Give me a crash course in... the Wizard Spider cyber attack

The group of cybercriminals hacked the HSE, saying they will leak confidential patient data

Who is Wizard Spider?
Wizard Spider is the name given to the group of cybercriminals believed to be behind last week's ransomware attack on the HSE. The attack promises to disrupt health services for weeks and may lead to sensitive patient data being leaked online.

The group, which is headquartered in Russia, is one of the most sophisticated cybercriminal outfits in operation. It is the most powerful of five closely linked Russian-speaking gangs which make up a kind of cyber-cartel.

What is Conti?
Conti is the tool used by the gang and its affiliates to target businesses and institutions. It is a sophisticated ransomware which first came to light in 2020 and has seen increasing use in recent months.

Previous ransomware tools wormed into systems and locked victims’ data until they agreed to pay a ransom. Conti goes one step further; it locks the data but also creates a copy of it which it can threaten to leak online or sell to the highest bidder. This makes it a particularly nasty threat to an agency like the HSE.


How seriously should we take these Russian cybercriminals?
Going on previous evidence, quite seriously. Although they might be completely lacking in morals, they are skilled in extortion and have no problem publishing sensitive data if they don't get what they want. Dozens of victims around the world have had their data published by the group, although none were the size of the HSE.

There is also evidence to suggest Wizard Spider sometimes works on behalf of Russian authorities, lending its infrastructure and expertise to carry out state-backed attacks on Russia’s enemies.

What is it looking for?
The attack on the HSE is believed to be a purely profit-making endeavour. The criminals have demanded a ransom both to decrypt the files they have locked and to refrain from leaking the data online (or selling it on).

Various ransom figures have been reported in the last week. Most experts seem to agree that a ransom demand for $20 million published on an American technology website is probably genuine, although it is likely the gang would accept a far lower amount.

What will they do with the data?
That largely depends on the Government's response. If a ransom is paid, there is at least a chance the gang will not leak the data. Experts say it is in the interests of cybercriminals to keep their word. Otherwise no one will pay the ransom in the future.

But paying the ransom could make Ireland an irresistible target for future cybercriminals. There is also no guarantee the criminals would not sell on the data. Likewise, we cannot be certain the gang actually has the ability to reverse the damage it has done to the HSE's systems.

If the Government does not pay, it is almost certain that the data will either be dumped onto the dark web or sold on to third parties who may use it for marketing, fraud or even blackmail against HSE patients.

Has any data leaked already?
Evidence is mounting that the gang has already started putting patient records out onto the internet. Data which appears to have come from HSE servers has been found online, including the records of a male patient who was receiving end-of-life care.

These were likely leaked to prove the gang actually had access to the records and is prepared to publish them. Minister for Communications Eamon Ryan said they appeared to be "credible and accurate".

Will a ransom be paid?
The gang has demanded a ransom by Monday. For now, the Government is adamant no money will be handed over. Private businesses tend to pay ransoms in these situations, but the Government will not want to be seen as rewarding criminality, especially a crime as heinous as hacking a health service during a pandemic.

On the other hand, the mass dumping of patient records online for anyone to read is something which scarcely bears thinking about.