorrectly concluded in an email between the HSE teams that the suspicious activity originated from Hospital A, rather than the other way round."