HSE Ireland ransomware (Conti)
Conti ransomware paralysed Ireland's Health Service Executive, forcing cancellation of outpatient appointments nationwide for weeks. Conti released the decryptor for free; recovery still cost an estimated €100M+.
- Victim: Health Service Executive (HSE) of Ireland
- Loss: $130.0M
- Records: 700.0K
- Users: 80.0K
On the morning of 14 May 2021, Ireland's Health Service Executive — the national authority responsible for public healthcare across the Republic — discovered that the Conti ransomware crew had encrypted servers across the HSE estate during the night. By morning, hospitals from Dublin to Cork were operating on paper, outpatient appointments were cancelled nationwide, and the Irish government was making the public decision to refuse the ransom demand.
What happened
The intrusion began with a single spearphishing email opened by an HSE employee on 18 March 2021. The attached Excel document contained malicious macros that dropped a Cobalt Strike beacon. From that single foothold, Conti operators spent eight weeks of unimpeded dwell time on the HSE network:
- The HSE network had no meaningful segmentation across its 70,000-endpoint estate, which spanned hospitals, central administration, and primary care.
- Domain admin credentials were obtained within days.
- The independent PwC post-incident report later identified that the HSE's antivirus solution flagged Conti activity on multiple occasions during the dwell period, but the alerts were not triaged because there was no 24×7 SOC.
- Approximately 700 GB of patient data was exfiltrated in the days before the encryption event.
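As an added defender-side illustration (not code from the HSE or from the PwC report), the following Python script models the two detection gaps described above: an endpoint rule that flags an Office application spawning a script host or LOLBin (the macro-to-beacon pattern of the initial access), and an alert-queue ageing check that reports alerts left untriaged past a severity SLA, which is the gap a 24×7 SOC is meant to close. The Sysmon-style log records, hostnames, alert IDs, summaries and SLA values are all constructed for the example.

```python
"""Added example, not code from the HSE or the PwC report.

Two small defensive checks modelled on the failure modes above:
  1. office_child_alerts(): flag an Office application spawning a script
     host or LOLBin (the macro -> beacon pattern of the initial access).
  2. overdue_alerts(): report alerts left untriaged beyond a severity SLA,
     the gap a 24x7 SOC is meant to close.
All log lines, hostnames, alert IDs and SLA values are constructed.
"""
import json
from datetime import datetime, timedelta, timezone

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe",
}

# Constructed Sysmon-style process-creation records, one JSON object per line.
PROCESS_EVENTS = r"""
{"ts":"2021-03-18T09:12:41Z","host":"ws-finance-17","parent":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","image":"C:\\Windows\\System32\\rundll32.exe","cmd":"rundll32.exe C:\\Users\\Public\\x.dll,Start"}
{"ts":"2021-03-18T09:12:43Z","host":"ws-finance-17","parent":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","image":"C:\\Windows\\splwow64.exe","cmd":"splwow64.exe 12288"}
{"ts":"2021-03-18T10:01:05Z","host":"ws-hr-03","parent":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell.exe -w hidden -File C:\\Users\\Public\\stage.ps1"}
{"ts":"2021-03-18T10:02:30Z","host":"ws-hr-03","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell.exe Get-Process"}
{"ts":"2021-03-18T10:05:00Z","host":"ws-it-01","parent":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","cmd":"EXCEL.EXE /dde"}
"""


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def office_child_alerts(jsonl: str) -> list[dict]:
    """One alert per event where an Office app spawned a script host or LOLBin."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        parent, child = _basename(ev["parent"]), _basename(ev["image"])
        if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
            hits.append({"ts": ev["ts"], "host": ev["host"],
                         "parent": parent, "child": child, "cmd": ev["cmd"]})
    return hits


# Constructed SOC alert queue; "acked" is None while nobody has triaged the alert.
ALERT_QUEUE = [
    {"id": "A-1001", "raised": "2021-03-19T02:10:00Z", "severity": "high",
     "acked": None, "summary": "AV: Cobalt Strike beacon signature on ws-finance-17"},
    {"id": "A-1002", "raised": "2021-03-22T11:30:00Z", "severity": "medium",
     "acked": "2021-03-22T12:05:00Z", "summary": "Failed logons from service account"},
    {"id": "A-1003", "raised": "2021-05-07T23:45:00Z", "severity": "high",
     "acked": None, "summary": "AV: credential-dumping tool quarantined on dc-02"},
]
# Maximum time an alert may sit unacknowledged before it must be escalated.
TRIAGE_SLA = {"high": timedelta(hours=1), "medium": timedelta(hours=8),
              "low": timedelta(hours=72)}
# Reference point for the queue check: the encryption event, ~04:00 on 14 May 2021.
DETONATION_TS = datetime(2021, 5, 14, 4, 0, tzinfo=timezone.utc)


def _parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def overdue_alerts(queue: list[dict], now: datetime) -> list[dict]:
    """Alerts whose time-to-acknowledge (or time waiting so far) exceeds the SLA."""
    overdue = []
    for a in queue:
        raised = _parse_ts(a["raised"])
        acked = _parse_ts(a["acked"]) if a["acked"] else None
        waited = (acked or now) - raised
        if waited > TRIAGE_SLA[a["severity"]]:
            overdue.append({"id": a["id"], "severity": a["severity"],
                            "waited_hours": round(waited.total_seconds() / 3600, 1),
                            "still_open": acked is None})
    return overdue


if __name__ == "__main__":
    for h in office_child_alerts(PROCESS_EVENTS):
        print(f"[SUSPICIOUS CHILD] {h['ts']} {h['host']}: "
              f"{h['parent']} -> {h['child']}  {h['cmd']}")
    for o in overdue_alerts(ALERT_QUEUE, DETONATION_TS):
        state = "UNTRIAGED" if o["still_open"] else "late ack"
        print(f"[SLA BREACH] {o['id']} {o['severity']}: {o['waited_hours']}h ({state})")
```

Run as a script, the first check reports the two Office-spawned script hosts while ignoring the benign print helper, the explorer-launched shell and the Outlook-to-Excel handoff; the second shows that the two high-severity alerts were still unacknowledged weeks later, which is the condition an escalation rule should page on rather than leave in a queue nobody reads overnight.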
At approximately 04:00 on 14 May 2021, the Conti operators detonated the encryptor across HSE servers nationwide. The HSE's immediate response was unprecedented in scale: it took all IT systems across the public health service offline as a precaution against further spread.
Impact
- Hospitals and clinics nationwide: all running on paper for weeks. Lab results, imaging, prescription records, appointment scheduling, payroll — everything was disrupted.
- Outpatient appointments: cancelled for several weeks; cancer care, diagnostic imaging, and elective procedures affected nationwide.
- ~700 GB of patient and employee data exfiltrated, including birth records, medical histories, and child protection information. ~80,000 individuals were ultimately notified of their data being directly involved.
- Independent PwC post-mortem estimated the total cost at €100M+, with the majority falling on IT rebuild and external incident response.
- The disclosed data is still circulating on dark-web forums years later.
The unpaid ransom
Conti demanded $20 million in bitcoin. Within hours, Taoiseach (PM) Micheál Martin publicly stated that the Irish government would not pay. Six days later, Conti unexpectedly published the decryption key for free, citing "humanitarian reasons" after the U.S. and Irish governments had publicly applied pressure.
The decryptor worked, but recovery was slow — at the HSE's scale, and with backups whose integrity could not be relied on, restoring 70,000 endpoints and re-establishing trust in the network took months, not days. Conti also continued to leak patient records selectively to maintain pressure despite providing the decryptor — a calculated reputational attack rather than a recovery option.
Attribution
The attack was attributed to the Conti ransomware operation early in the incident. The Conti Leaks of February 2022 — 170,000 internal Jabber messages from a Ukrainian insider — later confirmed the operation's organisational structure and named multiple Conti members.
In February 2023, the U.S. and U.K. jointly sanctioned seven Conti / TrickBot operators, with Vitaly Kovalev (Stern) identified as the CEO-equivalent of the operation.
Why it matters
HSE is the canonical case for ransomware against a national healthcare system that refused to pay. It established:
- That a national government can publicly refuse a ransom and still recover, given enough resilience and external support.
- That ransom-refusal does not stop secondary leaks: Conti continued to release stolen records years later.
- That network segmentation is not a luxury for healthcare networks — Conti's eight-week dwell time on the HSE network was a function of one flat L2 broadcast domain across 70,000 endpoints.
The HSE's published post-incident report (PwC) is one of the most-cited public ransomware incident reports in healthcare cybersecurity and remains required reading for any large healthcare operator.
Financial impact
Reported costs in USD
- Business loss: $30.0M
- Remediation: $100.0M
Timeline
- An HSE employee opens a malicious Excel attachment in a spearphishing email. Conti initial-access broker (TA551) drops a Cobalt Strike beacon.
- Eight weeks of dwell time. Conti operators harvest domain credentials, move laterally across HSE's national network (which lacked segmentation between hospitals and central administration), and stage data exfiltration.
- Approximately 700 GB of HSE data exfiltrated to attacker-controlled infrastructure.
- Conti detonates ransomware across HSE servers at ~4am local time. Hospitals begin discovering encrypted systems as staff arrive for morning shifts.
- HSE makes the unprecedented decision to take all IT systems offline nationwide to prevent further propagation. Outpatient appointments cancelled nationally.
- Conti demands $20M ransom. Irish Taoiseach Micheál Martin publicly refuses to pay.
- Conti unexpectedly releases the decryption key for free, citing 'humanitarian reasons' after the U.S. and Irish governments publicly demand it.
- Conti begins selectively leaking patient records to pressure HSE despite providing the decryptor.
- PwC's independent review estimates the total impact at €100M+ in direct response and recovery.
- The U.S. Treasury's OFAC and the U.K. jointly sanction Vitaly Kovalev ('Stern') and six other Conti / TrickBot operators.
Sources
- hse.ie: https://www.hse.ie/eng/services/publications/conti-cyber-attack-on-the-hse-full-report.pdf
- bbc.com: https://www.bbc.com/news/world-europe-57184977
- justice.gov: https://www.justice.gov/opa/pr/us-and-uk-disrupt-trickbot-malware