Government insists ‘no ransom will be paid’ after getting HSE decryption tool

Russian-speaking gang still threatening to publish patient files from Monday

The Government says no ransom will be paid to hackers who stole Health Service Executive data despite their threat to share files online from next Monday.

A statement issued on behalf of the Government on Thursday night said it was “aware” that a decryption tool had been made available by criminals to allow the HSE to unlock its IT systems and encrypted files.

“It is to be emphasised that the Government has not paid a ransom and will not pay a ransom in respect of this crime. This has been the firm position of the Government from the outset and it will continue to maintain that position,” the statement read.

The Government described the tool becoming available as “an encouraging development” but added the “programme of work to repair and restore the IT systems still needs to be carried out”.


The Russian-speaking cyber gang behind the attack was on Thursday night still threatening to publish the HSE information it accessed, including personal information relating to patients, on the darknet (a network within the internet) and to sell some of it to other criminals if the ransom is not paid.

Brian Honan, a cybersecurity consultant based in Ireland and former cybersecurity adviser to Europol, said that even if the decryption tool worked, the HSE would persist with the rebuild of its IT infrastructure under way since late last week when the unprecedented scale of the attack became clear.

“This is to ensure that the systems are clean and not infected, and also that the criminals have not implanted any other malicious software on to those systems,” he said.

Other cybersecurity professionals who spoke to The Irish Times had examined and tested the decryption tool and they believed it was genuine. They said that in offering the tool the gang may be acting out of concern that their attack on the HSE had become so large and was attracting so much attention that they wanted to defuse the situation.

However, the sources said the fact that the decryption key had been shared with the HSE strongly suggested the gang was just about to publish all or most of the Irish data online.

German police

The decryption tool was sent by the gang after German police contacted the gang and explained to it that it was attacking a hospital, not a university. The hospital in question, University Hospital Dusseldorf (UKD), was able to use the decryption key to unlock its files and recover its IT systems.

It appeared the gang shared the tool, which worked when used, once it realised its target was a hospital rather than a university as it appeared to initially think.

The ransomware gang targeting the HSE has been trying to communicate with HSE personnel via a messaging system attached to the $20 million ransom note it posted as part of the attack late last week.

The messages over recent days, which have been seen by The Irish Times, included one on Wednesday that said: “We will start to sell and publish your data on Monday.” That message came three days after the gang had shared a small number of patient and commercially sensitive HSE files on the darknet to increase pressure on the HSE to pay the $20 million bitcoin ransom.

However, on Thursday the gang offered a decryption tool to the HSE, though it maintained its threat to publish the documents and/or sell them to other criminals unless the ransom was paid.

“We are providing the decryption tool for your network for free,” the latest messages sent on Thursday said. “But you should understand that we will sell or publish a lot of private data if you will not connect us [sic] and try to resolve the situation.” The next message offered advice to the HSE about how to use the decryption tool.

Conor Lally

Conor Lally

Conor Lally is Security and Crime Editor of The Irish Times