In March 2021, a Conti ransomware attack hit Ireland’s Health Services Executive when a user clicked and opened a weaponized Microsoft Excel file from a phishing email. The estimated recovery cost is around $600M USD.
While constant ransomware headlines may cause sensory overload, what makes this attack different is a detailed and public post-mortem analysis. Typically, we analyze ransomware attacks one step removed, from an outside perspective. In this case the Irish government commissioned a detailed analysis from PwC, intended to guide the HSE and other Irish government agencies in bolstering their cyber defenses. As the report states, they hope to “identify the learnings from this Incident both for the HSE and for State and non-State organisations to inform their future preparedness.”
For those of us in cybersecurity, however, the report provides a rare glimpse into a cyber attack and the defensive posture that enabled its success. Like the “game film” that athletes watch to improve performance, PwC has supplied us with “cyber film”. What are the key lessons for any organization hoping to prevent ransomware?
Lesson 1: Start with proper IT and security hygiene
The report states, “The HSE is operating on a frail IT estate that has lacked the investment over many years required to maintain a secure, resilient, modern IT infrastructure. It does not possess the required cybersecurity capabilities to protect the operation of the health services and the data they process, from the cyber attacks that all organisations face today. It does not have sufficient subject matter expertise, resources or appropriate security tooling to detect, prevent or respond to a cyber attack of this scale.”
The HSE is the largest employer in the Irish state, with more than 130,000 staff across hundreds of healthcare centers. Although the report condemns the HSE as exceptionally behind the times, it is a strong reminder that attackers prey on those who lack a basic ability to defend themselves. But there is another aspect to hygiene the report points out: leadership. The report states, “The HSE does not have a single responsible owner for cybersecurity at either senior executive or management level to provide leadership and direction.” Without a CISO, there was no single voice for security, and no orchestration of security activities.
Lesson 2: Lateral movement was easy and key to the scale of the damage
“This included compromising and abusing a significant number of accounts with high levels of privileges, compromising a significant number of servers, exfiltrating data and moving laterally to statutory and voluntary hospitals.”
The attacker persisted in the environment for nearly eight weeks, highlighting how attackers focus on finding the weakest link in security and gaining an initial foothold in an enterprise network. Once on the network, they move laterally. Security is no longer just about keeping threat actors out; it also requires the ability to detect how an attacker traverses the network to find and exfiltrate critical data.
The problem of lateral movement has been discussed for years, but combined with ransomware it can truly wreak havoc in organizations. The HSE, like many organizations, is not technically sophisticated, and quickly deploying a whole new set of controls to deal with lateral movement is not realistic. This is where MFA everywhere plays a pivotal role. The report noted how privileged access was exploited. Simply applying MFA-based restrictions to privileged protocols can stop lateral movement, regardless of technical sophistication.
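The two points above, detecting an account that fans out across the network and enforcing MFA on privileged protocols, can be checked against authentication logs. The script below is an added example, not code from the PwC report or from the HSE. The log format, account names, host names, the list of "privileged protocols" and the thresholds are all assumptions made for illustration; the sample log lines are constructed.

```python
"""Toy lateral-movement triage over constructed authentication events.

Two checks:
  1. privileged accounts authenticating over remote-admin protocols without
     MFA (the gap that "MFA everywhere" is meant to close), and
  2. one account reaching many distinct hosts in a short window, the spread
     pattern a detection team wants to catch early.
The log format, names and thresholds below are assumed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<iso timestamp> <user> <src> <dst> <protocol> mfa=<0|1>"
SAMPLE_LOG = """\
2021-03-18T09:02:11 jdoe WS-014 FILE-03 smb mfa=0
2021-03-18T09:05:40 svc_backup WS-014 DC-01 rdp mfa=0
2021-03-18T09:06:02 svc_backup WS-014 SQL-02 winrm mfa=0
2021-03-18T09:06:35 svc_backup WS-014 FILE-03 smb mfa=0
2021-03-18T09:07:10 svc_backup WS-014 HOSP-A-APP1 rdp mfa=0
2021-03-18T09:41:00 admin_kl LAPTOP-7 DC-01 rdp mfa=1
2021-03-18T10:15:27 jdoe WS-014 MAIL-01 https mfa=1
"""

# Accounts the directory marks as privileged (assumed for the example).
PRIVILEGED_ACCOUNTS = {"svc_backup", "admin_kl"}
# Protocols that grant remote execution or file access and so deserve MFA gating.
PRIVILEGED_PROTOCOLS = {"rdp", "smb", "winrm", "ssh"}


def parse_event(line):
    """Parse one constructed log line into a dict; returns None on malformed input."""
    parts = line.split()
    if len(parts) != 6 or not parts[5].startswith("mfa="):
        return None
    ts, user, src, dst, proto, mfa = parts
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "src": src,
        "dst": dst,
        "proto": proto.lower(),
        "mfa": mfa == "mfa=1",
    }


def parse_log(text):
    """Parse all lines, silently skipping malformed ones."""
    return [e for e in (parse_event(ln) for ln in text.splitlines()) if e]


def find_mfa_gaps(events, privileged=PRIVILEGED_ACCOUNTS):
    """Privileged accounts using remote-admin protocols without MFA."""
    return [
        e for e in events
        if e["user"] in privileged and e["proto"] in PRIVILEGED_PROTOCOLS and not e["mfa"]
    ]


def find_fan_out(events, window=timedelta(minutes=10), threshold=3):
    """Accounts that reach >= threshold distinct hosts inside any sliding window.

    Returns {user: sorted list of hosts reached} for offending accounts.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    hits = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so evs[start..end] fits inside the window.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {x["dst"] for x in evs[start:end + 1]}
            if len(hosts) >= threshold:
                hits[user] = sorted(hosts | set(hits.get(user, [])))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in find_mfa_gaps(evs):
        print(f"MFA gap: {e['user']} -> {e['dst']} over {e['proto']} at {e['ts']}")
    for user, hosts in find_fan_out(evs).items():
        print(f"Fan-out: {user} reached {len(hosts)} hosts within 10 min: {hosts}")
```

In the constructed sample, the service account reaches four hosts in under two minutes over RDP, WinRM and SMB with no MFA, so both checks fire on it, while the administrator's single MFA-backed RDP logon and the ordinary user's activity pass. The first check is the one an "MFA everywhere" policy turns from an alert into a hard block; the second is what a detection team still needs for accounts that slip past that gate.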