{
	"id": "cfb6caea-a344-462b-a3a5-c195925e3be4",
	"created_at": "2026-04-06T00:09:15.634851Z",
	"updated_at": "2026-04-10T03:36:11.34932Z",
	"deleted_at": null,
	"sha1_hash": "f2264ae989fd52b0b61dd8c51b89d7387e0a2930",
	"title": "Ireland's Health Services hit with $20 million ransomware demand",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1393476,
	"plain_text": "Ireland's Health Services hit with $20 million ransomware demand\r\nBy Lawrence Abrams\r\nPublished: 2021-05-15 · Archived: 2026-04-05 20:44:33 UTC\r\nIreland’s health service, the HSE, says they are refusing to pay a $20 million ransom demand to the Conti ransomware gang\r\nafter the hackers encrypted computers and disrupted health care in the country.\r\nIreland's Health Service Executive (HSE), the country's publicly funded healthcare system, shut down all of their IT systems\r\non Friday after suffering a Conti ransomware attack.\r\n\"We have taken the precaution of shutting down all our IT systems in order to protect them from this attack and to allow us\r\nfully assess the situation with our own security partners,\" the Irish national health service said.\r\nThis IT outage has led to widespread disruption in the country's healthcare, causing limited access to diagnostics and\r\nmedical records, transcription errors due to handwritten notes, and slow response times to healthcare visits.\r\nHackers demand a $20 million ransom\r\nYesterday, a cybersecurity researcher shared a screenshot of a chat between Conti and Ireland's HSE with\r\nBleepingComputer.\r\nIn the screenshot, the Conti gang claims to have had access to the HSE network for two weeks. 
During this time, they claim\r\nto have stolen 700 GB of unencrypted files from the HSE, including patient info and employee info, contracts, financial\r\nstatements, payroll, and more.\r\nConti further stated that they would provide a decryptor and delete the stolen data if a ransom of $19,999,000 is paid to the\r\nthreat actors.\r\nConti ransomware demands of HSE\r\nBleepingComputer was also told that the threat actors shared a sample of stolen documents in the chat. However,\r\nBleepingComputer did not receive these documents and cannot confirm if they contain legitimate data belonging to the\r\nHSE.\r\nIn a press statement yesterday, Taoiseach Micheál Martin, the Prime Minister of Ireland, said that they would not be paying\r\nany ransom.\r\nWho are Conti?\r\nThe Conti ransomware operation is believed to be run by a Russia-based cybercrime group known as Wizard Spider.\r\nThis group uses phishing attacks to install the TrickBot and BazarLoader trojans that provide remote access to the infected\r\nmachines.\r\nUsing this remote access, the threat actors spread laterally through a network while stealing credentials and harvesting\r\nunencrypted data stored on workstations and servers.\r\nOnce the hackers have stolen everything of value and gained access to Windows domain credentials, they wait for a quiet\r\ntime during the week and deploy the ransomware on the network to encrypt all of its devices.\r\nThe Conti gang then uses the stolen data as leverage to force a victim into paying a ransom by threatening to release it on\r\ntheir ransom data leak site if they are not paid.\r\nOther high-profile ransomware attacks conducted by Conti in the past include FreePBX developer Sangoma, IoT chip maker\r\nAdvantech, Broward County Public Schools (BCPS), and the Scottish Environment Protection Agency (SEPA).\r\nSource: https://www.bleepingcomputer.com/news/security/ireland-s-health-services-hit-with-20-million-ransomware-demand/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/ireland-s-health-services-hit-with-20-million-ransomware-demand/"
	],
	"report_names": [
		"ireland-s-health-services-hit-with-20-million-ransomware-demand"
	],
	"threat_actors": [
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434155,
	"ts_updated_at": 1775792171,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f2264ae989fd52b0b61dd8c51b89d7387e0a2930.pdf",
		"text": "https://archive.orkl.eu/f2264ae989fd52b0b61dd8c51b89d7387e0a2930.txt",
		"img": "https://archive.orkl.eu/f2264ae989fd52b0b61dd8c51b89d7387e0a2930.jpg"
	}
}