{
	"id": "24e4d6e9-03e8-44c2-a2e8-1ea23b3fc2b0",
	"created_at": "2026-04-06T00:11:37.260214Z",
	"updated_at": "2026-04-10T03:36:11.245476Z",
	"deleted_at": null,
	"sha1_hash": "5c85764313bc6b759e80c296b864093e0b19df5a",
	"title": "Irish police seize Conti domains used in HSE ransomware attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 374689,
	"plain_text": "Irish police seize Conti domains used in HSE ransomware attack\r\nBy Sabina Weston\r\nPublished: 2021-09-06 · Archived: 2026-04-05 19:45:37 UTC\r\nIreland’s Garda National Cyber Crime Bureau has announced that it had “seized several domains” used in the\r\nransomware attack on the Irish Health Service Executive (HSE) earlier this year.\r\nThe attack, which took place in mid-May, forced the national health and social services provider to shut down its\r\nentire IT system, which led to appointments being delayed or cancelled. The Irish Department of Health was also\r\ntargeted but managed to prevent Conti from encrypting its network.\r\nOn Sunday, almost four months after the attack, the Garda’s cyber crime unit confirmed that it had disrupted the\r\nIT infrastructure of the Conti hacking group, which had claimed responsibility for the attack. Thought to be\r\ndeployed by a Russian group known as Wizard Spider, Conti functions as a type of ransomware as a service\r\n(RaaS) operation.\r\n“The Garda National Cyber Crime Bureau have seized several domains used in this and other ransomware\r\nattacks,” a Garda spokesperson told IT Pro, adding that the seizure “has directly prevented a large number of\r\nfurther ransomware attacks across the world”.\r\nLatest Videos From IT Pro\r\nThe Bureau has also notified potential victims of the ransomware gang and is working with Europol and Interpol\r\nto ensure that other states are aware of the systems targeted by Conti.\r\nRELATED RESOURCE\r\nThe ultimate law enforcement agency guide to going mobile\r\nhttps://www.itpro.co.uk/security/ransomware/360786/irish-police-seize-conti-domains-used-in-hse-ransomware-attack\r\nPage 1 of 2\n\nBest practices for implementing a mobile device program\r\nFREE DOWNLOAD\r\nA Garda spokesperson described the operation as “crime prevention”, adding that to date there had been “a total of\r\n753 attempts (...) 
made by ICT systems across the world to connect to the seized domains”.\r\n“In each instance, the seizure of these domains by the GNCCB investigation team is likely to have prevented a\r\nConti Ransomware Attack on the connecting ICT system, by rendering the initially deployed malware on the\r\nvictims system, as ineffective,” they said.\r\nSign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI,\r\ncybersecurity and other IT challenges as per 700+ senior executives\r\nHSE wasn’t the only healthcare provider targeted by the Conti ransomware group. Days after the attack was\r\nreported, the US Federal Bureau of Investigation (FBI) found that the gang had also attempted to breach 16 US\r\nservices, including law enforcement agencies, 911 dispatch services and municipalities, with the attempted attacks\r\nall taking place since May 2020.\r\nThe FBI Cyber Division stated that the targeted healthcare and first responder networks were “among the more\r\nthan 400 organisations worldwide victimised by Conti”, out of which “over 290” are based in the US.\r\nSource: https://www.itpro.co.uk/security/ransomware/360786/irish-police-seize-conti-domains-used-in-hse-ransomware-attack\r\nhttps://www.itpro.co.uk/security/ransomware/360786/irish-police-seize-conti-domains-used-in-hse-ransomware-attack\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.itpro.co.uk/security/ransomware/360786/irish-police-seize-conti-domains-used-in-hse-ransomware-attack"
	],
	"report_names": [
		"irish-police-seize-conti-domains-used-in-hse-ransomware-attack"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434297,
	"ts_updated_at": 1775792171,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5c85764313bc6b759e80c296b864093e0b19df5a.pdf",
		"text": "https://archive.orkl.eu/5c85764313bc6b759e80c296b864093e0b19df5a.txt",
		"img": "https://archive.orkl.eu/5c85764313bc6b759e80c296b864093e0b19df5a.jpg"
	}
}