Irish officials analyze decryption tool as long recovery process from ransomware continues

FireEye is involved in the incident response, a spokesperson said.

The Irish government expects to dedicate significant resources in the coming days to recovery efforts related to a ransomware incident that has hampered the country’s public health service for the last week, officials said Friday.

Irish officials have obtained a decryption key that could unlock the data on the networks of the Health Service Executive (HSE), Ireland’s $25 billion public health system, though the key will need to be tested to ensure it does more good than harm. Meanwhile, medical appointments have dropped by as much as 80% in parts of the country following the breach, health officials have said.

It’s an example of the pressure that governments face, often under the international spotlight, to promptly restore connectivity to critical systems held hostage by cash-rich cybercriminals.

Emergency care has continued throughout the ordeal, but there have been delays in non-urgent services in parts of Ireland as IT systems supporting maternity care, radiation oncology and other services were knocked offline.


“A detailed technical process to ensure the integrity of this decryption tool is being carried out by the [National Cyber Security Centre] and private contractors,” the Irish government said in a statement Thursday evening. “This is to ensure that this tool would support restoration of our systems rather than cause further harm.”

Irish Prime Minister Micheál Martin has publicly said his government will not pay a reported $20 million ransom to get its data back. It is unclear how exactly the government obtained the decryption tool or why the hackers reportedly offered it for free. Irish officials have blamed hackers linked to a popular strain of ransomware called Conti for the breach.

The FBI has tracked at least 16 Conti ransomware attacks that affected U.S. health care and first-responder networks within the last year.

The Irish government statement did not name the private contractor, but a spokesperson for the Irish Department of Environment, Climate and Communications told CyberScoop that officials had brought in U.S. security firm FireEye for help. The HSE has said that antivirus firm McAfee, which has a deep bench of ransomware specialists, is also helping with the recovery.

“There remains a substantial task ahead for the HSE, supported by FireEye, the NCSC and others, to restore services throughout the country,” the department spokesperson said.


Obtaining the decryption key is positive news, Irish Prime Minister Micheál Martin told reporters Friday, but “it doesn’t really take away from the enormous work that still lies ahead in terms of the rebuilding of the systems overall.”

Martin said some health IT systems are gradually coming back online, but he appealed to the public to “bear with us and to bear with the Health Service in particular, as they deal with this unprecedented attack.”

Irish officials have also taken to the courts in their bid to contain the fallout from the ransomware attack. An Irish judge on Thursday issued an injunction prohibiting people from sharing leaked data from the hack on social media.

“We are aware of the court order and will act swiftly to remove content that is illegal, once we are aware of it,” a Facebook spokesperson said Friday.

The IT systems of a network of hospitals that serves 425,000 people in New Zealand were also knocked offline in a suspected ransomware attack.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
