{
	"id": "e76fd32b-c367-44cd-a32a-68db001bbdf9",
	"created_at": "2026-04-06T00:18:21.557513Z",
	"updated_at": "2026-04-10T03:21:09.43248Z",
	"deleted_at": null,
	"sha1_hash": "9fcd44ece7944fd40780b252c05539a53fcd89c6",
	"title": "HHS: Conti ransomware encrypted 80% of Ireland's HSE IT systems",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3185841,
	"plain_text": "HHS: Conti ransomware encrypted 80% of Ireland's HSE IT systems\r\nBy Sergiu Gatlan\r\nPublished: 2022-02-04 · Archived: 2026-04-05 19:08:45 UTC\r\nA threat brief published by the US Department of Health and Human Services (HHS) on Thursday paints a grim picture of\r\nhow Ireland's health service, the HSE, was overwhelmed and had 80% of its systems encrypted during last year's Conti\r\nransomware attack.\r\nThis led to severe disruptions of healthcare services throughout Ireland and exposed the information of thousands of Irish\r\npeople who received COVID-19 vaccines before the attack after roughly 700 GB of data (including protected health\r\ninformation) was stolen from HSE's network and sent to attackers' servers.\r\nThe short incident report [PDF], based on a PwC independent post-incident review [PDF] commissioned by the Board of the\r\nHSE in June 2021, reveals that the impact of this attack on HSE's IT environment was primarily caused by the organization's\r\nlack of preparedness to deal with such an incident.\r\nhttps://www.bleepingcomputer.com/news/security/hhs-conti-ransomware-encrypted-80-percent-of-irelands-hse-it-systems/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/hhs-conti-ransomware-encrypted-80-percent-of-irelands-hse-it-systems/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\n\"The HSE did not have a single responsible owner for cybersecurity, at senior executive or management level at the time of\r\nthe incident. There was no dedicated committee that provided direction and oversight of cybersecurity and the activities\r\nrequired to reduce the HSE's cyber risk exposure,\" the HHS Cybersecurity Program said.\r\n\"The lack of a cybersecurity forum in the HSE hindered the discussion and documentation of granular cyber risks, as well as\r\nthe abilities to identify and deliver mitigating controls. 
The HSE did not have a centralized cybersecurity function that\r\nmanaged cybersecurity risk and controls.\"\r\nTo top it all off, the HSE also had no security monitoring solutions deployed to help investigate and respond to security\r\nthreats detected across its IT environment.\r\nThis led to a lack of response to Conti operators' malicious activity, which was far from stealthy: Cobalt Strike\r\nbeacons deployed on multiple HSE servers starting on May 7, 2021, were detected by endpoint antivirus solutions, but\r\nthe alerts were ignored.\r\n\"The impact of the ransomware on the IT environment was reported by the HSE's management to lead to 80% encryption,\"\r\nthe HHS added.\r\n\"The impact of the ransomware attack on communications was severe, as the HSE almost exclusively used on-premise email\r\nsystems (including Exchange) that were encrypted, and therefore unavailable, during the attack.\"\r\nHSE Conti ransomware incident timeline (PwC/HSE)\r\nLuckily, the Conti ransomware gang gave the HSE a free decryptor to restore systems, with the added warning that the\r\nattackers would still sell or publish the stolen data if the HSE did not pay a $20 million ransom.\r\n\"We are providing the decryption tool for your network for free. But you should understand that we will sell or publish a lot\r\nof private data if you will not connect us and try to resolve the situation,\" the Conti ransomware gang said on the negotiation\r\nchat page.\r\n\"The HSE is aware that an encryption key have been provided,\" the Irish Department of Health told BleepingComputer at\r\nthe time. 
\"However further investigations have to be conducted to assess if it will work safely, prior to attempting to use it\r\non HSE systems.\"\r\nAlthough the incident led to widespread disruption across Ireland's healthcare services, Taoiseach Micheál Martin, the Prime\r\nMinister of Ireland, said that the HSE would not be paying any ransom.\r\nFollowing the attack, an archive containing samples of stolen HSE files containing patient data was subsequently uploaded\r\nto the VirusTotal malware scanning site.\r\nAn Irish court later ordered VirusTotal to provide any info on subscribers who downloaded or uploaded the confidential data\r\n(including email addresses, phone numbers, IP addresses, or physical addresses) stolen from Ireland's national health care\r\nnetwork.\r\nThe archive of stolen HSE data was downloaded 23 times by VirusTotal subscribers before the service removed it on May\r\n25, 2021, according to The Journal.\r\nhttps://www.bleepingcomputer.com/news/security/hhs-conti-ransomware-encrypted-80-percent-of-irelands-hse-it-systems/\r\nPage 3 of 4\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/hhs-conti-ransomware-encrypted-80-percent-of-irelands-hse-it-systems/\r\nhttps://www.bleepingcomputer.com/news/security/hhs-conti-ransomware-encrypted-80-percent-of-irelands-hse-it-systems/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/hhs-conti-ransomware-encrypted-80-percent-of-irelands-hse-it-systems/"
	],
	"report_names": [
		"hhs-conti-ransomware-encrypted-80-percent-of-irelands-hse-it-systems"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434701,
	"ts_updated_at": 1775791269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9fcd44ece7944fd40780b252c05539a53fcd89c6.pdf",
		"text": "https://archive.orkl.eu/9fcd44ece7944fd40780b252c05539a53fcd89c6.txt",
		"img": "https://archive.orkl.eu/9fcd44ece7944fd40780b252c05539a53fcd89c6.jpg"
	}
}