Ireland Shuts Down Hospital Computer Systems Nationwide After Ransomware Attack

File photo of the CEO of Ireland’s Health Service Executive (HSE) Paul Reid (center) and Chief of Staff of Ireland’s Defense Forces, Vice Admiral Mark Mellett (left) with Irish Army cadets on March 13, 2020.
File photo of the CEO of Ireland’s Health Service Executive (HSE) Paul Reid (center) and Chief of Staff of Ireland’s Defense Forces, Vice Admiral Mark Mellett (left) with Irish Army cadets on March 13, 2020.
Photo: Paul Faith/AFP (Getty Images)

Ireland’s public health care system, known as the Health Service Executive or HSE, shut down all of its computer systems nationwide Friday after hospital administrators became aware of a cyberattack late Thursday.


The attack is being characterized as a ransomware hack, but it’s not yet clear if the hackers succeeded at acquiring enough data to hold hostage. Ransomware hackers will steal data that hasn’t been backed up sufficiently and refuse to return it until a certain amount of money has been paid, like in the Colonial Pipeline hack in the U.S. where nearly $5 million was paid just yesterday.

“There is a significant ransomware attack on the HSE IT systems,” the HSE said in a statement posted to Twitter early Friday. “We have taken the precaution of shutting down all our our IT systems in order to protect them from this attack and to allow us fully assess the situation with our own security partners.”

All medical equipment at Ireland’s hospitals are reportedly still operational, according to the Irish Times, but registration and record-keeping have reverted to pen and paper. The nation’s ambulance service is also operating normally, according to the HSE, and covid-19 vaccinations are still taking place.

Ransomware hackers will also sometimes threaten to release sensitive information publicly, such as medical records, as another angle to make money. It’s not clear whether any patient records have been compromised.

Paul Reid, the CEO of HSE, told Irish radio that the attack was “significant” and they were working with the military as well as third-party experts on cybersecurity, according to the Irish Times.

“There has been no ransom demand at this stage. The key thing is to contain the issue,” said Reid.


Reid also said the perpetrators were an, “internationally operated criminal operation,” though didn’t go into specifics about who might be behind this attack on the Irish health system.

Fergal Malone, an administrator at the Rotunda Maternity Hospital in Dublin, told RTE Radio Ireland that his hospital was shutting down for everything deemed non-urgent and explained that doctors were currently unable to access the electronic records of patients. The radio host asked Malone when he expected the hospital would continue normal operations and he said they were simply taking it a day at a time.


“All appointment have been cancelled for today Friday 14th May. The only exception are for patients who are 36 weeks or over pregnant,” the Rotunda Hospital said in a statement to Ireland’s RSVP Live.

“Otherwise you are asked NOT to attend at the Rotunda unless it is an emergency. The Rotunda will issue updated information as soon as possible.”


Ireland’s HSE did not immediately respond to an inquiry emailed early Friday but Gizmodo will update this post if we hear back.


Times up, time to leave!

Something that should be clarified here (as I’ve seen several stories where people in comments have the wrong idea) that this type of hacking is not in any way related to the common or garden variety ransomware malware what has been experienced in the wider community. Malware is not the cause in these cases, these are targeted hacking efforts.

The difference is important because of how these groups operate. I was involved about a year ago in helping to restore systems after such an attack so I have seen how they work.

The initial infiltration varies, could be social engineering, could simply be brute forcing a portal but the result is the same, the attacker gains high level access to an entity network. At this point they will do a recon and work out what they can get, what structure exists and especially what the backup process is. This is critical as making sure they trash the backups is key to making the ransom work. At this point the hackers may spend days or weeks working on their plan of action, poisoning backups over whatever schedule they need to make recovery impossible. At the same time they can download as much data as they desire, keeping it for the blackmail phase.

Then they strike, once they begin running their encryption scripts they have limited time before the attack is noticed. Taking down SQL DB’s usually causes instant havoc, so to avoid this in their recon they will try to work out business hours so they have less chance of being stopped in the encrypt phase. Regardless of how far they get with encrypting they have your data anyway that they can threaten to expose, it’s the double whammy, bang, bang, you’re dead.

So, anyway, its not like wannacry or that type of worm based ransomware, this is much more personal.