To their great credit, the Irish Health Service Executive (HSE) has published the full post-incident report into last year’s Conti ransomware attack. Prepared for them by PwC, the report is a fascinating read and allows us all to learn from the HSE’s unfortunate experience.
The initial infection took place on 18th March 2021, when a staff member opened an email attachment infected with malware. Although there were various reports of suspicious activity on the network in subsequent weeks, the attack was not detected until the ransomware was finally detonated on 14th May. Initially all IT systems were shut down but, following release of a decryption key on 21st May, recovery of systems began on the 24th. Roughly half of servers had been decrypted within three weeks, with the remainder decrypted over the next three months.
The report stresses that the attack was relatively crude and that the impact could have been much greater. In particular, it is unclear how time-consuming a recovery from backup would have been if the attackers had not provided the decryption tool.
Clearly there are lessons that we can all learn from this incident. First and foremost, it highlights the need for ongoing staff awareness training about cyber security in order to reduce the likelihood of malware getting onto the network. It also highlights the need for effective monitoring: there was a two-month window to detect the attack before the ransomware was detonated.
As well as recommending a root-and-branch reform of IT governance and information security management, the report also identifies the need for an enhanced crisis management capability within HSE to enable it to deal with non-traditional incidents such as this. Follow the link to learn more about how Cambridge Risk Solutions can help develop your crisis management capability.