
HSE ransomware attack

Written by The Integrity360 Team | 14 May 2021 11:01:42 Z

Last Updated: 17/05/21 12:00

Integrity360 has deployed our Incident Response Team to support a number of clients who may be affected by the ransomware attack widely reported on in Irish media.

Our teams are committed to supporting the wider health community, as well as our clients and advise all organisations of the need to increase vigilance within your own environment in relation to this attack.

The Threat & Impact

The ransomware is believed to resemble “Conti”, a ransomware tool that has been in operation since at least December 2019 and is believed to be derived from the “Ryuk” ransomware variant. Conti is often deployed using the “TrickBot” infrastructure. It is designed to be operated by the attacker rather than through an automated process, and it contains unique features that allow a more targeted and quicker attack. Conti ransomware operations have targeted a wide variety of sectors globally, including construction, manufacturing, and retail.
 
The ransomware is believed to be a new variant of Conti, previously unknown to security vendors. Update 17/05/21: The NCSC has observed that the threat actors also used Cobalt Strike.

Recommendations

As best practice, Integrity360 recommends that businesses increase vigilance over their environment, ensuring that:
  • firewalls, IDS/IPS and AV solutions are monitored for any malicious activity
  • servers and applications are patched
  • consideration is given to disabling external RDP functionality and SMB
  • AV signature updates which are made available are deployed.

Conti is known to exfiltrate data before encrypting, so concerned organisations should also review their outbound traffic and file-transfer logs for evidence of files exfiltrated over the past month as a proactive measure.

Update 17/05/21: The National Cyber Security Centre (NCSC) has issued its advisory on the ransomware attack, which describes the background, response and remediation efforts in detail. It also outlines the assessment of the variant of Conti ransomware in use and the indicators of compromise (IOCs) that have been observed. We advise organisations to take note of these IOCs, also listed below.
 
We will continue to provide updates, links and resources on this dedicated page as new information comes to light.
 
Should you require assistance relating to the above advisory, please use our contact form for further assistance. As always, Integrity360 Managed Security Service (MSS) customers will already be managed through our proactive security approach.

Related Information 


Indicators of Compromise 

The NCSC has outlined the following indicators of compromise, observed in relation to this incident, in its advisory:

  • Conti SHA256: d21c71a090cd6759efc1f258b4d087e82c281ce65a9d76f20a24857901e694fc
  • Cobalt Strike SHA256: 234e4df3d9304136224f2a6c37cb6b5f6d8336c4e105afce857832015e97f27a
  • Cobalt Strike SHA256: 1429190cf3b36dae7e439b4314fe160e435ea42c0f3e6f45f8a0a33e1e12258f
  • Cobalt Strike SHA256: 8837868b6279df6a700b3931c31e4542a47f7476f50484bdf907450a8d8e9408
  • Cobalt Strike SHA256: a390038e21cbf92c36987041511dcd8dcfe836ebbabee733349e0b17af9ad4eb
  • Cobalt Strike SHA256: d4a1cd9de04334e989418b75f64fb2cfbacaa5b650197432ca277132677308ce
  • Filename: _EXE.bat
  • Filename: _COPY.bat
  • Lazagne SHA256: 5a2e947aace9e081ecd2cfa7bc2e485528238555c7eeb6bcca560576d4750a50
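As an added example of how a defender can act on the IOC list above (this script is not from Integrity360 or the NCSC), the Python below sweeps a directory tree, hashes every file with SHA-256 and reports any file whose digest or name matches the indicators quoted on this page. Filename matching is case-insensitive because Windows file systems are. The `demo()` function builds a constructed sample tree in a temporary directory; the `payload.bin` contents and their hash are made up for the demonstration and are not a real artefact.

```python
"""Sweep a directory tree for the SHA-256 and filename IOCs quoted on this page."""
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators exactly as listed on this page (NCSC advisory, 17/05/21).
IOC_HASHES = {
    "d21c71a090cd6759efc1f258b4d087e82c281ce65a9d76f20a24857901e694fc": "Conti",
    "234e4df3d9304136224f2a6c37cb6b5f6d8336c4e105afce857832015e97f27a": "Cobalt Strike",
    "1429190cf3b36dae7e439b4314fe160e435ea42c0f3e6f45f8a0a33e1e12258f": "Cobalt Strike",
    "8837868b6279df6a700b3931c31e4542a47f7476f50484bdf907450a8d8e9408": "Cobalt Strike",
    "a390038e21cbf92c36987041511dcd8dcfe836ebbabee733349e0b17af9ad4eb": "Cobalt Strike",
    "d4a1cd9de04334e989418b75f64fb2cfbacaa5b650197432ca277132677308ce": "Cobalt Strike",
    "5a2e947aace9e081ecd2cfa7bc2e485528238555c7eeb6bcca560576d4750a50": "Lazagne",
}
# Lower-cased because Windows paths are case-insensitive.
IOC_FILENAMES = {"_exe.bat", "_copy.bat"}


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large files never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, hashes=IOC_HASHES, filenames=IOC_FILENAMES):
    """Walk `root` and return [(path, reason)] for every file matching an IOC.

    A file can match on name and on hash; both are reported so the analyst
    sees which indicator fired. Unreadable files are skipped, not fatal.
    """
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            if name.lower() in filenames:
                hits.append((str(path), f"filename IOC: {name}"))
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # locked, vanished or permission denied: keep sweeping
            if digest in hashes:
                hits.append((str(path), f"SHA256 IOC: {hashes[digest]} ({digest})"))
    return hits


def demo():
    """Build a constructed sample tree, sweep it and return the sorted hit reasons.

    The 'payload.bin' bytes are invented here and their hash is added to the
    IOC set only for this demonstration; the page's own hashes are unchanged.
    """
    sample = b"constructed sample bytes, not a real artefact"
    sample_hash = hashlib.sha256(sample).hexdigest()
    hashes = {**IOC_HASHES, sample_hash: "constructed test sample"}
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "sub").mkdir()
        (Path(root) / "sub" / "_EXE.bat").write_bytes(b"@echo off\r\n")  # name IOC
        (Path(root) / "payload.bin").write_bytes(sample)                   # hash IOC
        (Path(root) / "readme.txt").write_bytes(b"clean file")             # no IOC
        hits = sweep(root, hashes=hashes)
    return sorted(reason for _path, reason in hits)


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

For a real sweep, call `sweep(r"C:\")` (or the root of the mounted image) and write the hits to a ticket rather than acting on them automatically; a hash match on one of the listed digests is high-confidence, while a bare filename match on `_EXE.bat` or `_COPY.bat` should be triaged alongside the file's contents and creation time.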