Future Tech

Hackers threaten to release Irish patient data next week

Tan KW
Publish date: Thu, 20 May 2021, 06:35 PM

Hackers who targeted Ireland’s health service are threatening to imminently release or sell patient data in an effort to pressure the government agency to pay a US$20mil ransom.

In an online message sent on Wednesday and reviewed by Bloomberg News, the hackers told representatives of the country’s Health Service Executive that if they couldn’t reach an agreement soon, “we will start to sell and publish your data” on May 24. Previously they had threatened to release the data “very soon”.

The Irish government has “no intention” of paying a ransom, Public Expenditure minister Michael McGrath told RTE Radio on May 20.

Last week, Ireland’s hospitals were forced to shut down many of their computers after the hackers gained access to the health service’s systems, encrypted patient data so that it was inaccessible and demanded a payment to unlock the files.

The incident has paralysed some hospitals, resulting in the cancellation of services including some cancer patients’ consultations and disrupting radiology and diagnostic systems. Hospital staff have been carrying out much of their work using pen and paper instead of their computers. Emergency rooms are open but dealing with significant delays due to the fallout from the attack.

A representative for the health ministry didn’t immediately respond to a request for comment regarding the hackers’ threats. The online chats show that the hackers requested US$19,999,000; that figure couldn’t be confirmed with Irish authorities.

The attack in Ireland comes on the heels of several high-profile ransomware attacks in the US, including a breach of Colonial Pipeline Co that squeezed fuel supplies along the East Coast, leading to higher prices and long lines at gas stations. A separate attack on Scripps Health in San Diego has slowed the pace of care and forced the diversion of some patients to other facilities, according to the San Diego Union-Tribune.

In ransomware attacks, hackers encrypt a victim’s computer files and then demand payment to unlock them. Some ransomware gangs now steal victims’ files too and threaten to publish them if payment demands aren’t met, a type of double extortion.

The hackers who targeted the Irish health service call themselves the “ContiLocker Team” and use a strain of ransomware known as Conti to break into victims’ computers and extort payments. Conti usually publishes stolen documents on its website on the dark web when a victim refuses to pay.

The group is also known as “Wizard Spider”. According to the security firm CrowdStrike Holdings Inc, Wizard Spider is a Russian criminal group that has become increasingly pervasive in the last year. A CrowdStrike report published in October described Wizard Spider as an “established, high-profile and sophisticated” group, which “has made significant improvements to their arsenal recently and has both developed new tools and modified existing ones”.

In online chats reviewed by Bloomberg News, the hackers told representatives of the health service on May 14 that they had “infiltrated your network and stayed in it for more than two weeks”. They said they had obtained 700 gigabytes of data, including personal data of patients, employees, contracts, financial statements and payroll details.

Asked to provide proof by representatives of the health authority, the hackers sent a link to a sample of the data they said they had obtained. The sample included 27 files, including patient medical records, notes about a paediatric hematology palliative care meeting, procurement records and other confidential details, according to a list of the files reviewed by Bloomberg News.

The 27 sample files haven’t been published for anyone to freely download on the Internet. Rather, cybersecurity researchers obtained copies from the hackers and shared portions of them with reporters.

Ireland’s health service has so far refused to pay any ransom and has said it is working to restore its computers. “This work will take many weeks and we anticipate major disruption will continue due to the shutdown of our IT systems,” the organisation said in a statement on Wednesday. “We should start to see some early signs of recovery in some sites over the coming days.”

 - Bloomberg
