Date: 2021-05-20

The ransomware group targeting the HSE has given the Irish authorities a decryption tool that it says will enable them to recover their IT systems and the files that hackers locked and encrypted.

However, the Russian-speaking cyber gang behind the attack is still threatening to share the information, including personal information relating to patients, on the darknet and to sell some of it to other criminals if the ransom is not paid.

The HSE and Department of Health were expected to greet the offer with extreme caution for fear the gang is trying to entice them into an even more difficult situation.

However, cyber security professionals who spoke to The Irish Times on Thursday said the decryption tool offered by the ransom gang to the HSE appears to be genuine. They believed it was a very positive development for the Irish authorities because the HSE would be able to restore its IT infrastructure much faster than expected and would also be able to access the data and files the gang had encrypted.

The same cyber security sources believed the gang may be acting out of concern that their attack on the HSE had become so large scale and was attracting so much attention that they wanted to defuse the situation.

However, the sources said the fact the decryption key had been shared with the HSE strongly suggested the gang was just about to share all or most of the Irish data online.

The development in the case is not unprecedented as a cyber gang that attacked part of the German health system last year offered a decryption key to the authorities to unlock the damage they had done when they realised their target was a hospital.

The decryption tool was sent by the gang after German police contacted it and explained that it was attacking a hospital, not a university. The hospital in question, University Hospital Düsseldorf (UKD), was able to use the decryption key to unlock its files and recover its IT systems.

The ransomware gang targeting the HSE has been trying to communicate with HSE personnel via a messaging system attached to the $20 million ransom note it posted as part of the attack late last week.

The latest messages over the last 48 hours, which have been seen by The Irish Times, included one on Wednesday, when the gang said: “We will start to sell and publish your data on Monday.”

That development was expected and Garda sources said it was typical of the tactics used by ransomware gangs around the world. As they are trying to increase pressure on their victim, they share some samples of stolen documents online with a warning that a much larger share will happen very soon if the ransom is not paid, sources said.

Those tactics are then usually followed by a specific date being set for the larger leaks of the stolen data and files on the darknet, and the gang targeting the HSE had gone that far with its tactics up to Wednesday.

However, on Thursday the gang offered a decryption tool to the HSE, saying it could be used to unlock the IT systems, files and other data their attack had locked. But the gang maintained its threat to publish the documents and/or sell them to other criminals.

“We are providing the decryption tool for your network for free,” the latest messages sent on Thursday said. “But you should understand that we will sell or publish a lot of private data if you will not connect us (sic) and try to resolve the situation.”

The next message then offers advice to the HSE about how to use the decryption tool: “The decryption tool upload to the cloud. You should launch it with administrator rights and wait until it finishes decryption process. Do not stop the process otherwise you could damage data.”

The gang’s next message to the HSE then offers links and a password required to use the decryption tool. Security sources said they had trialed the decryption tool and it appeared to work on the small number of encrypted HSE documents already shared on the darknet by the gang.