HSE hackers also penetrated gov't network - were kicked off before triggering Conti payload.
Malware "calls many bogus WinAPIs with invalid arguments to intentionally throw exceptions... uses sandbox evasion techniques"
The hackers who launched a ransomware attack on Ireland's Health Service Executive (HSE) on Friday May 14 had also penetrated the government's Department of Health network, but were detected and kicked off that network before they could trigger a ransomware payload, Ireland's National Cyber Security Centre (NCSC) said on Sunday, publishing Indicators of Compromise (IoCs) and naming the Conti ransomware family as responsible.
The attack forced Ireland's national health service to push urgent radiotherapy treatments to the private sector, with X-ray services also crippled and cancellations widespread across all outpatient services. (Emergency Departments are open, ambulance services are operating, as are essential inpatient services, the HSE said.)
Analysis shows the Conti malware begins by calling "many bogus WinAPIs with invalid arguments to intentionally throw exceptions," the NCSC noted. "These are handled by the malware and act as an anti-emulation/sandbox evasion technique." The trick works because an emulator or sandbox that stubs out API calls tends to return success where a real Windows kernel would raise an exception, so a sample that never sees the errors it expects can conclude it is being analysed and stay dormant. The agency added that "particular attention should be placed on activity related to pre-cursor malware that may have pre-empted ransomware attack (IcedID/BazarLoader/Trickbot etc.)".
HSE Ransomware attack: Department of Health targeted
The NCSC said: "On Thursday afternoon (13/05/21), the NCSC was made aware of potential suspicious activity on the Department of Health (DoH) network and immediately launched an investigation in conjunction with the DoH and a 3rd-party security provider to determine the nature and extent of any possible threat.
"Preliminary investigations indicated suspected presence of Cobalt Strike Beacon, which is a remote access tool. Cobalt Strike is often used by malicious actors in order to move laterally within an environment prior to execution of a ransomware payload," the agency added. "At approx 07:00 hrs on 14th May the NCSC was made aware of a significant incident affecting HSE systems. Initial reports indicated a human-operated 'Conti' ransomware attack that had severely disabled a number of systems and necessitated the shutdown of the majority of other HSE systems. Early Friday morning (14th May 2021) malicious cyber activity was also detected on the DoH network; however, due to a combination of anti-virus software and the deployment of tools during the investigation process, an attempt to execute ransomware was detected and stopped."
Analysis of the attack shows internal network subnets were enumerated and the results saved to files; multiple batch files (.bat) were used to copy malware to endpoints; psexec.exe was then used, with compromised user credentials, to execute the malicious payload on those endpoints. The NCSC did not detail the initial access vector, which could have been anything from a phishing email delivering one of the precursor loaders it names, to weak credentials on an exposed service, to an unpatched VPN appliance.
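To make that chain concrete, the following is an added example written for this article (it is not NCSC, HSE or Conti tooling) that correlates constructed Windows event-log lines for the three stages the NCSC describes: enumeration output redirected to files, .bat files written to endpoints' admin shares, and a freshly installed service (PsExec's PSEXESVC, or one given another name) running the batch file. The hostnames, account names, file names and the flattened "timestamp key=value" log format are all assumptions made for the example.

```python
"""Correlate Windows event-log lines for the lateral-movement chain the NCSC
described: subnet enumeration saved to files, .bat files copied to endpoints,
and PsExec executing them with compromised credentials. Example code written
for this article, not NCSC tooling; the log format, hosts and users are made up."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (Sysmon 1, Security 5145, System 7045) flattened to
# "timestamp key=value ..." lines. Not real HSE or DoH telemetry.
SAMPLE_LOG = r"""
2021-05-13T22:04:10Z host=FS-01 EventID=1 User=CORP\jdoe Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c net view /all > C:\Users\Public\hosts.txt"
2021-05-13T22:06:42Z host=FS-01 EventID=1 User=CORP\jdoe Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c for /L %i in (1,1,254) do ping -n 1 10.20.30.%i >> C:\Users\Public\sweep.txt"
2021-05-14T02:11:07Z host=WS-0412 EventID=5145 SubjectUserName=jdoe ShareName=\\*\ADMIN$ RelativeTargetName=deploy.bat AccessMask=0x2
2021-05-14T02:11:09Z host=WS-0412 EventID=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\PSEXESVC.exe
2021-05-14T02:11:10Z host=WS-0412 EventID=1 User="NT AUTHORITY\SYSTEM" Image=C:\Windows\System32\cmd.exe CommandLine="cmd /c C:\Windows\deploy.bat" ParentImage=C:\Windows\PSEXESVC.exe
2021-05-14T02:11:31Z host=WS-0413 EventID=5145 SubjectUserName=jdoe ShareName=\\*\ADMIN$ RelativeTargetName=deploy.bat AccessMask=0x2
2021-05-14T02:11:33Z host=WS-0413 EventID=7045 ServiceName=WinUpdateSvc ImagePath=%SystemRoot%\WinUpdateSvc.exe
2021-05-14T02:11:34Z host=WS-0413 EventID=1 User="NT AUTHORITY\SYSTEM" Image=C:\Windows\System32\cmd.exe CommandLine="cmd /c C:\Windows\deploy.bat" ParentImage=C:\Windows\WinUpdateSvc.exe
2021-05-14T09:30:00Z host=WS-0099 EventID=5145 SubjectUserName=helpdesk ShareName=\\*\ADMIN$ RelativeTargetName=inventory.bat AccessMask=0x2
2021-05-14T09:30:02Z host=WS-0099 EventID=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\PSEXESVC.exe
2021-05-14T09:30:03Z host=WS-0099 EventID=1 User="NT AUTHORITY\SYSTEM" Image=C:\Windows\System32\cmd.exe CommandLine="cmd /c C:\Windows\inventory.bat" ParentImage=C:\Windows\PSEXESVC.exe
2021-05-14T09:45:12Z host=WS-0500 EventID=1 User=CORP\asmith Image=C:\Windows\System32\cmd.exe CommandLine="cmd /c C:\Scripts\backup.bat" ParentImage=C:\Windows\explorer.exe
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key=value or key="value with spaces"

def parse(log):
    """Turn the flattened lines into dicts; the timestamp goes under 'ts'."""
    events = []
    for line in log.strip().splitlines():
        ts, _, rest = line.partition(" ")
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
        for key, quoted, bare in KV.findall(rest):
            ev[key] = quoted or bare
        events.append(ev)
    return events

ENUM_CMDS = ("net view", "net group", "nltest", "ping -n", "arp -a", "nslookup", "adfind")
WRITE_BITS = 0x2 | 0x4            # FILE_WRITE_DATA | FILE_APPEND_DATA in a 5145 AccessMask
ADMIN_SHARES = ("ADMIN$", "C$")
BAT_RE = re.compile(r"\.bat\b")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def correlate(events, window=timedelta(minutes=5), burst=timedelta(minutes=10)):
    """Return findings as dicts. Per host: a .bat written to an admin share and,
    within `window`, a process under a newly installed service running a .bat is
    'remote_bat_exec'. Across hosts: one account doing that on two or more hosts
    within `burst` is 'mass_deployment', the fan-out that precedes the payload."""
    findings = []
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    for host, evs in by_host.items():
        drops, services = [], {}      # services: image basename -> its 7045 event
        for ev in sorted(evs, key=lambda e: e["ts"]):
            eid, cmd = ev.get("EventID"), ev.get("CommandLine", "").lower()
            if eid == "1" and ">" in cmd and any(c in cmd for c in ENUM_CMDS):
                findings.append(dict(stage="enum_to_file", host=host, user=ev["User"], ts=ev["ts"]))
            elif eid == "5145":
                mask = int(ev.get("AccessMask", "0"), 16)
                if (ev.get("ShareName", "").upper().endswith(ADMIN_SHARES)
                        and ev.get("RelativeTargetName", "").lower().endswith(".bat")
                        and mask & WRITE_BITS):
                    drops.append(ev)
            elif eid == "7045":
                # Key on the binary, not the service name: psexec -r renames PSEXESVC.
                services[basename(ev["ImagePath"])] = ev
            elif eid == "1" and BAT_RE.search(cmd):
                svc = services.get(basename(ev.get("ParentImage", "")))
                drop = next((d for d in drops if ev["ts"] - d["ts"] <= window), None)
                if svc and drop:
                    findings.append(dict(stage="remote_bat_exec", host=host, ts=ev["ts"],
                                         user=drop["SubjectUserName"], service=svc["ServiceName"]))
    by_user = defaultdict(list)
    for f in findings:
        if f["stage"] == "remote_bat_exec":
            by_user[f["user"]].append(f)
    for user, hits in by_user.items():
        hits.sort(key=lambda f: f["ts"])
        if len(hits) >= 2 and hits[-1]["ts"] - hits[0]["ts"] <= burst:
            findings.append(dict(stage="mass_deployment", user=user, ts=hits[0]["ts"],
                                 host=sorted(h["host"] for h in hits)))
    return findings

if __name__ == "__main__":
    for f in correlate(parse(SAMPLE_LOG)):
        print(f["ts"].isoformat(), f["stage"], f["host"], f["user"], f.get("service", ""))
```

Two choices in the example matter in practice. The 7045 match keys on the service binary rather than on the name PSEXESVC, because psexec.exe -r installs the service under whatever name the operator picks (WS-0413 in the sample). And a single host running a batch file through PsExec is only a medium-confidence signal, since administrators use the tool legitimately (WS-0099 in the sample), so the mass_deployment finding requires one account doing it across several hosts within a short burst. Security event 5145 is only logged when the "Audit Detailed File Share" subcategory is enabled, so confirm that before relying on the share-write stage.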
"HSE IT teams are continuing to work on what systems can be brought back online in a safe way. This will take time. Please continue to leave all your systems switched off until further notice," the HSE told staff on Monday, May 17, after the attack on Friday. The NCSC published IOCs and security guidance here.