
Explainer: What is a decryption tool and why would hackers hand it over without receiving a ransom?

The government has stated “categorically” that no ransom has been paid.

Image: Shutterstock

Health Minister Stephen Donnelly said this morning that there are “positive” signs that a decryption tool provided to the HSE may help unlock its IT systems.

The HSE shut down its IT systems last Friday after it became aware of a significant ransomware attack, with widespread disruption across the health service as a result. 

Donnelly said it’s “not clear” why the decryption tool has been made available but that it was made available on a website linked to the criminal gang involved in the hack.

He also reiterated “categorically” that no ransom had been paid by the government in relation to the hacking.

“I can tell you and your listeners categorically that no ransom has been paid by this government directly, indirectly, through any third party or in any other way. And nor will any such ransom be paid,” he told Morning Ireland.

What is a decryption tool? 

Essentially, what the cybercriminals have done is encrypt the HSE’s data and seek a ransom believed to be close to €15 million.

They claim to have accessed some 700 gigabytes of data including patients’ home addresses and other personal details.

Encrypting data usually jumbles it up in a way that makes it inaccessible, with a decryption tool then providing a way of accessing it. 

Speaking to The Journal, Paul Delahunty, Chief Information Security Officer at Stryve, said that, if the encryption is strong, it could be “next to impossible” to break it without a decryption tool.

He cautions that, when such a tool is provided, the victim of the hack would be hoping it’s the same tool for all the files. 

If this is not the case, he explains that you may still be able to access all the files but that it could take some time. 

“If they’re really clever, they may use different keys for different files and make it really complicated. What you can do, if you’ve got backups that are uncorrupted, and you’ve got the same file but the encrypted version of it, these tools can work to see if they can find the key that translates one into the other. The phrase around it is that you’ve got a ‘known plaintext’.”
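As an added illustration (not part of the article, and not any real recovery tool), the Python below walks through the ‘known plaintext’ recovery Delahunty describes against a deliberately weak, constructed scheme: files scrambled with a repeating XOR key. Pairing an uncorrupted backup with its encrypted twin exposes the key, which can then be applied to a file that has no backup and checked piece by piece against known-good data before anything is trusted. The key, file contents and cipher are all constructed assumptions; a strong cipher does not give up its key this way, which is exactly why the article says a decryption tool matters.

```python
import hashlib
from typing import Optional

def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the same operation encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_key(backup: bytes, encrypted: bytes, max_key_len: int = 64) -> Optional[bytes]:
    """Known plaintext: XOR the uncorrupted backup with its encrypted copy to
    expose the key stream, then find its shortest repeating period."""
    if len(backup) != len(encrypted):
        raise ValueError("backup and encrypted file must be the same size")
    stream = bytes(p ^ c for p, c in zip(backup, encrypted))
    for n in range(1, min(max_key_len, len(stream) // 2) + 1):
        # Only trust a period that repeats at least twice across the file
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return None  # file too short, or the scheme is not a simple repeating key

def verify_against_backup(decrypted: bytes, backup: bytes) -> bool:
    """The 'piece by piece' check: hash-compare output before relying on it."""
    return hashlib.sha256(decrypted).digest() == hashlib.sha256(backup).digest()

# Constructed sample data standing in for records; the key is unknown to the victim
SECRET_KEY = b"\x5a\x13\xc7\x88\x2e"
BACKUP_FILE = b"patient_id=0001;name=Example Person;ward=4B;" * 3
ENCRYPTED_FILE = xor_with_key(BACKUP_FILE, SECRET_KEY)
OTHER_PLAIN = b"patient_id=0002;name=Another Person;ward=7A;"
OTHER_ENCRYPTED = xor_with_key(OTHER_PLAIN, SECRET_KEY)

def recover_other_file() -> Optional[bytes]:
    """Derive the key from the backup pair, then decrypt a file with no backup."""
    key = recover_key(BACKUP_FILE, ENCRYPTED_FILE)
    return None if key is None else xor_with_key(OTHER_ENCRYPTED, key)

if __name__ == "__main__":
    key = recover_key(BACKUP_FILE, ENCRYPTED_FILE)
    print("recovered key:", key.hex() if key else None)
    print("decrypted other file:", recover_other_file())
    print("backup check:", verify_against_backup(xor_with_key(ENCRYPTED_FILE, key), BACKUP_FILE))
```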

Wouldn’t it be dangerous to use a decryption tool that was provided by the criminals?

Absolutely, and this is why HSE tech teams have been proceeding cautiously after receiving the decryption tool. 

The HSE said last night that “investigations would have to be completed” before it is used, with Donnelly saying today that tech teams were “testing it”. 

In practice, this would mean first testing the decryption tool on isolated systems. 

Even then, Delahunty says it’s not a case of “just rolling it out across the system”. He explains that it would have to be done “piece by piece … making sure as they bring things back online that everything is okay.”

We’ve even got a recent public example of a decryption tool not working in the way that it should. 

Earlier this week, US company Colonial Pipeline admitted paying $4.4 million in a ransom to Russian hackers for a decryption tool that didn’t resolve the issue. 

After making the ransom payment on the night of 7 May, Colonial Pipeline received a decryption tool from the hackers, but the tool was so slow and unreliable that the company had to revert to restoring from its backups anyway.

The hack caused huge issues for the largest fuel pipeline system in the United States and the company justified paying the ransom on that basis, saying it was “the right thing to do for the country”. 

But assuming the decryption tool does work, why would the hackers send it on without getting a ransom? 

While it’s impossible to know for sure, there are a number of possible reasons. 

The first is that the hackers have realised they will not get a ransom anyway.

As evidenced in the case of Colonial Pipeline, cybercrime gangs more commonly target companies where a ransom is perhaps more likely to be paid. 

Brian Honan, cybersecurity expert and CEO of BH Consulting, said this was his theory. 

“My analysis would be that the criminals realised they were not going to get paid the ransom to release the decryption keys. The HSE also seemed to be making progress in manually restoring their systems, so the bargaining power for the criminals from this aspect of their extortion was weakening daily.

“So, by releasing the keys they have recast the issue to focus on the threat to publish the data, while perhaps showing the criminals in a more benevolent light.

“Another reason may be the criminals realised they bit off more than they could chew by taking down a nation’s health services and the repercussions of that. I am sure not many outside Ireland realise what the HSE is and how critical it is.”


Delahunty agrees, saying that the gang might want to take the focus off themselves while also accepting that they have already secured valuable personal data. 

It’s already been confirmed that patient data from the hack has appeared on the dark web and the HSE is warning people to be wary of potential scams. 

“Maybe there’s a little bit of a sense of let’s take a little bit of heat off ourselves because we’re not really relying on the ransom. We have the data we can sell that on the dark web,” Delahunty says. 

“So, it’s not a case of they don’t get their payday. They can get an even better payday by selling it off piecemeal on the dark web. Information about health is so so valuable.”

On this week’s episode of The Explainer we look at the impact of the HSE cyber hack (source: The Explainer/SoundCloud).

About the author:

Rónán Duffy
