Wizard Spider, the group of cybercriminals believed to be behind the Conti ransomware attack on the HSE, likes to refer to its victims as "clients".
An ominous message at the top of the gang’s data dump website is directed at “clients” who refused to pay the ransom to keep their data secret: “If your data isn’t here it does not mean we forgot about you. It means we sold it.”
The use of corporate language is an indication of how Wizard Spider likes to portray itself; not as a group of ruthless criminals who would cripple a health service during a pandemic, but as cybersecurity experts providing a service.
"They style themselves as this penetration testing company who perform unsolicited security audits," said Maciej Makowski, a former detective with the Cybercrime Bureau and the Security and Intelligence section of the Garda.
Wizard Spider members operate out of various premises in eastern Europe and work nine-to-five in nondescript office blocks. The gang's headquarters is in Russia, near St Petersburg, where it is given free rein to operate by the authorities, as long as it does not attack Russian interests or allies.
The Conti ransomware found on the HSE servers is even programmed not to launch an attack if it detects Russian as the default language on the victim’s system.
Once their computers are infected, victims are walked through how to pay the ransom using cryptocurrency. A decryption key is then handed over to allow them to regain access to their files.
The hackers also tell their victims how they gained access to the system and how to avoid similar attacks in future. Once the transaction is complete, there is an understanding they will not be targeted by the gang again. Typically, the gang keeps its side of the bargain and the data stays private.
“It’s ironic. They are criminals but at the same time they do give you something when you pay,” says Makowski, who left the Garda in 2019 to move into the private cybersecurity sector. “It’s a bit tongue in cheek. They want to get across ‘hey we’re not just criminals, we’re actually a professional service’.”
This leaves the Government and the HSE in a quandary. Paying a ransom demand could prevent masses of sensitive patient data being leaked onto the web and may also prevent further Conti attacks.
But handing over money would also reward criminal behaviour and only encourage further attacks on other institutions. And while the HSE may be safe from Conti, it could become a target for the many other sophisticated ransomware gangs out there.
“What’s the lesser evil here? It’s a very hard decision to make,” said Makowski.
A ransom note published on a US website at the weekend demanding $20 million (€16 million) not to leak the HSE data appears to be genuine.
This is likely a starting point for negotiations, says James Moles, a senior engineer with the cybersecurity company Extrahop. He said the HSE might be able to argue this down to as low as $5 million.
Even at the higher figure, it might make more sense, from a financial point of view at least, to pay the ransom. Potential legal costs as a result of a mass data leak could be multiples of the $20 million sought, said Makowski.
For now, the Government has insisted no ransom will be paid. But, according to Moles, this may not be the end of the matter.
“It’s like the ‘we will not negotiate with terrorists’ stance that the Americans have. We know they negotiate with them all the time. They’re in constant contact. Back deals are made or deals are made through a third-party mediator,” he says. The HSE will have to pay the ransom “or take the hit”.
If Wizard Spider has the data, it is almost certain to leak it if a ransom is not paid. “They treat their business model seriously,” says Makowski.
On the other hand, by attacking a large state institution such as the HSE, the gang may have bitten off more than it can chew. Private companies are more likely to pay ransoms because such mass data leaks can threaten their existence. But while the publication of data will severely damage the HSE and cost many millions, it is unlikely to be fatal to the organisation.
“The whole thing is a disaster,” said Makowski. “But the HSE is not going to be destroyed by this.”
If there is a silver lining, it is that it will presumably light a fire under the Government to update the State’s archaic IT systems and cybersecurity services.
Thousands of computers on the HSE network still use Windows 7, which Microsoft stopped supporting with security updates more than a year ago (last year the health service had to pay more than €1 million for extra protection). According to Makowski, some of the HSE's computers run an even older – and more vulnerable – version of Windows.