
Patrick Curtin - The Ireland HSE Ransomware Attack: A Cautionary Tale for All Organizations

BSides St. John's · 46:42 · 47 views · Published 2025-05
About this talk
BSides 2022
Transcript (en)

Awesome. Well, thank you, Robert. And it is awesome to be back in person. So, we're running a bit late, so we'll get the show on the go. Our first speaker is Patrick Curtin, who is talking about ransomware. Correct. Yes. Talking about ransomware. Let's get you hooked up here first.

Nice.

Right. Good morning, everyone. Can you hear me? Good. All right. Excellent.

Okay, so ransomware is a very hot topic, of course, probably the hottest topic in cyber security now. When you think about cyber security, there's a lot of different ways of looking at the problem. My personal favorite way of doing it is what we're going to do here, which is looking at an actual incident and walking it through and seeing what happened, what could have been done better, and what worked well. In this case, not very much. The problem with this way of looking at cyber security is you almost never know enough to do what we're going to do here. And there's a reason why this one is an exception. If you're doing incident response at your own organization, sure, you're going to know; hopefully you'll be able to figure out what happened. But when you read about them in the press, there's little snippets; there's almost never enough for you to build a picture. This ransomware example from Ireland is a bit different, and it's an excellent way of illustrating how important executing fundamentals is in the field of cyber security, because this is a worst-case scenario. This is one employee making a couple of mouse clicks bringing down a whole organization, and not just any organization: a critical infrastructure provider.

So what we're going to do is start by looking at the targeted organization and how they were set up. We'll look at the threat actor, and then we'll look at the timeline, the steps that occurred in the compromise and the recovery. We'll talk about the impact, then we'll look at the post-incident analysis, and finally we'll talk a little bit about prevention.

The graphic on the right is the cover page of the post-incident report, which was made public. This is super rare. It's a big report, 150 pages, written by PricewaterhouseCoopers. It is redacted, so there's about 10 pages of technical details that are completely blacked out, but other than that, it's all available out there for everyone. It's an excellent read. And this, again, I can't emphasize this enough, it almost never happens. It only happened here because at the targeted organization some enlightened soul decided this story needed to be shared, because there's a lot to learn here. So, a shout out to the HSE for publishing this.

So, who is the HSE? It's the Health Service Executive in Ireland. It is basically the health care system of Ireland. Ireland, 5 million people. This makes the HSE the largest employer in Ireland at about 130,000 employees. It is a designated critical infrastructure provider. Huge budget, of course, health care for an entire country: 22 billion euro. The IT budget, about 200 million euro. Okay, that sounds like a lot of money, but if you look at the budget, it's less than 1%. 1% is a bit challenging, and we'll get into a bit about the different tensions going on with budget in a health care organization, but in the US the benchmark I've seen is about 3 or 4%. Banks would spend more, eight or nine or 10%. But 1% is your first sign that maybe all is not well here. And they're supporting a lot. They've got 70,000 devices spread over a wide enterprise, over 4,000 locations. This would be not just big hospitals, but little clinics and that kind of thing. Lots of applications, supported by 350 staff. That's not a lot out of an employee base of 130,000.

Okay, so let's look at the network. Now, I'm going to generalize a bit. There's a few exceptions to what I'm going to say, but in essence, this was a flat network, and it was done that way to make it easy for staff to access the applications they need. So we're right away illustrating the tension between convenience and security. There weren't enclaves generally set up in this network. Few exceptions, and those exceptions, in what's going to happen here, made the difference for those places that were not completely open. A third of their servers, several thousand servers, out of support; 30,000 Windows 7 desktops. These Windows 7 desktops hadn't been moved forward to Windows 10 because they had a problem running their medical imagery applications. There was a way around this. Some of the hospitals on their own figured out how to do this, but by and large, the enterprise hadn't moved off for that reason. So, a whole bunch of workstations, a whole bunch of servers not being patched. There was no CISO, no chief information security officer. They did have a CIO, but no CISO. Unusual for an organization of that size. No SOC, no security operations center, no hub to act as the quarterback for security operations. 15 cyber security staff. When you think about 350 IT staff, 15 cyber security staff, that is really, really small. When this incident happened, they were in the process of doubling their IT. They had received authorization to go from 350 to 650 staff. They were just starting to do that. So at least there was some recognition they didn't have enough people. The cyber security staff, I didn't write it here, but in the post-incident report they are described as not having the necessary expertise or experience to do their work, which is a pretty damning statement. But when we get to some of the observations, I think there's other things we need to consider beyond just these poor 15 cyber security staff, who would have been run off their feet.

Okay, think back to spring 2021. This incident happened not too long ago, right? Only a bit more than a year ago. Spring of 2021, Western health organizations are rolling out COVID vaccines, right? And there's applications involved; there's IT to support that. So some of those cyber security people were peeled off to help support this high-priority effort. So not only do they not have enough, but they're also working on other things. And cyber security was a recognized high and likely risk. This was presented to the HSE board in the fall of 2020. So people were aware there were problems here. It was actually presented at the board level, the highest level. Now, that presentation is not public, but it sounds as though it was just kind of an observational thing and it didn't talk about impacts. It didn't say, "Hey, if we don't do something about this, we might grind to a halt." And I suspect if it had, they would have been told, "No, no, no, no. You're exaggerating." So we'll see what's going to happen.

This is how I feel as a cyber security professional when I look at this. This is a train wreck. It's surprising something didn't happen sooner, but this is an accident waiting to happen. And it's appalling. It's terrifying when you think that it's a health care setting, a setting where it's literally life and death.

All right, let's shift gears to the threat actor. In this particular case, it's a group known as Conti. You'll hear them referred to as a cyber crime gang. Their ransomware is also known as Conti ransomware, and it's a bit confusing because these guys are currently rebranding. They're in the news a lot. They really hit the news big with this, and they've subsequently, I'll talk about it a bit, been involved in other high-profile things, but they've actually decided to rebrand. It's not clear exactly what's going on, but it looks like they're based in St. Petersburg, about 200 people, and they have a very wide playbook. They have some very sophisticated techniques, but their hallmark is what we call living off the land, which is where, once you get on the network, you're going to harness admin tools that are already found there. So you're not having to move malware in that could get detected. You're just going to use stuff that's sitting there in the admin's toolbox. The FBI, as of about six months ago, had estimated that this group had over 700 major ransomware victims. And in 2021, they extorted somewhere between 150 and 180 million. That's a lot of money when you think only about 200 people are behind it. If that was a company, they'd be doing pretty well. They've been described as an unparalleled big game killing machine. 700 major victims in a few years. They are very good at what they do. And at the bottom there, they're good enough that the FBI issued a ransomware advisory about them. So that is also available for everyone to see. This is from about a year ago, September 2021.

Now, that said, they've been breached themselves. Excuse me, I'm going to have to get some water. My mouth's already getting a little dry. Sorry. Right. So, in the fall, about a year ago, they were, actually I say fall 2020, sorry, that's fall 2021, and March 2022. In the fall, they were breached by a disgruntled former employee, if you could call them that. And this employee, classic insider threat, brought all kinds of their intellectual property out, brought out their playbooks, published it all on Tor. So of course cyber security researchers had a field day with that. And then, strangely enough, they're based in Russia. When Russia invaded Ukraine, they came out and said, "We're in complete support of the Russian government. We're completely against Ukraine and the United States. We're going to act in support of the Russian government." No surprise. There's always been thought that Russian-based cyber crime actors are loosely connected with the government. Well, when they did that, they then got targeted, and a whole bunch of other things got leaked, including chat logs. So again, cyber security researchers were able to digest this stuff, analyze it, and build a picture of what they're like, and it reveals a pretty grueling work environment. They've got a lot of attrition at the working level. There's a ton of pressure. Some of them are remote. They're always expected to produce. And one of the researchers is quoted saying the leaks paint a picture of a surprisingly normal tech startup. And so this is what they look like. Check Point did this. There's about 200 blobs there; these are people. They were able to identify leadership, people that are doing HR, people that are just doing their backend, people doing their software development, just like a startup.

All right. So, let's get to the middle of March 2021. March 14th. A particular person at the HSE gets a phishing email. Not a spear phishing email, just a phishing email. I get them all the time, but the ones I get are pretty crappy; I'm never going to click on them. The ones these guys do are really good. Two of the themes they use are Apple cards and Amazon cards. When you look at them, there's no spelling mistakes. All the fonts are perfect. All the graphics are perfect. So you'd have to look at it a bit more closely to say, "Yeah, this is still too good to be true. Why would someone be sending me this?" But this particular employee, and there were others, it wasn't a mass campaign across the HSE, but there were numbers of employees getting them. And this employee had actually received them, I think, four times in the past and had never clicked. But this time, for whatever reason, March 18th, they click; they get infected. That's the initial compromise right there. And that workstation is known as patient zero.

Over the next five days nothing happens. March 23rd, the threat actor goes in and gains persistence. So in those five days, if the workstation had just been cycled off, or if something had been detected, it could have been cleaned very easily. But that didn't happen. So the threat actor goes back in, establishes persistence, just on that workstation. March 31st, the threat actor goes back in, and the enterprise antivirus detects the use of Cobalt Strike. Cobalt Strike is a penetration testing tool. It's pretty common out there. It's also common for bad guys to use it. That's why the enterprise antivirus detected it. Now, that workstation hadn't been patched in something like a year. The workstation had the enterprise antivirus, but the signatures on the antivirus had also not been updated in something like a year, but it still detected this. It detected it, and that alert just went to the floor.

Now, this is kind of surprising here. Over the next five weeks, almost nothing happens. There's very little threat activity showing up in the logs. There's no reason to think there was. I think what this indicates, it goes back to that grueling work environment. These guys are infecting so many people, and they're not going to have a very organized workflow, right? So some cyber crime operator at a console somewhere finally is like, "Okay, let's go in now." They probably had a full dance card up until then. So, five weeks later, they're leaving fingerprints of reconnaissance, lateral movement, and privilege escalation. This is like, okay, things are starting to get really serious here. They took their beachhead, spread out, escalated privileges, so they've got admin rights in a bunch of places. This is not good. This is definitely a sign that things are escalating. Then a day later there's file activity. They're basically looking to see what they can get. What kind of files are out there? What information is there?

Now, I've cleaned this up a bit. Over the next few days, there's a few more things happening. There are alerts starting to go off. Some of the hospitals are operated semi-autonomously, and some of them are detecting activity they don't like. There's actually one hospital that goes to the center and says, "Hey, we've seen something coming from you guys, coming from corporate," and someone on the corporate side comes back and says, "No, no, no. The problem's on your end," which is not true. So there's some confusion there, but it's getting serious enough that the enterprise antivirus company, with their own telemetry, is starting to see, oh my goodness, something serious is going on. They start emailing their contacts within the HSE saying, hey, you've got unhandled threat events. And I would imagine the threat actor at this point is figuring out that they've been detected. And on May the 14th, you have the ransomware detonation.

So what we're going to see here was a pretty huge deal in Ireland, but it didn't make the radar here very much. There's a reason for that, and that's the Colonial Pipeline compromise. Right around the time this is happening, Colonial Pipeline down the eastern US gets hit. That was a big cyber security story right there. Again, critical infrastructure being threatened. There was some thought that aviation fuel would stop flowing on the east coast, which didn't happen. But it was a pretty serious deal, and it did get a lot of traction in the press, and that kind of drowned this story out a bit on this side of the Atlantic. It was still a big story in Europe.

Okay. So let's look at what happened on the day of May 14th. 1:00 a.m. The threat actor is deliberately deciding to set things off in the middle of the night in Ireland. The fewest people would have eyes on at that point. Makes sense. A couple hours later, the first reports are starting to hit the national service desk. This is like the help desk. This is not security people. This is just reports going to the help desk: hey, I can't get my workstation to work, I got a blue screen. And this part here, the next few hours, for an organization this size, they do seem to have responded well to something that happened in the middle of the night. By almost 5 in the morning, a critical incident has been invoked, which would unleash internal protocols about who to contact and what meetings to stand up. 5:10, there's a call with subject matter experts, and they make the decision to disconnect. So, to staunch the bleeding, they're going to disconnect and power down. 6 o'clock, the CEO notifies the board. So think about it: the CEO of this massive organization is notifying the board at 6 a.m. That means the CEO has been involved for a few hours. Media starts getting reports at 7. The police are brought in at 10:30. They've engaged some third-party help, a third-party incident response company. By noon, a malware sample has been shared with the IR firm, and at 2:00 texts are going out to staff, and at some point during the day a ransom is demanded of 14 million euros, so about 20 million.

So, if you're a member of the HSE, you get into work, everything's off or should be off, nothing's working, and on your own Twitter, maybe if you follow the HSE, you're going to see this reminder on Twitter: if your workstation's on, turn it back off. And here's a tweet from an obstetrics hospital sending a message out: we're only doing emergency stuff today. If you've got a normal appointment, don't show up. And this was common across the system, with a few exceptions.

All right. So let's look at right of boom here. After the detonation, what happens? Well, they set up a coordination center the next day, off site. They didn't actually have an on-site place to do this from. I'll get to that in a second. By the 24th, their incident response helpers have come up with a go-to-green process for secure recovery. This is a way to recover the workstations. By the middle of June, half of the servers and half of the applications have been recovered. And by about a year ago, so September 21st, most of the servers and applications have been recovered. Okay, some of you might be looking at this going, I'm missing something. And I did skip something very important, and that is that on May the 21st they received the decryption key. They didn't pay the ransom. We'll get a little bit into that, but that receiving of the decryption key is what actually allowed this whole go-to-green recovery process to even happen. So Conti said, "We are providing the decryption tool for your network for free, but you should understand that we will sell or publish a lot of private data if you will not connect with us and try to resolve the situation." Yeah, it is more important to be lucky than good. Now, why did this happen? The most likely scenario is that someone within the ransomware gang was like, "Oh my goodness, this is going to bring a lot of heat on us. This is not good for us. We've got to walk this back." There's some chat to support that theory. We don't know for sure. They do target other health care organizations. Maybe it's because Ireland is kind of non-aligned; Ireland is not in NATO. Who knows?

Okay, let's talk about the impact a bit. Devastating impact cannot be overstated. This is on Irish state media, early June: HSE chief says cost of cyber attack could reach 100 million euro. Since then, the estimate is it might be as much as five times as high. Massive cost. So huge financial cost, but we're talking about health care. So let's forget about the financial cost. What's the impact on health care? Well, first of all, when they encrypted, that went pretty broad. At least 2,800 servers and 3,500 workstations encrypted, but it's probably much more. That's where they stopped counting. So it was pretty broad. And the response, which they really had to do given their situation, they had to disconnect and power down. Well, think in your own work, what would happen if you did that? It's going to have a big impact on your work. Of course, one of the biggest things: the HSE lost its email, and email was the way they primarily operated internally. A lot of us are now doing a ton of stuff on Teams; that wasn't the case there. More importantly, health care staff lost access to patient information and the lab system. So you're going in to get a treatment and your doctor can't access your file, which in a lot of treatments is really, really important, right? It's not just a one-off, especially, say, with oncology. On top of that, support staff lost access to financial and procurement systems. So even in recovering, like, okay, we've got to pay for this incident response firm, they would have been having to do all this stuff without the support of their normal systems. They didn't have access even to their employee contact list. They didn't have access to their asset registers or network diagrams. So think about this like in your own life: you've got to be ready for a power outage, right? So hopefully at home you've got a few flashlights. It's 10 o'clock at night, the power goes out while you're watching Netflix. Well, it doesn't do you a lot of good if you have flashlights and you don't know where they are. So they didn't even know where their flashlights were. They did not know what their assets were. They didn't have their network diagrams to work from. And what does this all lead to? When you can't access health records and test results, that has a big impact on medical care. They had to revert to handwritten records. They had to issue a national health care indemnity. This is the government saying, health care providers, doctors, nurses, we know you don't have access to what you need, but we're going to assume the risk. We want you to carry on. And of course the health care people wanted to carry on. They just can't provide the same standard of health care. And the government basically had to step forward and say, "We'll assume the liability here." And there's even spill-on effects in something like this, like when a baby is born in Ireland, the information required for the birth certificate and child benefits, that was all shipped by email. So all of that ground to a halt. And then you have, big room of people here, surely some of us have loved ones in health care. They've had a real tough time during COVID. So these folks have been working through COVID, and now you've got another crisis thrown upon you. Then, to add insult to injury, some patient records were released.

[Music] Turn that one on. [Music] Can you hear me now? Okay.

All right. So, this organization couldn't have done it on their own, obviously. So, they had the Irish National Cyber Security Centre, which is tiny. The Irish military actually came. This one's a bit funny. You think about the Irish military pulling up; it's like, oh, they're going to bring radios. No, they set up a Teams instance for the health care system. And they also brought in some reservists who are white hat hackers, so they had some expertise as well. AIB, Allied Irish Bank, I'll just shout out to them because they're kind of the unsung heroes there. They weren't recognized in the report, but one of the members of the HSE board is the CIO of Allied Irish Bank, the biggest Irish bank. When this incident happened, he threw open his resources. They used their incident room, they used their staff, all for free. So this is a great example of another entity recognizing the problem, recognizing how important it was for the country, and let's do something about it. There was a third-party incident response provider that isn't actually spelled out in the report, or the company hasn't identified themselves, but PwC, they do this a lot. So they brought out their matrix of how to analyze what happened here. They basically measured the HSE's readiness against their framework. They conducted a pile of interviews, reviewed thousands of documents. So in their readiness framework of 28 elements, 21 of them are noted at very high risk. In their view, the HSE was doing very little to reduce their attack surface, doing almost nothing to reduce dwell time or to limit blast radius, only a few things for recovery. So a lot of kinetic terms there, but basically those basic things you need to do to have defense in depth and to minimize damage when compromises happen. Well, the HSE was doing very little of that. They did a cyber maturity assessment. Not surprisingly, it came out as pretty poor. So, measured against the five NIST cyber security domains: basically, if you get a 1.0, that's like you're doing nothing. You don't get a zero, you get a one. So they're not very far along the path to cyber security health here.

So they came out with this report at the end, 72 key recommendations. If you've ever seen recommendations for improvement being handed out to someone, you normally tap out at four or five. So 72 is a lot. Not surprisingly, it's like, you need to have a CISO in there. You need to have an IT strategy that addresses all your technical debt, because there's a ton of technical debt there. They are saying the HSE had to enhance their crisis management capabilities. So the HSE ran hospitals; they actually had great crisis management capabilities when it comes to mass casualty events, fires, earthquakes, floods, but nothing for this. Establish a suitably resourced and skilled cyber security team. And finally, build defense in depth, including security monitoring, vulnerability management capabilities, secured privileged access, network segmentation. The list was longer than that, but those are some of the basics.

All right. So there were a lot of opportunities; this didn't have to happen. So if we think about the initial email, well, this is the human element: training for your staff, training for people on hygiene, on not clicking on things you don't expect, just basic awareness about the cyber security threat. That's a thing you can do. Now, is it okay for an employee to click on a thing, make a mistake, and bring down a whole network? No, it's not okay. But that's your first step. You still have to have safeguards after that. So that initial click, with a half-decent endpoint agent, would have set off an alarm. Better than an alarm: it would have been blocked. So you should block this kind of thing, but if you don't block it, at least detect it. And if you have a way of detecting it, at least have someone dealing with that detection. Persistence being established, well, that's another different activity. It probably involved changing registry keys. This is another thing you can try to detect, you can try to block. It's not a super hard problem. There are products that do that. Then if we go to the other steps that were taking place, reconnaissance, lateral movement, privilege escalation, all of these things involve certain techniques the threat actor is going to do, techniques that can be detected, techniques that in some cases can be blocked. So again, you want to do it at wire speed if you can. You want to block if you can, but if you don't block, at least detect, and then have someone in a position to triage those detections and have a look, because there was time here. There was time here. It wasn't a matter of seconds. There was some time, at least in this case, for people to actually go, okay, there's something seriously going wrong, let's take steps. Similarly with the file activity. So basically every step along the way there are fingerprints that the threat actor is leaving behind that you can detect and hopefully block.

So I'm getting close to wrapping up here. This could have been way worse. If the key had not been provided, they wouldn't have been able to do that recovery. They would have had to start from scratch, and the health care system went through weeks of extreme problems; they would have still been going through it. So they're lucky there. Medical devices weren't targeted. They could have been. The malware wasn't destructive. It could have been a worm, could have been a wiper. You've been hearing maybe a bit about wiper malware being used in Ukraine. The malware could have gone on and just started destroying files. That didn't happen. But I think what this points to: organizations, if you're operating on the internet, you've got to take steps to defend yourselves. You have to invest. It takes money. And when I say money, it's money for systems, it's money for people, which often gets forgotten. And it's also putting those things together. It's your workflows. It's what do you do; it's the processes you put in place to make those things work together. Too often it's really focused just on a procurement of a system and not how you integrate it into the enterprise and how you actually get value out of it. So no surprise to everyone here, to talk about cyber security, it really matters, right? Here's an extreme case where an organization, a really, really important one, is just brought to its knees.

The cyber security fundamentals we talk about, network segmentation being shown here, multi-factor authentication, monitoring, these things put together form multiple layers. It means you're moving away from just the perimeter. And in this case they didn't even really have a perimeter. It's having those multiple levels of defense so that when someone goes after you, and someone will go after you, if they get in, they can't get as far as they want to. And at the end of the day, threat surface visibility is critical for attack detection and mitigation. So you need to know what you have. You need to know if your assets are patched. You need to be looking at what's going on on those systems. You need to be able to hopefully detect, hopefully block, those things that are going on. And in a lot of cases, we are not talking about a zero day here. The Minister of Health at one point early on came out and said, "Oh, this was a zero day. There's nothing we could have done about it." Okay. Well, A, it wasn't true. It wasn't a zero day; it was old vulnerabilities. B, even if it is a zero day, there's still stuff you can do, because the threat actor is going to get on and do certain things like escalate privilege, and that is something that can be detected. That is something, with the right solution, you can block. Okay, so let's see how we're doing for time here. I guess I burned through that a little bit faster than I thought I might, but it does leave some time for questions.

So, yes and no. In detail, no. There's 15, sorry, 10 or 15 pages, I can't remember which, of detailed technical stuff that was redacted. We did see that Cobalt Strike and Mimikatz were used. Mimikatz is something that is used to dump credentials, and then, even if it's hashed, you can sometimes harvest the passwords from that hash dump. One of the things that is often done for privilege escalation is something called LSASS abuse. That might have been what happened here. I don't know. My company, we have people that are experts in that kind of thing. So the techniques, some of the ways, keep changing, but the basic techniques aren't changing that much, and so our solution and others look for that kind of thing. Any other questions? There's one way at the back.

Sure. Yeah. Unfortunately, the report doesn't provide a ton of detail around that, but there were several hospitals that got compromised, but the compromises were detected and cleaned up. And it's not clear why that happened there and not elsewhere. There was mention of semi-autonomous hospitals, and I think some of those hospitals probably had maybe their own internal resources. The Department of Health, interestingly enough, was connected to this network, but they basically had their own defenses, and so there was an attempt to traverse from the national health care network into the Department of Health, and that was blocked, but they didn't coordinate back to the other network to say, "Hey, something bad's going on." Now, they didn't have a ton of time, but it doesn't look like that happened. So this is where a security operations center is really important, because it provides that focal point, that hub. I ran a SOC for four years, and it basically is the nerve center for something like this. It's the go-to place. When something's on fire, you dial 911. Well, if an IT security incident is happening, that's who you go to, and you have people with playbooks and they're ready to go. So maybe some of those entities had a mini version of that. I suspect the Department of Health did, but I'm speculating at this point.

Yeah. What are they doing? That's an interesting one. So, 72 recommendations; they need to spend a lot of money here, and even just spending money, they don't have the horsepower to do it, so they have to bring in consultants. I tried to find out where they're at today. It's not clear at all. But this is a massive effort. So I think they will have done initial mitigations, but they're probably in not much better position than they were. This is a huge project. They have to modernize their network and

simultaneously secure it. So I would imagine there are teams of consultants and a lot of money being spent to make this happen. But I I did try to find out and the information unfortunately is just not it's not there. Yeah, this is the downside of having someone like me who's, you know, I did a bunch of open source research. There is a lot about the threat actor. Um, and there's this report, but there isn't too much else. Um, well, that thing about Allied Irish Bank, I got that out of their board minutes. So, the the HSC's board minutes are are public. So, I looked at those and there's not a lot of talk about this, but but that was one of

the nuggets I was able to pick up there.

Okay, first I I do want to I I hope I didn't give the impression that it actually was conscience. I think it was risk aversion. Um I think it was possibly someone in the Russian government saying Ireland's not our problem. what are you doing? Don't know. Okay. But I mean, they've gone after other healthcare entities. Kanti uh totally mangled Costa Rica's um networks. They went after several networks in the government of Costa Rica in the winter. They're still recovering from that. So, um how much worse could this have been? Well, I think you know if if the key had not been provided all of those workstations you you it's it's damn near impossible to do recovery of

encrypted workstations if you don't have the key. Even when you get the key sometimes it doesn't work right. So there would have been a lot of healthcare records locked up. They had some kind of backups but very inconsistent. That was another thing. You got to have consistent off-site backups. They didn't have that. They had some of it. So they might have been able to partially recover, but it would have been much longer. You know, it would probably only be now that they'd be climbing out of this hole. You would have you would have had, you know, probably a year of healthcare disruption disruption pro probably longer. And you know, here they're saying 100 million maybe I saw one case saying up to 500

million euros in cost would have been even higher. It's a huge cost. Um, so yeah, it's it's one of these things where not spending on cyber security is a false economy, but it's still in spite of everything going on, it's I don't want to sound sanctimonious. I know it's hard within an enterprise. Like in healthcare, they want to spell spend money on doctors and nurses and MRIs, right? That's what they want to spend their money on. They don't want to spend the money on the on the IT in the background. But you can't have those things now without properly supporting your it. It's just a fact of life and the world hasn't completely come around

to that

yet. Any other questions? I'm so I apologize for this noise.

I'd like to think so. Um I really would love to have been a fly on the wall in the discussion that would have happened over releasing this report. There would have been quite a discussion I'm sure and I there it's not clear who because this is like I I can't emphasize this is enough. This is super unusual, right? Um, so someone really went hard to say we should do this for the good of everybody, right? Um, and maybe there was that thought that we get this out there. There'll be heat on us to actually make sure this this happens. But, you know, the public's memory is short. Um, I'll go next door. So, UK has

a similar thing. The NHS, the National Health System, they had a big hack in 2015. So that's right next door to Ireland and you know that didn't trigger anything and NHS just got hit again. So you know from a logical perspective it should it it should totally put the heat on everyone but it's also um a case of you know we've moved a little bit away from it. I don't know how much heat is on them. My guess is they're incrementally improving things. They still don't have a sizo. So, uh, one of those board, uh, minutes, someone asked, "Hey, where's the sizo?" And the answer was, "We're still coming up with the job description." Um, now everyone who works

in governments will go, "Yeah, I came from government. I understand." Yeah. Any other questions? Doesn't look like it. All right. Thanks so much. And, uh, happy 10th anniversary to Bides.
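Added by the editor as a worked example after the transcript; this is not code from the talk, the speaker's company or the HSE report. The Q&A mentions Mimikatz and "LSASS abuse" as the kind of privilege escalation and credential theft that "can be detected". One standard way to detect it is to watch which processes open a handle to lsass.exe with memory-read rights, which Sysmon records as Event ID 10 (ProcessAccess). The script below applies that logic to a few constructed Sysmon records; the sample events, the allowlist of legitimate source processes and the severity rules are assumptions that would have to be tuned for a real environment (EDR and backup agents also read LSASS legitimately).

```python
"""Flag suspicious LSASS memory access in Sysmon Event ID 10 (ProcessAccess) records."""
import json
from dataclasses import dataclass

# Well-known Windows process access rights (bit flags in the GrantedAccess mask).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS = 0x1FFFFF

# Assumption: source images that open lsass.exe during normal Windows operation.
# Tune per environment; add your AV/EDR agent paths here after verifying them.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
}


@dataclass
class Finding:
    utc_time: str
    host: str
    source_image: str
    granted_access: int
    severity: str
    reasons: list


def parse_access(value: str) -> int:
    """Sysmon writes GrantedAccess as a hex string such as '0x1010'."""
    return int(value, 16)


def is_lsass(image: str) -> bool:
    return image.lower().endswith(r"\lsass.exe")


def evaluate(event: dict):
    """Return a Finding for a suspicious LSASS access, or None for benign/irrelevant events."""
    if int(event.get("EventID", 0)) != 10 or not is_lsass(event.get("TargetImage", "")):
        return None
    src = event.get("SourceImage", "")
    granted = parse_access(event.get("GrantedAccess", "0x0"))
    # A handle without PROCESS_VM_READ cannot read credential material out of LSASS.
    if not granted & PROCESS_VM_READ:
        return None
    if src.lower() in ALLOWLIST:
        return None
    reasons = ["non-allowlisted process opened lsass.exe with PROCESS_VM_READ"]
    severity = "medium"
    # 0x1010 (QUERY_LIMITED_INFORMATION | VM_READ) and full access are the masks most
    # often seen from credential-dumping tools; treat them as high severity.
    if granted in (PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ, PROCESS_ALL_ACCESS):
        reasons.append(f"access mask 0x{granted:x} matches a common credential-dumping pattern")
        severity = "high"
    # Sysmon marks call-stack frames from memory not backed by a file as UNKNOWN,
    # which is typical of injected code such as a beacon running inside another process.
    if "UNKNOWN" in event.get("CallTrace", ""):
        reasons.append("call trace contains unbacked (UNKNOWN) module, typical of injected code")
        severity = "high"
    return Finding(event.get("UtcTime", ""), event.get("Computer", ""), src, granted, severity, reasons)


def analyze(lines):
    """Evaluate JSON-lines Sysmon events and return the list of findings in input order."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        finding = evaluate(json.loads(line))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample records (not real telemetry), one JSON object per line.
SAMPLE_EVENTS = r"""
{"EventID": 10, "UtcTime": "2021-05-13 02:01:10", "Computer": "WS-01", "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d4f4"}
{"EventID": 10, "UtcTime": "2021-05-13 02:01:12", "Computer": "WS-01", "SourceImage": "C:\\Windows\\System32\\wininit.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1fffff", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d4f4"}
{"EventID": 10, "UtcTime": "2021-05-13 02:03:44", "Computer": "WS-01", "SourceImage": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d4f4|UNKNOWN(0000000002AB1234)"}
{"EventID": 10, "UtcTime": "2021-05-13 02:05:00", "Computer": "WS-01", "SourceImage": "C:\\Program Files\\Monitoring\\agent.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1410", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d4f4|C:\\Program Files\\Monitoring\\agent.exe+1a2b"}
{"EventID": 1, "UtcTime": "2021-05-13 02:05:01", "Computer": "WS-01", "Image": "C:\\Windows\\System32\\notepad.exe"}
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS.splitlines()):
        print(f"[{f.severity.upper()}] {f.utc_time} {f.host} {f.source_image} 0x{f.granted_access:x}")
        for r in f.reasons:
            print("    -", r)
```

Run as written, the script reports the temp-directory `update.exe` as high severity (classic 0x1010 mask plus an unbacked call-stack frame) and the non-allowlisted monitoring agent as medium, while the svchost.exe query-only handle and the allowlisted wininit.exe access produce nothing. In practice this rule belongs in the SOC the speaker describes, fed from centrally collected Sysmon logs, with the allowlist maintained from observed baselines rather than guessed.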