HSE Ransomware Actors’ Infrastructure Disrupted by Irish Authorities

• The Irish cybercrime police have identified and seized several domains used by Conti to support their ransomware attacks.
• This should create a momentary disruption in the operations of the notorious ransomware gang.
• The actors haven’t been identified yet, but the Irish police say they are making good progress on that front.

It’s been several months since the Irish Health Service (HSE) was crippled by an attack launched by the ‘Conti’ ransomware group, but the aftermath is still underway. As RTE reports now, Ireland’s Garda National Cyber Crime Bureau has seized several domains used in the HSE incident as well as other similar ransomware attacks, significantly disrupting the actor’s operations.

Now, if any victims visit any of these domains, they will see a notice from Ireland’s National Police and Security Service informing them that they may have been compromised by ransomware actors and giving them some pointers on what measures to follow.

This is not only a retaliation move against Conti but also one of actively preventing similar attacks on other valuable organizations in the country. When the HSE was hit in May 2021, national hospitals had to adopt medical practices that go many decades back, like passing handwritten notices around instead of relying upon central patient information database systems.

The health services were severely disrupted as a result, thousands of appointments were canceled, and providing medical care to patients had to be postponed. Eventually, the actors handed over the decryption key to the HSE for free as they realized they wouldn’t get the tens of millions they demanded as ransom and probably had some ethical reservations along the way.

The ‘Garda’ also mentions the valuable help of its partners at Europol and Interpol, who have helped them with the process of identifying and taking down the domains in question. As the agency points out, to date, a total of 753 attempts were made by potentially compromised systems to connect to these domains. This gives us a rough idea of the size of the Conti operations, a ransomware group that remains very active despite the various re-arrangements that took place in the field.

It will be interesting to see how Conti responds to that now, but in general, it is unlikely that they’ll have any trouble moving to new infrastructure. We have checked the group’s Tor portal where victims are extorted, and it’s currently online without any notice about the ‘Garda’ seizures. Also, there are six posts in September alone, so the group remains alive and well, and the most recent reports give details about the hackers targeting Exchange services with ProxyShell exploits.

The Irish police have stated that they will continue the investigation into uncovering those responsible for the HSE attacks and claim they are making steady progress on that front but can’t share many details about it.