{
	"id": "af8a63b9-09b9-44b6-bbc0-188dfd3468dc",
	"created_at": "2026-04-06T00:12:42.657763Z",
	"updated_at": "2026-04-10T03:36:11.031858Z",
	"deleted_at": null,
	"sha1_hash": "1dcfeaee4dbc9a918b47cbbc7045dd9caedb515e",
	"title": "Conti ransomware also targeted Ireland's Department of Health",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1982112,
	"plain_text": "Conti ransomware also targeted Ireland's Department of Health\r\nBy Sergiu Gatlan\r\nPublished: 2021-05-17 · Archived: 2026-04-05 20:56:47 UTC\r\nThe Conti ransomware gang failed to encrypt the systems of Ireland's Department of Health (DoH) despite breaching its\r\nnetwork and dropping Cobalt Strike beacons to deploy their malware across the network.\r\nOn the same day, Conti operators breached the network of Ireland's Health Service Executive (HSE), the country's publicly\r\nfunded healthcare system, and forced it to shut down all IT systems to contain the incident.\r\n\"The National Cyber Security Centre (NCSC) became aware on Thursday of an attempted cyber attack on the Department of\r\nHealth,\" the Irish  Department of the Environment, Climate and Communications said.\r\nhttps://www.bleepingcomputer.com/news/security/conti-ransomware-also-targeted-irelands-department-of-health/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/conti-ransomware-also-targeted-irelands-department-of-health/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\n\"This attempted attack remains under investigation, however there are indications that this was a ransomware attack similar\r\nto that which has affected the HSE.\"\r\nRansomware execution blocked\r\nIn a separate security advisory [PDF], NCSC provided more technical details on the attack and confirmed the link between\r\nthe two incidents saying that the two \"attacks are believed to be part of the same campaign targeting the Irish health sector.\"\r\nThe NCSC was alerted of potentially suspicious activity on the Department of Health's network on Thursday afternoon. 
\r\nInvestigators discovered Cobalt Strike beacons deployed on the network, a tool commonly used by ransomware gangs to\r\ndeploy their malicious payloads and encrypt systems across the network.\r\nThe next day, at 07:00 AM, a human-operated Conti ransomware attack disabled some of HSE's devices, forcing the health\r\nservice to shut down its entire IT infrastructure to limit the impact.\r\nAround the same time, a second Conti attack attempting to execute ransomware payloads to encrypt the systems of Ireland's\r\nDepartment of Health was blocked by anti-virus software and the tools deployed by investigators the day before.\r\n\"The Department of Health has implemented its response plan including the suspension of some functions of its IT system as a\r\nprecautionary measure,\" the Irish government added.\r\nThe NCSC also confirmed BleepingComputer's report that the ransomware sample used during these attacks appends the\r\n.FEEDC extension to encrypted files.\r\nThe NCSC also shared indicators of compromise [PDF] linked to the Conti ransomware attack on Ireland's health systems.\r\nConti HSE ransom note\r\nHSE will not pay Conti's $20 million ransom\r\nAfter the HSE ransomware incident, the Conti gang claimed to have had access to HSE's network for over two weeks and\r\nthat they were able to steal 700 GB of unencrypted files, including employee and patient info, financial statements, payroll,\r\ncontracts, and more.\r\nThey also said that HSE would need to pay a $19,999,000 ransom for Conti to delete all the stolen data from their servers\r\nand provide a decryptor.\r\nEven though the incident has led to widespread disruption affecting Ireland's healthcare services, Taoiseach Micheál Martin,\r\nthe Prime Minister of Ireland, said that the HSE would not be paying any ransom.\r\nConti ransomware's demands\r\nConti ransomware is a private 
Ransomware-as-a-Service (RaaS) operation believed to be run by a Russian-based cybercrime\r\ngroup known as Wizard Spider.\r\nConti shares code with the notorious Ryuk Ransomware, whose TrickBot-powered distribution channels they took over after\r\nRyuk activity dwindled around July 2020.\r\nPreviously, Conti ransomware hit the Scottish Environment Protection Agency (SEPA), leaking roughly 1.2 GB of stolen\r\ndata on their dark web leak site.\r\nSource: https://www.bleepingcomputer.com/news/security/conti-ransomware-also-targeted-irelands-department-of-health/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/conti-ransomware-also-targeted-irelands-department-of-health/"
	],
	"report_names": [
		"conti-ransomware-also-targeted-irelands-department-of-health"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434362,
	"ts_updated_at": 1775792171,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1dcfeaee4dbc9a918b47cbbc7045dd9caedb515e.pdf",
		"text": "https://archive.orkl.eu/1dcfeaee4dbc9a918b47cbbc7045dd9caedb515e.txt",
		"img": "https://archive.orkl.eu/1dcfeaee4dbc9a918b47cbbc7045dd9caedb515e.jpg"
	}
}