Irish Health Service ransomware attack happened after one staffer opened malware-ridden email
Issued today, the report from PWC said that the hugely harmful Conti ransomware infection was caused because of the simplest attack vector known to infosec: spam.
Even worse, PWC said HSE personnel had spotted the WizardSpider crew behind the infection operating on HSE networks - yet "These did not result in a cybersecurity incident and investigation initiated by the HSE".
PWC also said that the WizardSpider criminal crew who pwned the HSE probably "Exploited an unpatched known vulnerability" to gain access to the HSE's Active Directory domain.
HSE chairman Ciarán Devane said in a canned statement today: "It is clear that our IT systems and cybersecurity preparedness need major transformation. This report highlights the speed with which the sophistication of cyber-criminals has grown, and there are important lessons in this report for public and private sector organisations in Ireland and beyond."
In a five-day timespan during early May 2021, WizardSpider had compromised systems in five separate hospitals, pwning a further three by 12 May. Although one hospital's internal security team was alerted by its external "Cybersecurity solutions provider" to unusual activity on its systems, not enough action was taken before WizardSpider deployed their main Conti ransomware payload on 14 May. We saw, we came, we conquered.
Despite that hospital (Hospital A) telling the central HSE team it had identified suspicious activity on two HSE servers, the HSE "Incorrectly concluded in an email between the HSE teams that the suspicious activity originated from Hospital A, rather than the other way round."