Why has data stolen in the HSE cyberattack not yet appeared online?

Experts say they are surprised the criminals have not followed through on their threats

Forty-eight days on from the devastating ransomware attack on Ireland’s health system, the criminals behind it are yet to make good on their promise to dump masses of sensitive patient data online.

Health officials and gardaí officials are confused, as is the wider cybersecurity community, where speculation is rife as to why the worst-case scenario has yet to be realised.

Meanwhile, the investigation is progressing, although it seems unlikely the culprits will face justice. This week the High Court ordered a Google-owned company to disclose the identities of people who uploaded a sample of the stolen data to its website in May.

Kurtis Minder, a US-based cybersecurity expert who specialises in negotiating ransom demands with cybercriminals on behalf of their victims is surprised the data has not been dumped online, given the reputation of the gang thought to be behind the attack, known as Wizard Spider.

“Specifically with groups like Conti/Wizard Spider, they do typically make good on their threats. So yes, it’s surprising to us.”

Like other experts who spoke to The Irish Times, Minder offers a variety of reasons as to why the data has not appeared.

One possibility is “back-channel activity between governments and law enforcement that we don’t know about or hear about. That might be impacting their behaviour”.

It is a possibility echoed by Pat Larkin, founder of Ward Solutions and a former IT specialist in the Defence Forces.

Larkin points to the unexpected decision by the gang, six days after the attack became public, to hand over a decryption key to the HSE which helped them repair the shattered computer systems.

He said it is "entirely possible" this was the result of "Irish soft power and diplomatic pressure". In other words, officials may have appealed to their counterparts in eastern Europe, where the criminals are thought to be based, to lean on the gang.

Financial gain?

Larkin said it is reasonable to suggest that this pressure may also be responsible for keeping the data offline, at least for the moment.

“These guys are a business and they will be making business decisions. Some of those decisions might be based on self-preservation,” he said.

“It’s possible their arm is being twisted to a certain extent and no data will ever be released.”

On the other hand, Brett Callow, a threat analyst at cybersecurity firm Emsisoft suspects the gang have little to gain from releasing the data.

“[The HSE] has made clear it will not pay the demand, and releasing the data could result in additional attention from law enforcement,” he said.

"For me the main reason is they see no financial gain in releasing this information publicly," said Brian Honan, an independent security consultant who has also served as a special adviser to Europol's Cybercrime Centre (EC3).

“They are more likely to be selling that data to other criminal gangs in order to make money from that data. If they were to post the data publicly it is possible they could undermine the value of the information when selling it to other criminals.”

Change of heart?

Most experts dismissed the idea the Government has quietly paid the ransom demanded by the criminals.

“I very much doubt that is the case. It would be very difficult to keep something like that secret and the Government would be leaving itself open to further blackmail,” said Honan.

Is it possible the criminals have developed a conscience, or at least realised that targeting a health system during a pandemic is a not a good look? Some major cybercriminal gangs like to portray themselves as Robin Hood types who only target faceless corporations.

Two of the biggest cybercriminal gangs, REvil and DarkSide recently promised not to target sectors such as health and education in future.

It is “possible” the Conti gang had a similar change of heart, says Minder, but the evidence is lacking. Targeting healthcare systems has been the gang’s core business model almost from the start, he points out.

READ MORE