Irish Healthcare System Requires More Than $100 Million To Recover From the Conti Ransomware Attack

The Irish healthcare system will spend over $100 million to recover from the Conti ransomware attack that devastated the provider in May 2021.

Irish Foreign Minister Simon Coveney described the incident as a “very serious attack.” Similarly, Irish Minister of State Ossian Smyth claimed it was “possibly the most significant cybercrime attack on the Irish State.”

Many radiology appointments were canceled, and there were delays in reporting COVID-19 test results and in issuing birth, death, and marriage certificates, according to RTÉ and the BBC.

Similarly, the attack affected pediatric services, maternity services, and outpatient appointments. Conti demanded a $20 million ransom payment in exchange for the decryptor, but the Health Service Executive (HSE) refused to pay.

Irish healthcare system bleeding money after the 2021 Conti ransomware attack

Ireland has already spent $48 million to recover from the attack. The expenses include $14.2 million for ICT infrastructure, $6.1 million for external cybersecurity support, $17.1 million for vendor support, and $9.4 million for Office 365 subscriptions.

Additionally, the Conti ransomware attack crashed the HSE’s payment system, affecting 146,000 people working in the healthcare system. Similarly, the attack shut down 85,000 computers and plunged the healthcare system into threat hunting mode.

According to RTÉ, the healthcare system will require more funds in the coming months to fully resolve the impacts of the attack.

HSE’s interim chief information officer Fran Thompson disclosed the enormous funding request in a letter addressed to Aontú party leader Peadar Tóibín. Thompson projected that the cost could exceed $100 million, excluding PWC’s recommendations.

“The HSE forecasts that the overall cost could be in the region of €100 million and further to this, the implementation of the recommendations of the PWC report into the Conti will require a separate investment case which is being commissioned by the HSE.”

Additionally, Mr. Tóibín suggested that the government consider other costs like health impacts, lives lost, and inconveniences caused when patients’ appointments were canceled.

Ransomware attacks are usually expensive and carry additional costs like reputational damage. It could take several years to recover the technical debt, according to Brett Callow, a threat analyst at Emsisoft.

Callow notes that some of the expenditure is “catch-up spending” to address the security weakness that enabled the attacks.

However, the healthcare system intends to adopt a multiyear implementation plan around the required investment to prevent similar attacks.

Usually, the extortion amount reflects the gravity of the attack and the effort required to restore the system. Consequently, many organizations prefer to pay the ransom, which usually amounts to just a fraction of the losses.

However, security experts and government agencies discourage the practice because it does not guarantee decryption and recovery of the stolen files. Additionally, it encourages similar ransomware attacks by the same groups and others.

Conti ransomware targeted many healthcare organizations

The Irish healthcare system was hardly the only medical provider targeted by Conti ransomware in 2021.

In May 2021, the FBI warned about Conti ransomware attacks “targeting US healthcare and first responder networks, including law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities.”

According to CISA’s cybersecurity alert, Conti ransomware has been used in more than 1,000 attacks globally.

Conti ransomware is operated by the Wizard Spider group, based in St Petersburg, Russia, and is among the most dangerous advanced persistent threats. The group employs social engineering tactics like spearphishing to harvest credentials from its victims.

Additionally, it exploits common vulnerabilities and stolen Remote Desktop Protocol (RDP) credentials to infiltrate networks. Conti ransomware’s attack vectors include Trickbot and Cobalt Strike, CISA says.