HSE cyberattack: New Zealand company offers decryption tool in response to attack

The hope is that the software offered free of charge may speed up restoration of the HSE systems

HSE officials hope a tool developed by a New Zealand company, which has been offered to the State for free, will significantly speed up the restoration of systems following last week’s ransomware attack.

On Thursday the gang behind the cyberattack gave the HSE a decryption tool to restore the health service systems which had been rendered useless by the malware known as Conti.

O Friday officials concluded this tool is genuine and that it works, but that the software is “flawed” and “buggy”. Restoring the systems using the tool would likely take weeks, and it may be quicker to manually restore the systems from back-ups rather than using it.

There were also concerns the software supplied by the gang could contain “backdoors” which may allow for further attacks.


Contractors working for the National Cyber Security Centre (NCSC), which is leading the response to the attack, is now assessing a tool offered by the New Zealand cybersecurity company Emsisoft which may be able to restore systems twice as fast.

The tool extracts the decryption key from the software provided by the hackers and puts it into a package custom-made by the company which should be far more efficient and far more stable.

It is hoped the software may work twice as fast as the tool provided by the hackers.

However, officials believe even with this improved software it will still take several weeks to restore and check all systems. The current plan is to decrypt critical systems first before moving on to administrative and other less urgent systems.

The threat of the criminal gang, known as Wizard Spider, leaking sensitive data from the HSE systems unless it receives a ransom remains outstanding. The Government has insisted no ransom will be paid.

The Emsisoft decryption tool has been given to the HSE free of charge as part of an assistance programme the company provides to healthcare agencies who have been the victims of cybercrime during the Covid-19 pandemic.


A spokesman for the Department of Communications, which oversees the NCSC, said the private cybersecurity firm FireEye is co-ordinating the response and that its team has been “carrying out a range of functions to ensure that priority HSE systems are restored as quickly as possible”.

“This includes work related to the use of the decryption tool released yesterday to enable it to be safely deployed on the HSE network. FireEye has been supported in this task by the NCSC.”

Emsisoft threat analyst Brett Callow said he could not comment on any assistance it is providing to the HSE.

Asked why the cybercriminals have handed over the decryption key, he said there were several possible reasons, including that the gang was “not entirely without a degree of humanity”.

He said it was also possible the gang has come under pressure from the government of the country where it is based. Such governments often turn a “blind eye” to attacks on private business but may feel an attack on a country’s health service is a step too far.

A security source said it was thought the gang released the key “as some sort of expression of goodwill” which the criminals hope will increase pressure on the Government to pay the ransom and prevent sensitive data being published.

There is currently “no appetite” among officials to pay any ransom, they said.

According to a report released by the FBI on Thursday, Conti ransomware attacks are on the increase. It said there has been 16 such attacks on US healthcare and emergency service agencies alone in the last year.

Conor Gallagher

Conor Gallagher

Conor Gallagher is Crime and Security Correspondent of The Irish Times