HSE data key comes from gang behind attack, authorities believe

Caution required over use of key to ensure it contains no further malicious software

HSE chief executive Paul Reid said if the ransom demand was met, the State would be making the gang stronger for future attacks. Photograph: iStock

HSE chief executive Paul Reid said if the ransom demand was met, the State would be making the gang stronger for future attacks. Photograph: iStock

Your Web Browser may be out of date. If you are using Internet Explorer 9, 10 or 11 our Audio player will not work properly.
For a better experience use Google Chrome, Firefox or Microsoft Edge.


An Garda Síochána and the health authorities believe a decryption tool offered to the HSE to unlock its IT systems came from the same cyber gang that carried out the ransomware attack on it.

While the decryption tool must undergo a series of tests before any effort is made to use it, several sources said the tool appeared to work and, specifically, was compatible with the encryption the HSE fell victim to.

A statement issued on behalf of the Government on Thursday night said it was “aware” a decryption tool had been offered and said no ransom had been paid. A “detailed technical process to ensure the integrity of this decryption tool” was being carried out by the National Cyber Security Centre and contractors to ensure it would help in the rescue of the systems and data “rather than cause further harm”.

The Government described the tool becoming available as “an encouraging development” but added the “programme of work to repair and restore the IT systems still needs to be carried out”. Gardaí are continuing to investigate those involved in the attack.

In a statement the Government stressed it had not paid a ransom “and will not pay a ransom in respect of this crime”.

Minster for Health Stephen Donnelly said he could confirm “the decryption key to unlock the data has now been made available. We will continue to work with all parties to further the national response and fully reinstate our health services.”

HSE chief executive Paul Reid said if the $20 million ransom demand by that gang was met, the State would effectively be making the gang stronger for future attacks.

Threats continue

The Russian-speaking cyber gang behind the attack is still threatening to publish the HSE information it accessed, including personal information relating to patients, on the dark net and to sell some of it to other criminals if the ransom is not paid.

Brian Honan, a cybersecurity consultant based in Ireland and former cyber security adviser to Europol, said even if the decryption tool worked, the HSE would persist with rebuilding its IT infrastructure, a process under way since late last week when the unprecedented scale of the attack became clear.

“This is to ensure that the systems are clean and not infected, and also that the criminals have not implanted any other malicious software on to those systems,” he said.

The HSE on Thursday secured injunctions from the High Court restraining any sharing, processing, selling or publishing of data stolen from its computer systems.

HSE chief executive Paul Reid told the court in an affidavit he feared all of the HSE’s data was “potentially compromised”.

This includes data relating to clinical matters, diagnostics, oncology, patient administration, human resources and payroll, the court was told.

Mr Justice Kevin Cross said on Thursday he was satisfied to make the orders sought over hacking undertaken for a “particularly heinous form of blackmail”.

The main purpose of the orders, the court heard, was to put legitimate information service providers such as Google and Twitter on notice of a legal prohibition on the sharing and publication of the HSE information.